1816287 - (CVE-2023-37207) Obscuring the Full-Screen notification in Firefox Using maximized external application window (e.g. via mailto:)

Status: VERIFIED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Shaheen Fazim]

Attachment: poc.rar

In Firefox, an Attacker Can Conceal Fullscreen Notification.

When the victim clicks the button, the following proof-of-concept (POC) triggers the launch of User default mail application using the MailTo URI and Fullscreen simultaneously. This obscures the full-screen notification and loads a spoofed page in the background.

I have also tested the proof of concept on Chromium. The notification is displayed above the mail application, indicating to the user that it is in full-screen mode.

Steps to Reproduce:

1. Download and extract the file poc.rar to a folder
2. Open poc.html in a Firefox browser to Begin testing.

Video Demonstration: https://youtu.be/zlM3iqqzxzo (YouTube Unlisted)

Comment 1

[Shaheen Fazim]

This report is similar to the one I recently submitted regarding a Fenix bug on Android (https://bugzilla.mozilla.org/show_bug.cgi?id=1816007). This is a similar method which can be utilized in Firefox Desktop via the mailto URI.

The latest Firefox Nightly version (Version 111.0a1 (2023-02-11) (64-bit)) was tested and it was found that a prompt feature is not present in the desktop Firefox Nightly version compared to the Nightly build of Android Fenix, which provides a prompt for external intents on Android (this offers an extra layer of security, even if an attacker could later hide the fullscreen notification).

Solution: The recommended approach to address this issue on Firefox desktop is to give precedence to the fullscreen notification over other external applications, similar to how Chrome handles it. Alternatively, blocking external calls when the fullscreen call is made simultaneously is another viable solution.

Comment 2

[Shaheen Fazim]

I believe that Google Chrome has not completely addressed this this issue, as the full-screen notification appearing on top of the mail application can lead to confusion for the user. A more straightforward solution would be to block the "mailto" URI when it is initiated with the full-screen function on Firefox Browsers.

Comment 3

[Andrew McCreight [:mccr8]]

Could you please submit your test cases as zip files instead of rar files? Zip files are easier to open. Thanks.

Comment 4

[Shaheen Fazim]

Attachment: poc.zip

Sure :)

Comment 5

[Edgar Chen [:edgar]]

Maybe we could consider reminding user that the page is in fullscreen mode when a fullscreen page backs to foreground, but not sure if user would feel annoyed (we could make the timer of hiding notification shorter for this case though). Or we could just exit fullscreen mode while the fullscreen page tries to handle a external protocol, like what we do for window.open.

Comment 6

[Shaheen Fazim]

(In reply to Edgar Chen [:edgar] from comment #5)

Maybe we could consider reminding user that the page is in fullscreen mode when a fullscreen page backs to foreground, but not sure if user would feel annoyed (we could make the timer of hiding notification shorter for this case though). Or we could just exit fullscreen mode while the fullscreen page tries to handle a external protocol, like what we do for window.open.

Exiting fullscreen mode while the fullscreen page tries to handle an external protocol (similar to window.open) would be a better approach.

Comment 7

[Daniel Veditz [:dveditz]]

Should we exit full screen anytime the user switches focus outside of Firefox? Maybe they would get annoyed by that. Certainly, though, we should exit fullscreen if it's Firefox, rather than the user, giving focus to another app.

Comment 8

[Edgar Chen [:edgar]]

(In reply to Edgar Chen [:edgar] from comment #5)

Maybe we could consider reminding user that the page is in fullscreen mode when a fullscreen page backs to foreground, but not sure if user would feel annoyed (we could make the timer of hiding notification shorter for this case though).

If we want to do this, we probably should make it less annoying, there are some discussions in bug 1196588.

(In reply to Daniel Veditz [:dveditz] from comment #7)

Should we exit full screen anytime the user switches focus outside of Firefox? Maybe they would get annoyed by that. Certainly, though, we should exit fullscreen if it's Firefox, rather than the user, giving focus to another app.

I think we don't want to leave fullscreen every time the window loses focus, which could be annoying in certain cases, e.g. for dual screen users (bug 724554). However, if Firefox gives focus to another window/application, we should exit fullscreen.

Comment 9

[Shaheen Fazim]

I believe that this issue is similar, and even easier to exploit, than the issue mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1746448 . Can you explain why my issue was classified as "sec-moderate" while the similar issue was considered a "sec-high" bug?

Comment 10

[Shaheen Fazim]

This vulnerability not only affects Windows, but also other operating systems that have a mail application. I have tested this on Ubuntu, which uses both Mozilla Firefox and Thunderbird mail application. When the URI is launched, it overlaps the fullscreen notification using both of these applications.

