Closed Bug 1821906 Opened 1 year ago Closed 1 year ago

Geolocation permission hide notification fullscreen

Categories

(Fenix :: General, defect)

Product:
Fenix
Component:
General
Type:
defect

Tracking

(firefox111 wontfix, firefox112 fixed, firefox113 fixed)

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox111 --- wontfix
firefox112 --- fixed
firefox113 --- fixed

People

(Reporter: sas.kunz, Assigned: petru)

References

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(6 files, 1 obsolete file)

video_2023-03-12_20-21-24.mp4
1.72 MB, video/mp4
Details
geofullscreen2.html
2.54 KB, text/html
Details
google.jpg
22.18 KB, image/jpeg
Details
video_2023-03-13_08-31-16.mp4
1.97 MB, video/mp4
Details
Screenshot_20230317-225623_Firefox Nightly.jpg
128.25 KB, image/jpeg
Details
advisory.txt
12 bytes, text/plain
Details
Attached video video_2023-03-12_20-21-24.mp4 (obsolete) —

I found a vulnerability in firefox nightly (i tested on Samsung M31 ) where a geolocation permission alert notification can cover fullscreen notifications which can lead to spoofs.

step to reproduces:

  1. https://pipabajabakrie.com/upload/geofullscreen.html
  2. click on button "Try it"
Flags: sec-bounty?

new POC:

  1. open https://pipabajabakrie.com/upload/geofullscreen2.html
  2. click on button "Open GOOGLE"
Attached file geofullscreen2.html
Attached image google.jpg
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix
Attachment #9322600 - Attachment is obsolete: true

Thank you!
Important to note that this only affects the scenarios in which the toolbar is placed at the bottom (default).
Would be fixed with the same approach as on bug 1816059.

Status: UNCONFIRMED → NEW
status-firefox111: --- → affected
status-firefox112: --- → affected
status-firefox113: --- → affected
Depends on: CVE-2023-29534
Ever confirmed: true

@Hafiizh Can you confirm that the current Nightly avoids this issue?

Flags: needinfo?(sas.kunz)

Petru its fixed

Flags: needinfo?(sas.kunz)

Thank you for the confirmation!

Assignee: nobody → petru.lingurar
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox112: affectedfixed
status-firefox113: affectedfixed
Resolution: --- → FIXED
status-firefox111: affectedwontfix
Target Milestone: --- → 113 Branch
Group: mobile-core-security → core-security-release

As we expected, this did turn out to be fixed by the redesigned mechanism in bug 1816059 making this essentially a dupe for purposes of the bug bounty.

Flags: sec-bounty? → sec-bounty-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: