Closed Bug 1836921 (CVE-2024-11700) Opened 2 years ago Closed 1 year ago

Tapjacking Android dialog to launch intents

Categories

(Firefox for Android :: Browser Engine, defect, P2)

Product:
Firefox for Android
Component:
Browser Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
134 Branch
Tracking Flags:
Tracking Status
firefox132 --- wontfix
firefox133 + fixed
firefox134 + fixed

People

(Reporter: fazim.pentester, Assigned: amejia)

References

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid][reminder-test 2025-01-21][adv-main133+] [qa-triaged])

Attachments

(8 files, 6 obsolete files)

tapjack-screenrecord.mp4
1.54 MB, video/mp4
Details
poc.html
1.37 KB, text/html
Details
demo.mp4
839.25 KB, video/mp4
Details
Bug 1836921 - Improve dialogs
48 bytes, text/x-phabricator-request
tjr
: sec-approval+
Details | Review
Bug 1836921 - Improve dialogs tests
48 bytes, text/x-phabricator-request
Details | Review
Bug 1836921 - Improve dialogs
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
advisory.txt
315 bytes, text/plain
Details
RedBox1.mp4
1.14 MB, video/mp4
Details
Attached file poc.html (obsolete) โ€”

Android applications with unpatched vulnerabilities can be launched from a browser using Intents. Firefox confirms with users whether they want to launch an external application before proceeding, providing protection against these vulnerabilities.

In this proof of concept, I will demonstrate a method where an attacker could lure the victim into unknowingly allow an intent through Tapjacking, using an engaging game.

Steps to Reproduce:
1 . Download the file poc.html to a folder
2. Start a Python server on the same folder by running the command python -m http.server 8080.
3. Open the Android Firefox browser and navigate to the server at http://{YOUR-SERVER-IP}:8080/poc.html to Begin testing.

Flags: sec-bounty?

Video Demonstration: https://youtu.be/EEgzG7ZqcYY (YouTube Unlisted)

Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix
See Also: → CVE-2024-6605
Depends on: CVE-2024-6605
Summary: Tapjacking Android Permission Dialogue to Launch Intents → Tapjacking Android Dialog to Launch Intents

Shaheen, thanks for the POC. I'll make sure this bug gets triaged.

Severity: -- → S2
Component: General → Browser Engine
Priority: -- → P2
Status: UNCONFIRMED → NEW
Ever confirmed: true
No longer depends on: CVE-2024-6605
Severity: S2 → S3
Priority: P2 → P3

Friendly ping.

Assigning this bug to Android squad 2.

Priority: P3 → P2
See Also: → https://mozilla-hub.atlassian.net/browse/FXDROID-2265
Summary: Tapjacking Android Dialog to Launch Intents → Tapjacking Android dialog to launch intents
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [group2]
Assignee: nobody → gmalekpour
Status: NEW → ASSIGNED
Attached video tapjack-screenrecord.mp4 โ€”

I'm having a tough time reproducing this on Android. I see the counter (x6, x5, ...) on the browser but nothing happens when I click on the red box on my Pixel.

Attached file test.html (obsolete) โ€”

My original PoC was outdated (I believe the intent I provided no longer works), but I have just attached a new PoC. Please try with this one test.html.

Attached file poc.html โ€”
Attachment #9337626 - Attachment is obsolete: true
Attachment #9411831 - Attachment is obsolete: true
Attached video demo.mp4 โ€”

Hi Gela, I just updated the PoC ( poc.html ). Can you test this again and see if it is working? Thank you.

Flags: needinfo?(gmalekpour)
Attachment #9411843 - Attachment description: WIP: Bug 1836921 - Delay launching intent to avoid tapjacking → WIP: Bug 1836921 - Delay launching intent
Attachment #9411843 - Attachment description: WIP: Bug 1836921 - Delay launching intent → WIP: Bug 1836921 - Delay launching intent to avoid tapjacking
Attachment #9411843 - Attachment is obsolete: true
Attached file Bug 1836921 - Delay tap enablement (obsolete) โ€”
Blocks: CVE-2025-1940
See Also: → CVE-2025-1940
Flags: needinfo?(gmalekpour)
Attachment #9413371 - Attachment description: WIP: Bug 1836921 - Delay tap enablement → Bug 1836921 - Delay tap enablement
Attached file Bug 1836921 - Delay launching intents (obsolete) โ€”
Attached file Bug 1836921 - Delay launching intents (obsolete) โ€”
Attachment #9413901 - Attachment is obsolete: true
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group2] → [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid]

Hi, can we get an update on this issue? Thanks.

