Closed Bug 1789348 Opened 3 years ago Closed 3 years ago

bypass - toast notification fullscreen not shown lead to spoofing

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 109+ fixed
firefox108 + fixed

People

(Reporter: sas.kunz, Assigned: edgar)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-esr102.7-])

Attachments

(2 files)

Attached file pocnew - Copy.html

Hello, I found a vulnerability when:

  1. Open pocnew - Copy.html
  2. Wait until "Double Click Here" appears
  3. Double click / click multiple times on "Double Click Here" until fullscreen. The fullscreen toast notification is not shown.
Flags: sec-bounty?

Hello, I found a vulnerability where I can bypass the fullscreen toast notification, leading to spoofing (the fullscreen toast notification is not shown).

1. Open pocnew - Copy.html
2. Wait until "Double Click Here" appears
3. Double click / click multiple times on "Double Click Here" until fullscreen. The fullscreen toast notification is not shown.

I attached the video PoC.

Mozilla Firefox version : 104.0.1 (64-bit)

Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core

Edgar, could you take a look? Thanks.

Flags: needinfo?(echen)
Keywords: csectype-spoof

We've seen this bypass the toast on Windows sometimes, and sometimes not (and not on Mac). Plus, it's so busy with the testcase when would you get believable "fake browser" content loaded? Still wrong, if we can fix it.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low

I tried on Linux; sometimes the toast shows with a massive delay, especially when a lot of iframes have been appended, but it still shows eventually. Maybe there is some room to optimize, but the test is so busy, I'm not sure how much we could do.

Severity: -- → S3
Flags: needinfo?(echen)

I think bug 1795139 would also help this.

Assignee: nobody → echen
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

Edgar: We shouldn't make security bugs a duplicate of a more general fix, we should mark them as "depends on" so they get tested as security bugs after the fix, and an advisory issued if appropriate.

Especially true when tracking bug bounty submissions.

Depends on: CVE-2022-46877
No longer duplicate of bug: CVE-2022-46877
Resolution: DUPLICATE → FIXED
Flags: sec-bounty? → sec-bounty+
Group: dom-core-security → core-security-release

Did we want to uplift bug 1795139 to ESR102? It does graft cleanly, but a sec-low rating also doesn't make it super high priority IMO.

Flags: needinfo?(echen)

This is probably worth uplifting to ESR; although this is a sec-low, it also helps other sec bugs in some way, like bug 1794622.

Flags: needinfo?(echen)
Target Milestone: --- → 108 Branch

The advisory for the 102.7 ESR uplift will also go in bug 1795139 and reuse the advisory Tom R. wrote there.

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-esr102.7-]
Group: core-security-release
