Closed Bug 1821576 Opened 2 years ago Closed 2 years ago

safety browsing alert notification hides fullscreen notification on firefoxfocus, leads to spoof

Categories

(Focus :: General, defect)

Tracking

(firefox111 wontfix, firefox112 fixed, firefox113 fixed)

RESOLVED FIXED
113 Branch

People

(Reporter: sas.kunz, Assigned: petru)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

I found a vulnerability in Firefox Android where a safety browsing alert notification can cover fullscreen notifications, which can lead to spoofs. I tested after the fix: https://github.com/mozilla-mobile/firefox-android/pull/1133 (https://bugzilla.mozilla.org/show_bug.cgi?id=1819254)

Steps to reproduce

1. Open http://103.186.0.20/focus.html or firefox.html
2. Click on the "go to google" button (when the button is clicked it shows a safety browsing alert that covers the fullscreen notification)

OS: Android 10 (Samsung M31)

I attached the PoC video files.
Thank you.

Flags: sec-bounty?
Attached file focus.html

firefox focus version:
1.0.2310(Build #11)
112.0a1-20230306094520
AS:97.1.0

Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Focus

Thank you!
Would be fixed with the same approach as on bug 1816059.

Status: UNCONFIRMED → NEW
Depends on: CVE-2023-29534
Ever confirmed: true
See Also: → 1822305
See Also: → 1822298

@Hafiizh Can you confirm that the current Nightly avoids this issue?

Flags: needinfo?(sas.kunz)

Petru, it's fixed.

Flags: needinfo?(sas.kunz)

Thank you for the confirmation!

Assignee: nobody → petru.lingurar
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
Target Milestone: 112 Branch → 113 Branch
Group: mobile-core-security → core-security-release

As we expected, this did turn out to be fixed by the redesigned mechanism in bug 1816059 making this essentially a dupe for purposes of the bug bounty.

Flags: sec-bounty? → sec-bounty-

Bounty questions should be directed to security@mozilla.com, thanks.

Group: core-security-release