Closed Bug 1800203 (CVE-2023-25743) Opened 2 years ago Closed 2 years ago

fullscreen notification not shown when fullscreen lead to spoof (firefox focus - android)

Categories

(Focus :: General, defect, P1)

Product:
Focus
Component:
General
Type:
defect

Tracking

(firefox109- wontfix, firefox110+ verified, firefox111+ verified)

Status:
VERIFIED FIXED
Milestone:
111 Branch
Tracking Flags:
Tracking Status
firefox109 - wontfix
firefox110 + verified
firefox111 + verified

People

(Reporter: sas.kunz, Assigned: vdreghici)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main110+] )

Attachments

(9 files)

pocfullscreen.mp4
755.77 KB, video/mp4
Details
poc2new.html
2.40 KB, text/html
Details
google1.jpeg
23.82 KB, image/jpeg
Details
Show_snackbar_when_the_browser_enters_fullscreen_.patch
3.27 KB, patch
petru
: review+
tjr
: sec-approval+
Details | Diff | Splinter Review
show_fullscreen_banner.mp4
380.23 KB, video/mp4
Details
Bug_1800203__Add_fullscreen_snackbar_for_Focus_Beta.patch
3.12 KB, patch
petru
: review+
Details | Diff | Splinter Review
Bug_1800203__Add_fullscreen_snackbar_for_Focus_Release.patch
3.12 KB, patch
petru
: review+
Details | Diff | Splinter Review
Screenshot_2023-02-02-16-52-34-13_11753d9bf2a67eec1c984b8ccb4d0671.jpg
705.41 KB, image/jpeg
Details
advisory.txt
271 bytes, text/plain
Details
Attached video pocfullscreen.mp4

I found a vulnerability in firefox focus- android when the web page in fullscreen state the fullscreen notification not shown which can lead to spoof.

steps to produce

1.open http://103.186.0.20/poc2new.html or open poc2new.html
2. Click the open to google button
3 the fake web page is opened (fullscreen)

OS: Android 10 (Samsung M31)
Firefox Focus version: 106.1.0 (Build #362840108)
106.0-20221010181815)
AC :106.0.5, 5f06485fc3
AS:94.2.1

i attached the poc video file.
thank you

Flags: sec-bounty?
Attached file poc2new.html
Attached image google1.jpeg
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Focus
Version: unspecified → 5.2
Component: Security: Android → General

Chris: does this affect Fenix also? If not what's different about the two?

Flags: needinfo?(cpeterson)
Keywords: csectype-spoof, sec-high

This in not affect on fenix. On firefox focus when the fullscreen state the toast not shown at all

The Fenix bug is bug 1798798.

Severity: -- → S2
Flags: needinfo?(cpeterson)
Priority: -- → P2
See Also: → CVE-2023-25748
Assignee: nobody → vlad.dreghici

Added recording

Comment on attachment 9312992 [details] [diff] [review]
Show_snackbar_when_the_browser_enters_fullscreen_.patch

Very close to what we do on Fenix. LGTM.

Attachment #9312992 - Flags: review+

Comment on attachment 9312992 [details] [diff] [review]
Show_snackbar_when_the_browser_enters_fullscreen_.patch

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: An exploit cannot be constructed.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: No branches
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It would not be hard.
  • How likely is this patch to cause regressions; how much testing does it need?: Not likely
  • Is Android affected?: No
Attachment #9312992 - Flags: sec-approval?

Comment on attachment 9312992 [details] [diff] [review]
Show_snackbar_when_the_browser_enters_fullscreen_.patch

Approved to land and request uplift

Attachment #9312992 - Flags: sec-approval? → sec-approval+

Regarding the form and the question about uplifting the change I think it is a good candidate with the patch being small and solving an important security issue.

Attachment #9313988 - Flags: review?(petru.lingurar)

Comment on attachment 9313987 [details] [diff] [review]
Bug_1800203__Add_fullscreen_snackbar_for_Focus_Beta.patch

Same patch as on Nightly. Looks good, thanks!

Attachment #9313987 - Flags: review+

Comment on attachment 9313988 [details] [diff] [review]
Bug_1800203__Add_fullscreen_snackbar_for_Focus_Release.patch

Same patch as on Nightly. Looks good, thanks!

Attachment #9313988 - Flags: review?(petru.lingurar) → review+

Comment on attachment 9313988 [details] [diff] [review]
Bug_1800203__Add_fullscreen_snackbar_for_Focus_Release.patch

Added patches for beta and release

Flags: needinfo?(tom)
Flags: needinfo?(cpeterson)

[Tracking Requested - why for this release]:

tracking-firefox109: --- → ?
tracking-firefox110: --- → ?

Tested and added patches for beta and release, requesting approval for uplift.

Comment on attachment 9313988 [details] [diff] [review]
Bug_1800203__Add_fullscreen_snackbar_for_Focus_Release.patch

Don't need me anymore; Relman will review the uplift request

Flags: needinfo?(tom)
Status: UNCONFIRMED → ASSIGNED
status-firefox109: --- → affected
status-firefox110: --- → affected
status-firefox111: --- → affected
Ever confirmed: true
Flags: needinfo?(cpeterson)
Priority: P2 → P1
Version: 5.2 → Trunk

I don't think this warrants shipping out of band to v109, but we should definitely get this uplifted to v110 after it lands on Nightly.

status-firefox109: affectedwontfix
tracking-firefox109: ? → ---
tracking-firefox110: ?+
tracking-firefox111: --- → +

If we're going to fix this in time to uplift to v110 as well, this needs to land ASAP. We're building RCs in less than a week and have only one mobile beta left before that.

Flags: needinfo?(petru.lingurar)
Flags: needinfo?(Vlad.DreghiciPopa)
Flags: needinfo?(petru.lingurar)

Landing the Nightly patch in https://github.com/mozilla-mobile/firefox-android/pull/683.
It's a small change that if QA verifies can probably be uplifted tomorrow.

Landed on main:
https://github.com/mozilla-mobile/firefox-android/commit/0f7deea29065beb4f46443a28e62add9ed9b4551

Group: mobile-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox111: affectedfixed
Flags: needinfo?(Vlad.DreghiciPopa) → qe-verify+
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch

Verified as implemented on the latest Focus Nightly 111.0a1 from 2/2 with the following devices:

  • Google Pixel 6 (Android 13),
  • Lenovo tablet M10 (Android 10),
  • HTC 10 (Android 8),
  • Samsung Galaxy Note 8 (Android 9),
  • Oppo Reno 6 (Android 12), and
  • Oppo Find X3 Lite (Android 11).

Please submit a v110 backport PR so we can include it in today's final beta

Flags: needinfo?(Vlad.DreghiciPopa)

Uplift PR ready: https://github.com/mozilla-mobile/firefox-android/pull/692
Asked CPetereson to approve.

Flags: needinfo?(Vlad.DreghiciPopa)

Approved and landed!

Verified as implemented on the latest Focus Beta 110.0b5 also with the following devices:

  • Google Pixel 6 (android 13),
  • Sony Xperia Z5 Premium (Android 7.1.1),
  • Samsung Galaxy Note 8 (Android 9), and
  • Lenovo tablet M10 (Android 10).
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty? → sec-bounty+
Attached file advisory.txt
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [adv-main110+]
Alias: CVE-2023-25743
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: