Security UI Spoofing due to a race condition when navigating a page and calling requestFullscreen at the same time
Categories: Core :: DOM: Core & HTML, task
People: Reporter: luan.herrera, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 2 files
When a user clicks on the attacker's page it is possible to redirect them to another page and use their activation to call document.documentElement.requestFullscreen (Fullscreen API) at the same time.
This causes a race condition where fullscreen will be invoked and the message notifying the user they entered fullscreen will try to be displayed, only to be canceled by the redirect.
Because the fullscreen message is never shown, the user is not capable of knowing they entered fullscreen, which allows an attacker to spoof the entire screen with attacker-controlled content.
Note that we can reliably win the race by serving the page we redirect the user to from a Service Worker as we need the page to load quickly for it to work.
A few issues somewhat similar to this one (hiding/preventing the fullscreen message from appearing) also existed in other browsers:
https://bugs.chromium.org/p/chromium/issues/detail?id=851302
https://bugs.chromium.org/p/chromium/issues/detail?id=550017
Here's a video reproducing the issue:
https://youtu.be/EuV2t5Z6J6E
VERSION
Version: 93.0 (64-bit)
Operating System: Windows 10
REPRODUCTION CASE
- Access https://lbherrera.github.io/lab/firefox/fullscreen-spoof-2f47e86/index.html
- Click anywhere on the page and after a moment you will see a spoofed Mozilla login page.
I have also attached the files used in the PoC - if you prefer, you can reproduce the attack by downloading and hosting index.html and sw.js on a web server.
CREDIT INFORMATION
Reporter credit: Luan Herrera (@lbherrera_)
Comment 3 (Reporter) • 3 years ago
Hi, can I get access to bug 1730750? Thanks!
Comment 4 • 3 years ago
I just CC'd you on the other bug -- sorry it took so long. Pretty much if a bug is resolved it's off our radar. Needinfo-ing a specific person involved with the bug is usually more effective (mail gets sent), and for bounty-related bugs you can always mail our security address or ping someone on our chat server https://chat.mozilla.org/#/room/#security:mozilla.org