Closed Bug 1716129 (CVE-2021-29987) Opened 2 years ago Closed 2 years ago

Moving Permission Panel with Click Still Registered in Default Position on GTK

Categories

(Core :: Widget: Gtk, defect)

Unspecified
Linux
defect

Tracking

()

VERIFIED FIXED
91 Branch
Tracking Status
firefox91 --- fixed

People

(Reporter: sourc7, Assigned: stransky)

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [clickjacking our UX][reporter-external] [client-bounty-form] [verif?][adv-main91+])

Attachments

(6 files)

After request multiple permission at the same time, then after first interaction to the permission panel, the second permission panel will moving to another position with click button still registered on default position, which lead user unintentionally click "Allow" on the permission button.

I noticed it currently affects Linux distributions that use KDE as the desktop environment:

  • Kubuntu
  • openSUSE
  • KDE Neon
  • Fedora KDE
  • Manjaro KDE

When using mozregression the permission panel is moving out after checkout to commit Notification anchors are not hidden when the user types in the location bar.

Tested on:

  • Arch Linux with KDE as default Desktop Environment
  • Kubuntu 21.04 on VM

Steps to reproduce:

  1. Open Firefox on KDE (desktop environment)
  2. Visit attached moving-permission-panel.html
  3. When first permission dialog appear then press 'esc'
  4. The second permission dialog will appear on another position with click still registered on original doorhanger position
  5. Click on "Click to Continue" button
  6. Microphone or geolocation permission is now allowed
Flags: sec-bounty?
Summary: Permission Panel Moved with Click Still Registered in Default Position on KDE Desktop Environment → Moving Permission Panel with Click Still Registered in Default Position on KDE Desktop Environment

Not seeing an issue on MacOS. Tyson sees a different positional weirdness on Gnome (only some of the time when he reloads) where the second permission panel shows up near the bottom of the screen rather than where it should.

Weirdly these look like pure "Firefox-styled" panels, they aren't OS widgets so why would the OS change the behavior?

gcp: do you know who works on platform widgets/drawing these days?

Type: task → defect
Flags: needinfo?(gpascutto)
Keywords: csectype-spoof
OS: Unspecified → Linux
Keywords: sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [clickjacking our UX][reporter-external] [client-bounty-form] [verif?]

Oof, this is tricky. Most of out Linux platform widget work is done by Red Hat these days. But they ship GNOME, not KDE, so not sure how reasonable it is to ask them.

Tyson sees a different positional weirdness on Gnome (only some of the time when he reloads) where the second permission panel shows up near the bottom of the screen rather than where it should.

Oh, okay, if we have STR on GNOME then stransky might be able to investigate.

Flags: needinfo?(gpascutto) → needinfo?(stransky)

Yes, I can reproduce it on Gnome too but in X11 mode only. I expect we use wrong popup parent / anchor so relative popup coordinates are wrong.

Flags: needinfo?(stransky)

This is a good old bug when gtk widget is not positioned when it's hidden. Will post a patch for it.

Group: firefox-core-security → core-security
Component: Security → Widget: Gtk
Product: Firefox → Core

Gtk on X11 tends to ignore widget position change requests when widget is not shown. Save the position requests when window is hidden and
apply that when it's shown.

Assignee: nobody → stransky
Status: NEW → ASSIGNED

I don't think this needs to be a security bug.

Group: core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

(In reply to Daniel Veditz [:dveditz] from comment #3)

Not seeing an issue on MacOS. Tyson sees a different positional weirdness on Gnome (only some of the time when he reloads) where the second permission panel shows up near the bottom of the screen rather than where it should.

It turns out I can also reproduce this on Ubuntu 20.04.2 LTS, the permissions panel moves to the bottom of the screen (as in the attached video) and it works every time after interacting with first permission request, and at some point the first permissions panel moves down automatically without any interaction to the panel.

(In reply to Martin Stránský [:stransky] (ni? me) from comment #8)

I don't think this needs to be a security bug.

In this case the
(In reply to Martin Stránský [:stransky] (ni? me) from comment #7)

Created attachment 9227852 [details]
Bug 1716129 [Linux/X11] Reposition GtkWindow when it's shown, r?jhorak

Gtk on X11 tends to ignore widget position change requests when widget is not shown. Save the position requests when window is hidden and
apply that when it's shown.

Summary: Moving Permission Panel with Click Still Registered in Default Position on KDE Desktop Environment → Moving Permission Panel with Click Still Registered in Default Position on GTK

(In reply to Martin Stránský [:stransky] (ni? me) from comment #8)

I don't think this needs to be a security bug.

In this case the when permission panel is moving the click position still registered on default position, which leads malicious websites able to trick the user to click "Allow" on the permission panel without the user realizing that click HTML5 button will also click "Allow" on the permission panel (i.e allow camera, microphone, and geolocation) (as on attached video above).

(In reply to Martin Stránský [:stransky] (ni? me) from comment #7)

Created attachment 9227852 [details]
Bug 1716129 [Linux/X11] Reposition GtkWindow when it's shown, r?jhorak

Gtk on X11 tends to ignore widget position change requests when widget is not shown. Save the position requests when window is hidden and
apply that when it's shown.

Thank you for the patch, I confirmed it fixed the issue on Arch Linux with KDE and Ubuntu 20.04.2 LTS on Firefox Nightly 91.0a1 (2021-06-20) (64-bit).

Status: RESOLVED → VERIFIED
Flags: sec-bounty? → sec-bounty+
Whiteboard: [clickjacking our UX][reporter-external] [client-bounty-form] [verif?] → [clickjacking our UX][reporter-external] [client-bounty-form] [verif?][adv-main91+]
Attached file advisory.txt
Alias: CVE-2021-29987
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.