Closed Bug 1835469 Opened 2 years ago Closed 1 year ago

Android Firefox Fullscreen Toast Message Hide Using Keyboard inside SplitScreen Mode

Categories

(Firefox for Android :: General, defect, P3)


Tracking


VERIFIED FIXED
121 Branch
Tracking Status
firefox121 --- fixed
firefox125 --- verified
firefox126 --- verified
firefox127 --- verified

People

(Reporter: sec4life, Assigned: towhite)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [fixed by bug 1823316][reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached file split-spoof.html

Whenever the browser enters Fullscreen Mode, it shows a Toast which lets users know that they are going into Fullscreen mode of the browser, but when Firefox is opened inside split screen mode on Android, it fails to show the FullScreen mode toast message because the Keyboard hides it from the screen.

This issue is more likely to be exploited via the Custom Tab feature of the browser, which means users will normally use Split Screen mode for multi-tasking on Android and they may use any apps which open the link in a Custom Tab, like Telegram. Suppose Telegram and YouTube were opened in Split Screen mode and the user receives the attacker's link on Telegram; after he clicks the link it will be opened inside the Custom Tab of Firefox and from there the phishing attack can be done.

## Steps To Reproduce:

  1. Open Firefox and any other application inside Split Screen Mode.
  2. Next, in Firefox open the attached file split-spoof.html.
  3. Click on the button available on the page.
  4. Notice that the browser steps into Fullscreen Mode and shows a phishing page of Facebook.
  5. Also notice that the FullScreen Toast message is not visible because of the Keyboard.

## Browser Tested on:
org.mozilla.firefox (Android Firefox)
Version: 113.2.0

## Note:
Chromium browsers are also vulnerable to this issue and I have filed the report to them via bugs.chromium.org

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix

Thanks for this bug report and the test case.

:skhan can reproduce the bug in Firefox 115 on her Google Pixel 6 running Android 13, but I can't reproduce in Firefox 113 on my Samsung Galaxy A51 running Android 13 or my Moto G5 running Android 8.1. I see the "Entering full screen mode" toast pop up and then the keyboard opens behind the toast.

When in non-split-screen mode, the "Enter full screen mode" toast is displayed in front of the keyboard's space bar. See the attached screenshot.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Priority: P2 → --

Makoto, this bug's test case opens the keyboard in front of our "Entering full screen mode" toast message. The user doesn't know they are in full screen mode so the page can then spoof the Firefox UI and steal passwords for other sites.

Can we control the toast message's Z order so that it remains in front of the keyboard?

Or can we position the toast message at the top of the screen instead of the bottom? Then the keyboard wouldn't cover it. Plus I think the user would be more likely to see a toast message at the top of the screen.

Also, the toast message is only shown for 2 seconds, which seems very short. A longer time would be easier for users to notice (if the keyboard wasn't hiding the toast). Sarah says we can set the toast time to either 2 or 3.5 seconds.

Flags: needinfo?(m_kato)
Priority: -- → P3
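As an added illustration of the mitigation options discussed in this comment (it is not Fenix or Android Components code, and it uses the plain Android WebView `WebChromeClient` API rather than GeckoView), the hypothetical class below dismisses the soft keyboard before showing the "Entering full screen mode" toast, so an open IME can no longer be drawn over the notice. Class and method names other than the Android framework ones are assumptions.

```kotlin
// Added example, not the project's own code: hypothetical WebChromeClient
// that drops the IME before showing the fullscreen notice.
import android.content.Context
import android.view.View
import android.view.inputmethod.InputMethodManager
import android.webkit.WebChromeClient
import android.webkit.WebView
import android.widget.Toast

class FullscreenNoticeChromeClient(
    private val context: Context,
    private val webView: WebView
) : WebChromeClient() {

    private var fullscreenView: View? = null
    private var exitCallback: CustomViewCallback? = null

    // WebView calls this when page JavaScript enters fullscreen
    // (element.requestFullscreen()).
    override fun onShowCustomView(view: View, callback: CustomViewCallback) {
        fullscreenView = view
        exitCallback = callback

        // Dismiss the keyboard first: a focused input on the page (as in the
        // split-screen case) would otherwise keep the IME open in front of a
        // bottom-anchored toast.
        val imm = context.getSystemService(Context.INPUT_METHOD_SERVICE) as InputMethodManager
        imm.hideSoftInputFromWindow(webView.windowToken, 0)
        webView.clearFocus()

        // LENGTH_SHORT is about 2 s and LENGTH_LONG about 3.5 s on Android;
        // the longer duration gives the user more time to notice the change.
        Toast.makeText(context, "Entering full screen mode", Toast.LENGTH_LONG).show()

        // The host Activity is assumed to attach `view` to its decor view and
        // hide the browser chrome here (not shown).
    }

    override fun onHideCustomView() {
        exitCallback?.onCustomViewHidden()
        fullscreenView = null
        exitCallback = null
    }
}
```

Dismissing the keyboard is preferred here over the "move the toast to the top" option because, from Android 11 onward, `Toast.setGravity()` is ignored for text toasts shown by apps targeting API 30 or later, so a plain toast cannot be relied on to appear anywhere but its default position.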

> ## Note:
> Chromium browsers are also vulnerable to this issue and I have filed the report to them via bugs.chromium.org

Could you paste the link to the chromium bug here, please? We won't be able to see the content but it helps coordinate when we can send them the reference to what we're talking about.

Chris:
Is it really "full-screen" when it's only part of the screen? Maybe Fenix should just ignore requestFullscreen when we already don't have the full screen?

I'm assuming a malicious page could guess they were in splitscreen based on window dimensions, but this seems like a pretty small victim pool to target for a phishing-type scam.

Flags: needinfo?(sec4life)
Flags: needinfo?(cpeterson)

Here's the chromium report of this issue - https://bugs.chromium.org/p/chromium/issues/detail?id=1449313

Flags: needinfo?(sec4life)

(In reply to Daniel Veditz [:dveditz] from comment #4)

> Is it really "full-screen" when it's only part of the screen? Maybe Fenix should just ignore requestFullscreen when we already don't have the full screen?

The page is "full split screen" on Firefox's half of the screen.

> I'm assuming a malicious page could guess they were in splitscreen based on window dimensions, but this seems like a pretty small victim pool to target for a phishing-type scam.

IIUC, I don't think the phishing potential of "full split screen" mode is any less than "full screen" mode: the Firefox address bar still disappears. Devices have different screen sizes, so I think a page that wanted to spoof Firefox's address bar (at the bottom of the screen) would always need to check the viewport dimensions. So it would automatically handle address bar spoofing in "full split screen" mode.

Flags: needinfo?(cpeterson)

Although I don't know how to show a toast in Fenix/AC, the toast position can be set above the keyboard.

Flags: needinfo?(m_kato)

This was resolved by the fix made in https://bugzilla.mozilla.org/show_bug.cgi?id=1823316. Please can you retest and let us know?

Hi team,
I did the re-test on the latest release of Firefox for Android, version 119.1.1, and noticed that the FullScreen Notification toast is visible now because the keyboard gets dropped down as soon as the browser triggers FullScreen. Fix works!

Flags: qe-verify+
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Assignee: nobody → towhite
Group: mobile-core-security → core-security-release
Depends on: CVE-2023-6870
Target Milestone: --- → 121 Branch
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [fixed by bug 1823316][reporter-external] [client-bounty-form] [verif?]

We have decided not to award a bounty for this bug. As noted in our policy we are interested in encouraging research into more severe vulnerabilities and award bounties to sec-low bugs only when they are interesting and novel.

Flags: sec-bounty? → sec-bounty-

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter.

Group: core-security-release

Confirming this issue is no longer reproducible on the latest Firefox for Android versions of Nightly 127.0a1 from 04/29, Beta 126.0b6 and Dot Release 125.3.0. Tested with Google Pixel 8 Pro (Android 14).

Status: RESOLVED → VERIFIED
Flags: qe-verify+