Autofill prompt can render over cross-origin popup, allows spoofing of autofill context origin and browser UI
Categories: Toolkit :: Autocomplete, defect, P3
People: Reporter: bugzilla-mozilla, Assigned: emilio
Details: Keywords: sec-moderate, Whiteboard: [fixed by bug 1826622][adv-main113+]
Attachments: 3 files
VULNERABILITY DETAILS
Pages with carefully-positioned input fields can cause the browser to render autofill prompts over a cross-origin popup. This can be used to spoof the autofill context origin (by making the user think the prompt is associated with the popup's origin) or to spoof the address bar, cover/spoof permission prompts, cover window controls, or for other malicious purposes that involve covering the browser UI associated with the popup.
Depending on the autofill data targeted, either two or three user interactions are needed to initiate the attack.
A browser UI cover/spoof PoC would work similarly to bug 1753339, so I have not created separate PoCs for these scenarios. The root cause and fix may be the same as bug 1753339 but reporting separately due to different impacts and potentially different considerations.
VERSION
Firefox Version: 96.0.3 Stable (Build ID 20220126154723), 98.0a1 Nightly (Build ID 20220127094620)
Operating System: Windows_NT 10.0 19042
REPRODUCTION CASE
See attached video with recording of all PoCs.
The credit card PoC requires fewer interactions and is more likely to succeed due to the browser automatically showing the autofill prompt when the attacker page is focused. In comparison, the browser requires an additional user interaction with the input field.
For the basic PoC, window resizing is required since the attacker page needs to have keyboard focus, and focusing the initial window puts it on top of the popup, so the popup cannot overlap the initial window. This is an implementation detail; an advanced PoC can open the attacker page in another popup, which adds another click to the repro steps but is more feasible than asking the user to resize their window. In cases where the user's window is already appropriately sized, the advanced PoC can omit the extra popup/click.
Also see bug 1753339 for browser UI spoof PoCs that also work over popups.
PoC for address (multiple fields):
Prerequisite: Have at least one address in about:preferences#privacy -> Forms and Autofill -> Saved Addresses...
- Resize window so it's not maximized. For this basic PoC, move the window to allow at least 300px on the left of the window. This is a PoC implementation detail.
- Navigate to https://alesandroortiz.com/security/firefox/autofill-over-popup.html
- Click twice anywhere in page.
- Press down arrow once.
- Use mouse or keyboard to select an autofill entry.
PoC for credit card (multiple fields):
Prerequisite: Have at least one credit card in about:preferences#privacy -> Forms and Autofill -> Saved Credit Cards...
- Resize window so it's not maximized. For this basic PoC, move the window to allow at least 300px on the left of the window. This is a PoC implementation detail.
- Navigate to https://alesandroortiz.com/security/firefox/autofill-over-popup.html?creditcard
- Click twice anywhere in page.
- Use mouse or keyboard to select an autofill entry.
For all PoCs:
Observed: Autofill prompt is shown over different origin. Upon selection with mouse or keyboard, data is provided to attacker page.
Expected: Autofill prompt is not shown over different origin.
CREDIT INFORMATION
Reporter credit: Alesandro Ortiz https://AlesandroOrtiz.com
Comment 1•3 years ago
Comment 2•3 years ago
Alesandro, thank you for reporting this bug. Moving it to autocomplete component because autofill is using autocomplete to get the job done.
Perhaps solution is to clamp popup to the content area, but I'll leave it to more knowledgeable people to decide.
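As an added illustration of the mitigation floated in the comment above (clamping the autocomplete dropdown to the content area), the following JavaScript models the geometry involved. It is example code written for this page, not Firefox's autocomplete implementation and not the actual fix from bug 1826622; the rectangle values, the "flip above the input, then clamp" rule, and all function names are assumptions chosen to show why an unclamped dropdown can hang over a cross-origin popup window while a clamped one cannot.

```javascript
// Added example, not Firefox code. Rectangles are {x, y, width, height} in
// screen pixels; every value below is a constructed sample.

function right(r) { return r.x + r.width; }
function bottom(r) { return r.y + r.height; }

// True when two rectangles share any area (merely touching edges does not count).
function intersects(a, b) {
  return a.x < right(b) && b.x < right(a) && a.y < bottom(b) && b.y < bottom(a);
}

// True when `inner` lies entirely inside `outer`.
function contains(outer, inner) {
  return inner.x >= outer.x && inner.y >= outer.y &&
         right(inner) <= right(outer) && bottom(inner) <= bottom(outer);
}

// Naive placement: the dropdown hangs below the input, left-aligned with it,
// and nothing stops it from spilling past the edge of the owning window.
function unclampedPlacement(anchor, size) {
  return { x: anchor.x, y: bottom(anchor), width: size.width, height: size.height };
}

// Mitigated placement (assumed rule): prefer below the input, flip above it if
// that would overflow the bottom of the content area, then clamp (shrinking if
// the dropdown is larger than the area) so it never leaves the content area of
// the window that owns the input, and so can never cover another window's UI.
function clampedPlacement(anchor, size, contentArea) {
  const rect = unclampedPlacement(anchor, size);
  if (bottom(rect) > bottom(contentArea) && anchor.y - size.height >= contentArea.y) {
    rect.y = anchor.y - size.height; // flip above the input
  }
  const width = Math.min(size.width, contentArea.width);
  const height = Math.min(size.height, contentArea.height);
  const x = Math.min(Math.max(rect.x, contentArea.x), right(contentArea) - width);
  const y = Math.min(Math.max(rect.y, contentArea.y), bottom(contentArea) - height);
  return { x, y, width, height };
}

// Constructed scenario in the spirit of the report: the attacker page's content
// area, a cross-origin popup window sitting directly below it, and an address
// field positioned near the bottom edge so the dropdown would hang over the popup.
const SCENARIO = {
  contentArea:  { x: 300, y: 100, width: 1000, height: 700 }, // spans y 100..800
  popupWindow:  { x: 300, y: 800, width: 500,  height: 400 }, // spans y 800..1200
  addressField: { x: 320, y: 760, width: 250,  height: 30 },  // bottom edge at y 790
  dropdownSize: { width: 300, height: 180 },
};

// Returns both placements plus the checks a reviewer would want to see.
function evaluateScenario(s = SCENARIO) {
  const naive = unclampedPlacement(s.addressField, s.dropdownSize);
  const safe = clampedPlacement(s.addressField, s.dropdownSize, s.contentArea);
  return {
    naive,
    safe,
    naiveOverlapsPopup: intersects(naive, s.popupWindow),
    safeOverlapsPopup: intersects(safe, s.popupWindow),
    safeInsideContentArea: contains(s.contentArea, safe),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(evaluateScenario(), null, 2));
}
```

In the sample scenario the naive dropdown occupies y 790..970 and overlaps the popup window, whereas the clamped placement flips above the field (y 580..760) and stays inside the content area. A real implementation would also have to handle the browser's own chrome (address bar, permission prompts) as part of the area the dropdown may not cover, which the rectangle model here only captures by keeping the dropdown inside the content area.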
Comment 3•3 years ago
This is a separate demonstration, but it looks pretty much like the same issue as bug 1753339. We'll hold on to this one for now and check back when that one is fixed to make sure this really is just a variant demonstration and not a separate bug.
Comment 4•3 years ago
The severity field is not set for this bug.
:mak, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5•2 years ago
Per comment https://bugzilla.mozilla.org/show_bug.cgi?id=1753339#c22, this still repros in 112.0.1 Stable (Build ID 20230414125621) but no longer repros in 114.0a1 Nightly (Build ID 20230421030443). Probably fixed as part of bug 1826622.
Can the team make sure this makes it into Stable as a security fix, along with any other relevant processes (such as marking this as fixed)?
Comment 7•2 years ago
(In reply to Alesandro Ortiz from comment #5)
> Per comment https://bugzilla.mozilla.org/show_bug.cgi?id=1753339#c22, this still repros in 112.0.1 Stable (Build ID 20230414125621) but no longer repros in 114.0a1 Nightly (Build ID 20230421030443). Probably fixed as part of bug 1826622.

Thanks for confirming.

> Can the team make sure this makes it into Stable as a security fix, along with any other relevant processes (such as marking this as fixed)?

Yeah, that looks like it has already been uplifted to 113. 112 was released last week, so the patch came too late for that.
Comment 8•2 years ago
Although the underlying flaw turned out to be fixable at the same spot, in theory an autofill dropdown created by chrome-privileged code might have had different behavior than HTML datalist or select elements created in a web content context. It's better to make this set of testcases "depend on" the patched bug and have this bug marked fixed and independently verified.
Comment 9•2 years ago
Comment 10•2 years ago
I have reproduced this issue on Win 10 x64, with an affected Nightly build (20220202214623).
The scenarios mentioned in comment 0 are not reproducing anymore on the latest builds, Nightly 114.0a1, RC 113.0 and ESR 102.11.0. Tested with Win 10 x64.