Obscuring the Full-Screen notification in Firefox Using maximized external application window (e.g. via mailto:)
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: fazim.pentester, Assigned: sefeng)
References
Details
(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: reporter argues for sec-high [reporter-external] [client-bounty-form] [verif?][adv-main115+][adv-esr102.13+])
Attachments
(6 files)
13.71 KB,
application/vnd.rar
|
Details | |
13.69 KB,
application/x-zip-compressed
|
Details | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
14.49 KB,
patch
|
dmeehan
:
approval-mozilla-esr102+
|
Details | Diff | Splinter Review |
213 bytes,
text/plain
|
Details | |
5.74 KB,
patch
|
dmeehan
:
approval-mozilla-esr102+
|
Details | Diff | Splinter Review |
In Firefox, an Attacker Can Conceal Fullscreen Notification.
When the victim clicks the button, the following proof-of-concept (POC) triggers the launch of User default mail application using the MailTo URI and Fullscreen simultaneously. This obscures the full-screen notification and loads a spoofed page in the background.
I have also tested the proof of concept on Chromium. The notification is displayed above the mail application, indicating to the user that it is in full-screen mode.
Steps to Reproduce:
- Download and extract the file poc.rar to a folder
- Open poc.html in a Firefox browser to Begin testing.
Video Demonstration: https://youtu.be/zlM3iqqzxzo (YouTube Unlisted)
Reporter | ||
Comment 1•1 year ago
|
||
This report is similar to the one I recently submitted regarding a Fenix bug on Android (https://bugzilla.mozilla.org/show_bug.cgi?id=1816007). This is a similar method which can be utilized in Firefox Desktop via the mailto URI.
The latest Firefox Nightly version (Version 111.0a1 (2023-02-11) (64-bit)) was tested and it was found that a prompt feature is not present in the desktop Firefox Nightly version compared to the Nightly build of Android Fenix, which provides a prompt for external intents on Android (this offers an extra layer of security, even if an attacker could later hide the fullscreen notification).
Solution: The recommended approach to address this issue on Firefox desktop is to give precedence to the fullscreen notification over other external applications, similar to how Chrome handles it. Alternatively, blocking external calls when the fullscreen call is made simultaneously is another viable solution.
Reporter | ||
Comment 2•1 year ago
|
||
I believe that Google Chrome has not completely addressed this this issue, as the full-screen notification appearing on top of the mail application can lead to confusion for the user. A more straightforward solution would be to block the "mailto" URI when it is initiated with the full-screen function on Firefox Browsers.
Comment 3•1 year ago
|
||
Could you please submit your test cases as zip files instead of rar files? Zip files are easier to open. Thanks.
Comment 5•1 year ago
|
||
Maybe we could consider reminding user that the page is in fullscreen mode when a fullscreen page backs to foreground, but not sure if user would feel annoyed (we could make the timer of hiding notification shorter for this case though). Or we could just exit fullscreen mode while the fullscreen page tries to handle a external protocol, like what we do for window.open
.
Reporter | ||
Comment 6•1 year ago
|
||
(In reply to Edgar Chen [:edgar] from comment #5)
Maybe we could consider reminding user that the page is in fullscreen mode when a fullscreen page backs to foreground, but not sure if user would feel annoyed (we could make the timer of hiding notification shorter for this case though). Or we could just exit fullscreen mode while the fullscreen page tries to handle a external protocol, like what we do for
window.open
.
Exiting fullscreen mode while the fullscreen page tries to handle an external protocol (similar to window.open) would be a better approach.
Comment 7•1 year ago
|
||
Should we exit full screen anytime the user switches focus outside of Firefox? Maybe they would get annoyed by that. Certainly, though, we should exit fullscreen if it's Firefox, rather than the user, giving focus to another app.
Comment 8•1 year ago
|
||
(In reply to Edgar Chen [:edgar] from comment #5)
Maybe we could consider reminding user that the page is in fullscreen mode when a fullscreen page backs to foreground, but not sure if user would feel annoyed (we could make the timer of hiding notification shorter for this case though).
If we want to do this, we probably should make it less annoying, there are some discussions in bug 1196588.
(In reply to Daniel Veditz [:dveditz] from comment #7)
Should we exit full screen anytime the user switches focus outside of Firefox? Maybe they would get annoyed by that. Certainly, though, we should exit fullscreen if it's Firefox, rather than the user, giving focus to another app.
I think we don't want to leave fullscreen every time the window loses focus, which could be annoying in certain cases, e.g. for dual screen users (bug 724554). However, if Firefox gives focus to another window/application, we should exit fullscreen.