Note: I am using a VirtualBox Ubuntu, therefore the response for launching the mail application may vary depending on the performance or device.

<a href="mailto:notsecurity@notmozilla.com" onclick="document.documentElement.requestFullscreen();">Send Email to Security Team</a>

Video Demonstration: https://youtu.be/vpXWiTCPs1I (YouTube Unlisted)

Comment 11

[Daniel Veditz [:dveditz]]

could be annoying in certain cases, e.g. for dual screen users

Good point. Both my kids spend most of their on-line time in that configuration, with a full-screen video playing in one monitor while they do whatever else they are doing in the other monitor.

Can you explain why my issue was classified as "sec-moderate" while the similar issue was considered a "sec-high" bug?

spoofing is borderline high at best to start with, and whether this POC works as well as it does in your movie is at the mercy of the remembered size of mail window. In bug 1746448 he was in control of the size of the Firefox-generated popup. This attack would likely work for users with small screens, but it didn't work for me. With a wide monitor it's extremely uncomfortable to write mail with 50cm lines of text. My more-comfortably sized mail window didn't cover up the toast. And in your comment 10 video the toast is clearly visible before the mail window pops up, though I acknowledge that a lot of people could miss it, and that you might be able to tighten up the timing. We'll discuss it when the bounty committee looks at the bug.

Comment 12

[Shaheen Fazim]

Yes, you are right. 'It works at the mercy of the remembered size of the mail window'.

It will impact users mainly on smaller screen sizes and have an impact on medium-sized screens where users are comfortable typing mail in full-screen, and less on higher resolutions (It may affect the user if their mail application is set in full-screen or put in the center with a comfortable size).

Comment 14

[:Gijs (he/him)]

(In reply to Daniel Veditz [:dveditz] from comment #7)

Certainly, though, we should exit fullscreen if it's Firefox, rather than the user, giving focus to another app.

I expect we can't determine this - we just hand the protocol (or the file) to the OS, and we don't know if that's going to open another app or not, if it's going to be on the same display in the case of multi-display/screen setups, etc. etc.

As I noted in one of the dupes, AFAICT no browser does anything about this - my experience is different from comment 0, and the exploit works just as well against chromium or edge.

Comment 15

[Shaheen Fazim]

friendly ping

Comment 16

[Andrew McCreight [:mccr8]]

Edgar, could you look into fixing this? It is a few months old now. Thanks.

Comment 17

[Hsin-Yi Tsai (she/her) [:hsinyi]]

(In reply to Andrew McCreight [:mccr8] from comment #16)

Edgar, could you look into fixing this? It is a few months old now. Thanks.

Sean will give it a try here. Some ramp-up time is expected and we appreciate people's patience while we're trying to make progress :)

Comment 18

[Sean Feng [:sefeng]]

Attachment: Bug 1816287 - Always exit fullscreen when triggering on external protocol r=edgar

It's a security risk such that the maximized external program can obscure
the fullscreen notification and the malicious site can use this trick
to load a spoofed page in the background without user notices it.

This patch minimized the risk by always exit the fullscreen mode when
an external protocol is triggered.

Comment 19

[Shaheen Fazim]

Hi team, do we have any update on "reporter argues for sec-high", My rationale for raising the security level from "medium" to "high" for the given issue is that the most commonly used resolution is 1920x1080 . Users with this resolution usually utilize the mail application in fullscreen mode, and the exploit functions well with this resolution. While we can also consider other resolutions (> 1920x1080, may affect the user if their mail application is set in full-screen or put in the center with a comfortable size), they are not as widely used and don't cover the majority of the user base.

Comment 20

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Landed: https://hg.mozilla.org/integration/autoland/rev/6fa00ccfe7e070f75412debed34172c79506e57b

Backed out for build bustages in LocationBase.cpp:
https://hg.mozilla.org/integration/autoland/rev/2ac2c1885fd7c911b0f9f4efac106ea893717546

Push with failures
Failure log

[task 2023-05-17T16:52:24.534Z] 16:52:24    ERROR -  /builds/worker/checkouts/gecko/dom/base/LocationBase.cpp:176:5: error: You must immediately return after calling this function
[task 2023-05-17T16:52:24.535Z] 16:52:24     INFO -      aRv.Throw(rv);
[task 2023-05-17T16:52:24.535Z] 16:52:24     INFO -      ^

Comment 21

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Always exit fullscreen when triggering on external protocol r=edgar
https://hg.mozilla.org/integration/autoland/rev/cce919d19bee4e65aeaa91187e2d2c9870e82b50
https://hg.mozilla.org/mozilla-central/rev/cce919d19bee

Comment 22

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:sefeng, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox114 to wontfix.

