Closed Bug 1753341 Opened 2 years ago Closed 1 year ago

Autofill prompt can render over cross-origin popup, allows spoofing of autofill context origin and browser UI

Categories

(Toolkit :: Autocomplete, defect, P3)

defect

Tracking


VERIFIED FIXED
114 Branch
Tracking Status
firefox-esr102 --- verified
firefox112 --- wontfix
firefox113 --- verified
firefox114 --- verified

People

(Reporter: bugzilla-mozilla, Assigned: emilio)

References

Details

(Keywords: sec-moderate, Whiteboard: [fixed by bug 1826622][adv-main113+])

Attachments

(3 files)

Attached video autofill-over-popup.mp4

VULNERABILITY DETAILS
Pages with carefully-positioned input fields can cause the browser to render autofill prompts over a cross-origin popup. This can be used to spoof the autofill context origin (by making the user think the prompt is associated with the popup's origin) or to spoof the address bar, cover/spoof permission prompts, cover window controls, or for other malicious purposes that involve covering the browser UI associated with the popup.

Depending on the autofill data targeted, either two or three user interactions are needed to initiate the attack.

A browser UI cover/spoof PoC would work similarly to bug 1753339, so I have not created separate PoCs for these scenarios. The root cause and fix may be the same as bug 1753339 but reporting separately due to different impacts and potentially different considerations.

VERSION
Firefox Version: 96.0.3 Stable (Build ID 20220126154723), 98.0a1 Nightly (Build ID 20220127094620)
Operating System: Windows_NT 10.0 19042

REPRODUCTION CASE
See attached video with recording of all PoCs.

The credit card PoC requires fewer interactions and is more likely to succeed due to the browser automatically showing the autofill prompt when the attacker page is focused. In comparison, the browser requires an additional user interaction with the input field.

For the basic PoC, window resizing is required since the attacker page needs to have keyboard focus, and focusing the initial window puts it on top of the popup, so the popup cannot overlap the initial window. This is an implementation detail; an advanced PoC can open the attacker page in another popup, which adds another click to the repro steps but is more feasible than asking the user to resize their window. In cases where the user's window is already appropriately sized, the advanced PoC can omit the extra popup/click.

Also see bug 1753339 for browser UI spoof PoCs that also work over popups.

PoC for address (multiple fields):
Prerequisite: Have at least one address in about:preferences#privacy -> Forms and Autofill -> Saved Addresses...

  1. Resize window so it's not maximized. For this basic PoC, move the window to allow at least 300px on the left of the window. This is a PoC implementation detail.
  2. Navigate to https://alesandroortiz.com/security/firefox/autofill-over-popup.html
  3. Click twice anywhere in page.
  4. Press down arrow once.
  5. Use mouse or keyboard to select an autofill entry.

PoC for credit card (multiple fields):
Prerequisite: Have at least one credit card in about:preferences#privacy -> Forms and Autofill -> Saved Credit Cards...

  1. Resize window so it's not maximized. For this basic PoC, move the window to allow at least 300px on the left of the window. This is a PoC implementation detail.
  2. Navigate to https://alesandroortiz.com/security/firefox/autofill-over-popup.html?creditcard
  3. Click twice anywhere in page.
  4. Use mouse or keyboard to select an autofill entry.

For all PoCs:
Observed: Autofill prompt is shown over different origin. Upon selection with mouse or keyboard, data is provided to attacker page.
Expected: Autofill prompt is not shown over different origin.

CREDIT INFORMATION
Reporter credit: Alesandro Ortiz https://AlesandroOrtiz.com

Alesandro, thank you for reporting this bug. Moving it to autocomplete component because autofill is using autocomplete to get the job done.

Perhaps the solution is to clamp the popup to the content area, but I'll leave it to more knowledgeable people to decide.

Component: Security → Autocomplete
Product: Firefox → Toolkit
See Also: → CVE-2023-32205
Summary: Security: Autofill prompt can render over cross-origin popup, allows spoofing of autofill context origin and browser UI → Autofill prompt can render over cross-origin popup, allows spoofing of autofill context origin and browser UI
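As an added illustration of the "clamp the popup to the content area" idea floated above (example code written for this page, not Firefox's actual fix from bug 1826622), the function below positions an autofill dropdown relative to its input field but never lets it extend outside the content area of the window that owns the field, so it cannot be painted over a second window or over browser chrome. All rects are assumed to be plain `{x, y, width, height}` objects in one shared screen-pixel coordinate space with y growing downwards.

```javascript
// Added example, not Firefox code: keep an autofill dropdown inside the
// content area of its own window. Coordinate space is assumed to be
// screen pixels, y growing downwards.

function rectContains(outer, inner) {
  return inner.x >= outer.x && inner.y >= outer.y &&
    inner.x + inner.width <= outer.x + outer.width &&
    inner.y + inner.height <= outer.y + outer.height;
}

function rectsIntersect(a, b) {
  return a.x < b.x + b.width && b.x < a.x + a.width &&
    a.y < b.y + b.height && b.y < a.y + a.height;
}

// Returns the rect to paint the popup in, or null when no safe placement
// exists (e.g. the field itself is not inside the visible content area).
function clampPopupToContentArea(anchorRect, popupSize, contentRect) {
  // A field scrolled or positioned outside the visible content gets no popup.
  if (!rectsIntersect(anchorRect, contentRect)) return null;

  const contentBottom = contentRect.y + contentRect.height;
  const anchorBottom = anchorRect.y + anchorRect.height;
  const spaceBelow = Math.max(0, contentBottom - anchorBottom);
  const spaceAbove = Math.max(0, anchorRect.y - contentRect.y);

  // Prefer opening below the field; flip above only when that gives more room.
  const openBelow = popupSize.height <= spaceBelow || spaceBelow >= spaceAbove;
  const height = Math.min(popupSize.height, openBelow ? spaceBelow : spaceAbove);
  if (height <= 0) return null;
  const y = openBelow ? anchorBottom : anchorRect.y - height;

  // Align the left edge with the field, then pull the popup back inside the
  // content area instead of letting it spill over the window edge.
  const width = Math.min(popupSize.width, contentRect.width);
  let x = anchorRect.x;
  x = Math.min(x, contentRect.x + contentRect.width - width);
  x = Math.max(x, contentRect.x);

  return { x, y, width, height };
}
```

A placement returned by `clampPopupToContentArea` always satisfies `rectContains(contentRect, placement)`, which is the property the attack in comment 0 relies on being absent.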

This is a separate demonstration, but it looks pretty much like the same issue as bug 1753339. We'll hold on to this one for now and check back when that one is fixed to make sure this really is just a variant demonstration and not a separate bug.

Status: UNCONFIRMED → NEW
Depends on: CVE-2023-32205
Ever confirmed: true
Keywords: sec-other

The severity field is not set for this bug.
:mak, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mak)
Severity: -- → S3
Flags: needinfo?(mak)
Priority: -- → P3

Per comment https://bugzilla.mozilla.org/show_bug.cgi?id=1753339#c22, this still repros in 112.0.1 Stable (Build ID 20230414125621) but no longer repros in 114.0a1 Nightly (Build ID 20230421030443). Probably fixed as part of bug 1826622.

Can the team make sure this makes it into Stable as a security fix, along with any other relevant processes (such as marking this as fixed)?

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2023-32212
Resolution: --- → DUPLICATE

(In reply to Alesandro Ortiz from comment #5)

Per comment https://bugzilla.mozilla.org/show_bug.cgi?id=1753339#c22, this still repros in 112.0.1 Stable (Build ID 20230414125621) but no longer repros in 114.0a1 Nightly (Build ID 20230421030443). Probably fixed as part of bug 1826622.

Thanks for confirming.

Can the team make sure this makes it into Stable as a security fix, along with any other relevant processes (such as marking this as fixed)?

Yeah, that looks like it has already been uplifted to 113. 112 was released last week, so the patch came too late for that.

Although the underlying flaw turned out to be fixable at the same spot, in theory an autofill dropdown created by chrome-privileged code might have had different behavior than HTML datalist or select elements created in a web content context. It's better to make this set of testcases "depend on" the patched bug and have this bug marked fixed and independently verified.

Depends on: CVE-2023-32212
No longer depends on: CVE-2023-32205
No longer duplicate of bug: CVE-2023-32212
Resolution: DUPLICATE → FIXED
Whiteboard: [fixed by bug 1826622]
Group: firefox-core-security → core-security-release
Assignee: nobody → emilio
Target Milestone: --- → 114 Branch
Whiteboard: [fixed by bug 1826622] → [fixed by bug 1826622][adv-main113+]
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+
Attached file advisory.txt

I have reproduced this issue on Win 10 x64, with an affected Nightly build from (20220202214623).

The scenarios mentioned in comment 0 are not reproducing anymore on the latest builds, Nightly 114.0a1, RC 113.0 and ESR 102.11.0. Tested with Win 10 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release