Reporter | ||
Comment 9•1 year ago
|
||
I believe that this issue is similar, and even easier to exploit, than the issue mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1746448 . Can you explain why my issue was classified as "sec-moderate" while the similar issue was considered a "sec-high" bug?
Reporter | ||
Comment 10•1 year ago
|
||
This vulnerability not only affects Windows, but also other operating systems that have a mail application. I have tested this on Ubuntu, which uses both Mozilla Firefox and Thunderbird mail application. When the URI is launched, it overlaps the fullscreen notification using both of these applications.
Note: I am using a VirtualBox Ubuntu, therefore the response for launching the mail application may vary depending on the performance or device.
<a href="mailto:notsecurity@notmozilla.com" onclick="document.documentElement.requestFullscreen();">Send Email to Security Team</a>
Video Demonstration: https://youtu.be/vpXWiTCPs1I (YouTube Unlisted)
Comment 11•1 year ago
|
||
could be annoying in certain cases, e.g. for dual screen users
Good point. Both my kids spend most of their on-line time in that configuration, with a full-screen video playing in one monitor while they do whatever else they are doing in the other monitor.
Can you explain why my issue was classified as "sec-moderate" while the similar issue was considered a "sec-high" bug?
spoofing is borderline high at best to start with, and whether this POC works as well as it does in your movie is at the mercy of the remembered size of mail window. In bug 1746448 he was in control of the size of the Firefox-generated popup. This attack would likely work for users with small screens, but it didn't work for me. With a wide monitor it's extremely uncomfortable to write mail with 50cm lines of text. My more-comfortably sized mail window didn't cover up the toast. And in your comment 10 video the toast is clearly visible before the mail window pops up, though I acknowledge that a lot of people could miss it, and that you might be able to tighten up the timing. We'll discuss it when the bounty committee looks at the bug.
Reporter | ||
Comment 12•1 year ago
|
||
Yes, you are right. 'It works at the mercy of the remembered size of the mail window'.
It will impact users mainly on smaller screen sizes and have an impact on medium-sized screens where users are comfortable typing mail in full-screen, and less on higher resolutions (It may affect the user if their mail application is set in full-screen or put in the center with a comfortable size).
Updated•1 year ago
|
Updated•1 year ago
|
Comment 14•1 year ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #7)
Certainly, though, we should exit fullscreen if it's Firefox, rather than the user, giving focus to another app.
I expect we can't determine this - we just hand the protocol (or the file) to the OS, and we don't know if that's going to open another app or not, if it's going to be on the same display in the case of multi-display/screen setups, etc. etc.
As I noted in one of the dupes, AFAICT no browser does anything about this - my experience is different from comment 0, and the exploit works just as well against chromium or edge.
Reporter | ||
Comment 15•1 year ago
|
||
friendly ping
Comment 16•1 year ago
|
||
Edgar, could you look into fixing this? It is a few months old now. Thanks.
Comment 17•1 year ago
•
|
||
(In reply to Andrew McCreight [:mccr8] from comment #16)
Edgar, could you look into fixing this? It is a few months old now. Thanks.
Sean will give it a try here. Some ramp-up time is expected and we appreciate people's patience while we're trying to make progress :)
Assignee | ||
Comment 18•1 year ago
|
||
It's a security risk such that the maximized external program can obscure
the fullscreen notification and the malicious site can use this trick
to load a spoofed page in the background without user notices it.
This patch minimized the risk by always exit the fullscreen mode when
an external protocol is triggered.
Updated•1 year ago
|
Updated•1 year ago
|
Reporter | ||
Comment 19•1 year ago
|
||
Hi team, do we have any update on "reporter argues for sec-high", My rationale for raising the security level from "medium" to "high" for the given issue is that the most commonly used resolution is 1920x1080 . Users with this resolution usually utilize the mail application in fullscreen mode, and the exploit functions well with this resolution. While we can also consider other resolutions (> 1920x1080, may affect the user if their mail application is set in full-screen or put in the center with a comfortable size), they are not as widely used and don't cover the majority of the user base.