For more information, please visit BugBot documentation.

Comment 24

[Sean Feng [:sefeng]]

Attachment: 0001-Bug-1816287-Always-exit-fullscreen-when-triggering-o.patch

ESR Approval Request Comment
[Feature/Bug causing the regression]: Triggering an external protocol may cause the fullscreen notification obscured.
[User impact if declined]: Users may under risk if they visit the malicious website.
[Is this code covered by automated tests?]: YES
[Has the fix been verified in Nightly?]: YES
[Needs manual test from QE? If yes, steps to reproduce]: YES

For me, this was a serious issue on Windows, so I'd like QE to make sure Windows is convered.

1. Download and extract the poc.zip in this bug
2. Load poc.html in Firefox
3. Click Send Email to Security Team
4. The page will try to enter fullscreen bug, but it should exit from it automatically.

[Why is the change risky/not risky?]: Exiting fullscreen for external protocol is not a risky change.
[String changes made/needed]: No

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Comment 25

[Ciprian Georgiu, Desktop QA]

I've reproduced the bug using STR from comment 24, on an affected Nightly build (2023-02-11) with Win 11 x64.

The issue is not reproducing anymore on latest Beta 115.0b8 with Win 11 x64.

Comment 26

[Donal Meehan [:dmeehan]]

Comment on attachment 9339608 [details] [diff] [review]
0001-Bug-1816287-Always-exit-fullscreen-when-triggering-o.patch

Approved for 102.13esr.

Comment 27

[Donal Meehan [:dmeehan]]

https://hg.mozilla.org/releases/mozilla-esr102/rev/1a652c68ff2a

Comment 28

[Jason Kratzer [:jkratzer]]

Attachment: advisory.txt

Comment 29

[Ryan VanderMeulen [:RyanVM]]

Sean, there was some issues with the new test on ESR102 where it looks like the rebase didn't go smoothly. We pushed a follow-up to address a couple obvious problems which at least got the test running, but it was still permanently timing out and we ended up skipping it for now.
https://hg.mozilla.org/releases/mozilla-esr102/rev/da917366ac91

This is what the failure screenshots looked like in general:
https://firefoxci.taskcluster-artifacts.net/TxFu6KM8Som83ASa2ZYoqQ/0/public/test_info/mozilla-test-fail-screenshot_t60ciog_.png

Not sure if you had any thoughts about what might be wrong to see if we can get the test re-enabled or not.

Comment 30

[Sean Feng [:sefeng]]

That looks like the mail uri handler was not working properly, I'll see if I can fix it.

Comment 31

[Ciprian Georgiu, Desktop QA]

FWIW we've checked this with ESR 102.13.0-build1 on Win 11 x64 as well, and the issue is still reproducible (but this seems to be caused by the problems mentioned in comment 29 and comment 30).

Comment 32

[Sean Feng [:sefeng]]

Attachment: store-pending-fullscreen-for-element-requestfullscreen.patch

ESR Approval Request Comment
[Feature/Bug causing the regression]: Our fullscreen behaviour works differently in ESR than in Nightly, so the original fix only fixes Nightly but not ESR. This patch cherry-picks an existing change in Nightly that brings the fullscreen behaviour on par.

[User impact if declined]: Users may still under risk if they visit the malicious website that tries to use fullscreen to attack them.

[Needs manual test from QE? If yes, steps to reproduce]: If possible, I'd like another verification from QE. Same steps as before:

1. Download and extract the poc.zip in this bug
2. Load poc.html in Firefox
3. Click 'Send Email to Security Team'
4. The page will try to enter fullscreen, but it should exit from it automatically.

[Why is the change risky/not risky?]: The patch has been landed in Nightly for a long time.
[String changes made/needed]: None

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Comment 33

[Donal Meehan [:dmeehan]]

Comment on attachment 9341768 [details] [diff] [review]
store-pending-fullscreen-for-element-requestfullscreen.patch

Approved for 102.13esr.

Comment 34

[Donal Meehan [:dmeehan]]

https://hg.mozilla.org/releases/mozilla-esr102/rev/3ba84f15ffa6092b5587de58f09dbc4240bcf8e2

Comment 35

[Ciprian Georgiu, Desktop QA]

This issue is verified as fixed on 102.13esr-build2 with Win 10 x64.