Closed Bug 1821155 Opened 1 year ago Closed 1 year ago

keyboard layout hides fullscreen notification on landscape mode on firefoxfocus, leads to spoof

Categories

(Focus :: General, defect, P2)

Tracking

(firefox111 wontfix, firefox112 fixed, firefox113 fixed)

RESOLVED FIXED
113 Branch
Tracking Status
firefox111 --- wontfix
firefox112 --- fixed
firefox113 --- fixed

People

(Reporter: sas.kunz, Assigned: petru)

References

Details

(Keywords: csectype-spoof, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main112+])

Attachments

(7 files, 1 obsolete file)

I found a vulnerability in Firefox Focus (landscape mode): when clicking on the text box while running fullscreen, the keyboard layout opens and covers the fullscreen notification.

Steps to reproduce:

  1. Go to http://103.186.0.20/fullscreenfocus.html
  2. Click on the text box (hides the fullscreen notification)
Flags: sec-bounty?
Attached file firefoxfocus.html
Attached image googlebar3.jpeg

Updated steps to reproduce:

  1. Go to http://103.186.0.20/fullscreenfocus.html (open in landscape mode)
  2. Click on the text box (hides the fullscreen notification)

I tested on a Samsung M31 (Android 10).

Group: firefox-core-security → mobile-core-security
Status: UNCONFIRMED → NEW
Component: Security → General
Ever confirmed: true
Product: Firefox → Focus
Severity: -- → S2
Priority: -- → P2

I updated the PoC; please see the new PoC video. The fullscreen notification is closed by a Telegram notification (still in landscape mode).

Attached video nightlypoc.mp4

It also affects Nightly.

Petru, based on your similar work for bug 1816059, do you know if a Toast would appear over the system keyboard? I'm wondering if we can just use that same fix here in Focus.

Flags: needinfo?(petru.lingurar)

Yes, a Toast does not know what is being shown on the screen; it will be shown at a specific location on top of anything that's showing, so bug 1816059 would fix this also.

Depends on: CVE-2023-29534
Flags: needinfo?(petru.lingurar)
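The distinction drawn in the two comments above, as an added illustration that is not Firefox Focus's own code: a notice drawn as a View inside the app's window (here a Snackbar, the alternative the reporter later mentions) can be covered by the soft keyboard, while a text Toast is a separate system-managed window stacked above the app and the IME. `GeckoSession.ContentDelegate.onFullScreen` is the real GeckoView callback for fullscreen changes; `FullscreenNoticeDelegate`, `currentUrl` and `R.string.fullscreen_notice` are assumed names.

```kotlin
// Added illustration, not Firefox Focus code. Shows the two ways a fullscreen
// notice can be surfaced and why only one of them survives the soft keyboard.
import android.app.Activity
import android.net.Uri
import android.view.View
import android.widget.Toast
import com.google.android.material.snackbar.Snackbar
import org.mozilla.geckoview.GeckoSession

class FullscreenNoticeDelegate(private val activity: Activity) : GeckoSession.ContentDelegate {

    // Assumed: the app tracks the current page URL elsewhere; only the host is shown.
    var currentUrl: String? = null

    // Real GeckoView callback: fired when content enters or leaves fullscreen.
    override fun onFullScreen(session: GeckoSession, fullScreen: Boolean) {
        if (!fullScreen) return
        val host = currentUrl?.let { Uri.parse(it).host } ?: return
        showNoticeAboveKeyboard(host)
    }

    // Pattern the report describes as spoofable: a Snackbar is a View in the
    // activity's own window, so the IME window (large in landscape) is drawn over it.
    fun showNoticeInAppWindow(host: String) {
        val root = activity.findViewById<View>(android.R.id.content)
        // R.string.fullscreen_notice is an assumed resource, e.g. "%1$s is now full screen".
        val text = activity.getString(R.string.fullscreen_notice, host)
        Snackbar.make(root, text, Snackbar.LENGTH_LONG).show()
    }

    // Mitigation the comments describe: a text Toast lives in its own window
    // above the app and the soft keyboard, independent of the view hierarchy.
    fun showNoticeAboveKeyboard(host: String) {
        val text = activity.getString(R.string.fullscreen_notice, host)
        Toast.makeText(activity, text, Toast.LENGTH_LONG).show()
    }
}
```

The security point is the window the notice lives in, not the widget: anything laid out inside the app's content view inherits the app window's z-order and can be hidden by the IME. A Toast is dismissed after a few seconds, so it has to be tied to the moment the page enters fullscreen, which the callback above provides.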

@Hafiizh Can you confirm that the current Nightly avoids this issue?

Flags: needinfo?(sas.kunz)

Petru, it's fixed.

Flags: needinfo?(sas.kunz)

Thank you for the confirmation!

Assignee: nobody → petru.lingurar
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

This fix can ride the trains in 112. We don't need to uplift to a 111 dot release if the bug isn't being actively exploited.

Group: mobile-core-security → core-security-release
Target Milestone: --- → 113 Branch

As we expected, this did turn out to be fixed by the redesigned mechanism in bug 1816059, making this essentially a dupe for purposes of the bug bounty.

Flags: sec-bounty? → sec-bounty-

Hey Daniel, your development team decided to use a toast or snackbar 12 days ago on bug https://bugzilla.mozilla.org/show_bug.cgi?id=1816059 (in comment 13 (Petru)), while this bug 1821155 was opened the day before your team decided to use a toast or snackbar, and it hadn't been fixed yet, and your team went to https://bugzilla.mozilla.org/show_bug.cgi?id=1822140 to decide to use a toast instead of a snackbar. I also didn't know you would use a toast. Don't say you redesigned it for bug bounty reasons. Sigh.

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main112+]
Attached file advisory.txt (obsolete)
Attached file advisory.txt
Attachment #9327540 - Attachment is obsolete: true
Group: core-security-release