Updated•1 year ago
|
Comment 20•1 year ago
|
||
Landed: https://hg.mozilla.org/integration/autoland/rev/6fa00ccfe7e070f75412debed34172c79506e57b
Backed out for build bustages in LocationBase.cpp:
https://hg.mozilla.org/integration/autoland/rev/2ac2c1885fd7c911b0f9f4efac106ea893717546
Push with failures
Failure log
[task 2023-05-17T16:52:24.534Z] 16:52:24 ERROR - /builds/worker/checkouts/gecko/dom/base/LocationBase.cpp:176:5: error: You must immediately return after calling this function
[task 2023-05-17T16:52:24.535Z] 16:52:24 INFO - aRv.Throw(rv);
[task 2023-05-17T16:52:24.535Z] 16:52:24 INFO - ^
Comment 21•1 year ago
|
||
Always exit fullscreen when triggering on external protocol r=edgar
https://hg.mozilla.org/integration/autoland/rev/cce919d19bee4e65aeaa91187e2d2c9870e82b50
https://hg.mozilla.org/mozilla-central/rev/cce919d19bee
Updated•1 year ago
|
Comment 22•1 year ago
|
||
The patch landed in nightly and beta is affected.
:sefeng, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox114
towontfix
.
For more information, please visit BugBot documentation.
Assignee | ||
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Assignee | ||
Comment 24•1 year ago
|
||
ESR Approval Request Comment
[Feature/Bug causing the regression]: Triggering an external protocol may cause the fullscreen notification obscured.
[User impact if declined]: Users may under risk if they visit the malicious website.
[Is this code covered by automated tests?]: YES
[Has the fix been verified in Nightly?]: YES
[Needs manual test from QE? If yes, steps to reproduce]: YES
For me, this was a serious issue on Windows, so I'd like QE to make sure Windows is convered.
- Download and extract the
poc.zip
in this bug - Load
poc.html
in Firefox - Click
Send Email to Security Team
- The page will try to enter fullscreen bug, but it should exit from it automatically.
[Why is the change risky/not risky?]: Exiting fullscreen for external protocol is not a risky change.
[String changes made/needed]: No
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Updated•1 year ago
|
Comment 25•1 year ago
|
||
I've reproduced the bug using STR from comment 24, on an affected Nightly build (2023-02-11) with Win 11 x64.
The issue is not reproducing anymore on latest Beta 115.0b8 with Win 11 x64.
Comment 26•1 year ago
|
||
Comment on attachment 9339608 [details] [diff] [review]
0001-Bug-1816287-Always-exit-fullscreen-when-triggering-o.patch
Approved for 102.13esr.
Comment 27•1 year ago
|
||
uplift |
Updated•1 year ago
|
Comment 28•1 year ago
|
||
Updated•1 year ago
|
Comment 29•1 year ago
|
||
Sean, there was some issues with the new test on ESR102 where it looks like the rebase didn't go smoothly. We pushed a follow-up to address a couple obvious problems which at least got the test running, but it was still permanently timing out and we ended up skipping it for now.
https://hg.mozilla.org/releases/mozilla-esr102/rev/da917366ac91
This is what the failure screenshots looked like in general:
https://firefoxci.taskcluster-artifacts.net/TxFu6KM8Som83ASa2ZYoqQ/0/public/test_info/mozilla-test-fail-screenshot_t60ciog_.png
Not sure if you had any thoughts about what might be wrong to see if we can get the test re-enabled or not.
Updated•1 year ago
|
Assignee | ||
Comment 30•1 year ago
|
||
That looks like the mail uri handler was not working properly, I'll see if I can fix it.
Comment 31•1 year ago
|
||
FWIW we've checked this with ESR 102.13.0-build1 on Win 11 x64 as well, and the issue is still reproducible (but this seems to be caused by the problems mentioned in comment 29 and comment 30).
Assignee | ||
Comment 32•1 year ago
|
||
ESR Approval Request Comment
[Feature/Bug causing the regression]: Our fullscreen behaviour works differently in ESR than in Nightly, so the original fix only fixes Nightly but not ESR. This patch cherry-picks an existing change in Nightly that brings the fullscreen behaviour on par.
[User impact if declined]: Users may still under risk if they visit the malicious website that tries to use fullscreen to attack them.
[Needs manual test from QE? If yes, steps to reproduce]: If possible, I'd like another verification from QE. Same steps as before:
- Download and extract the poc.zip in this bug
- Load poc.html in Firefox
- Click 'Send Email to Security Team'
- The page will try to enter fullscreen, but it should exit from it automatically.
[Why is the change risky/not risky?]: The patch has been landed in Nightly for a long time.
[String changes made/needed]: None
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Comment 33•1 year ago
|
||
Comment on attachment 9341768 [details] [diff] [review]
store-pending-fullscreen-for-element-requestfullscreen.patch
Approved for 102.13esr.
Comment 34•1 year ago
|
||
uplift |
Comment 35•1 year ago
|
||
This issue is verified as fixed on 102.13esr-build2 with Win 10 x64.
Updated•1 year ago
|
Updated•11 months ago
|
Updated•8 months ago
|
Updated•19 days ago
|
Description
•