Hi Gela, could you update on the issue? Thank you.

Flags: needinfo?(gmalekpour)

Hello, apologies for the delay. I put up a patch for this a while back but there were some feedbacks on it and other high priority items came up but I am picking this back up today. I will post an update here once I make progress.

Flags: needinfo?(gmalekpour)
Attachment #9413904 - Attachment is obsolete: true
Attachment #9413371 - Attachment is obsolete: true

Depends on D226961

Assignee: gmalekpour → amejiamarmol

Comment on attachment 9433431 [details]
Bug 1836921 - Improve dialogs

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It's not that easy.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta, and release
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Not likely, we are reassuring a already existing security component for prompts
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9433431 - Flags: sec-approval?

Comment on attachment 9433431 [details]
Bug 1836921 - Improve dialogs

Approved to land and uplift

Attachment #9433431 - Flags: sec-approval? → sec-approval+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid] → [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid][reminder-test 2025-01-21]
Pushed by amejiamarmol@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/37cac02470a4 Improve dialogs r=android-reviewers,Roger
Pushed by amejiamarmol@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5f943d5e0ab7 Improve dialogs r=android-reviewers,Roger

https://hg.mozilla.org/mozilla-central/rev/5f943d5e0ab7

Group: mobile-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox134: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

Arturo, please add a beta uplift request on this when you have a moment.
I need to uplift it by eod tomorrow to include it in the final Fx133 beta build.

status-firefox132: --- → wontfix
status-firefox133: --- → affected
tracking-firefox133: --- → +
tracking-firefox134: --- → +

So far we only have done devs verification, should we need to wait until QA can validate in nightly before uplifting?

Flags: needinfo?(amejiamarmol)
Flags: qe-verify+

(In reply to Arturo Mejia [:amejia] from comment #28)

So far we only have done devs verification, should we need to wait until QA can validate in nightly before uplifting?

It can still get an uplift request with a risk assessment

Sure!
I'll proceed with the uplift!

Attachment #9437163 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: User will still experiment the exploit
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: See comment https://bugzilla.mozilla.org/show_bug.cgi?id=1836921#c0
  • Risk associated with taking this patch: The risk is low
  • Explanation of risk level: We are just preventing the allow button to be clicked to fast
  • String changes made/needed: n/a
  • Is Android affected?: yes
Attachment #9437163 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Regressions: 1931360
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid][reminder-test 2025-01-21] → [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid][reminder-test 2025-01-21][adv-main133+]
Attached file advisory.txt โ€”
Alias: CVE-2024-11700
Regressions: 1937373
No longer regressions: 1937373
Regressions: 1937373

Tom, Daniel - based on Arturo's (now left the org) comment:

Waiting until it's safe to disclose https://bugzilla.mozilla.org/show_bug.cgi?id=1836921

do you have any guidance on whether it safe to land https://phabricator.services.mozilla.com/D227275 now?

Flags: needinfo?(tom)
Flags: needinfo?(dveditz)

Yes, that's fine. I'll inquire as to why bugbot didn't run for the reminder.

Flags: needinfo?(tom)
Flags: needinfo?(dveditz)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid][reminder-test 2025-01-21][adv-main133+] → [reporter-external] [client-bounty-form] [verif?] [group2] [fxdroid][reminder-test 2025-01-21][adv-main133+] [qa-triaged]
Pushed by icedicedcoffee@proton.me: https://hg.mozilla.org/integration/autoland/rev/0d4139ade0d6 Improve dialogs tests r=android-reviewers,Roger
Group: core-security-release
Flags: qe-verify+
Attached video RedBox1.mp4 โ€”

This issue was verified on Firefox for Android Nightly 139 (2025-04-23) and RC 139 using a Samsung S24 Ultra (Android 14). The page turns into about:blank after tapping once on the red box and canceling the "Open in Phone" pop-up.

Shaheen Fazim could you please confirm that this is the expected behaviour?

Flags: needinfo?(fazim.pentester)

Expected behaviour is to protect intent prompt from multiple taps. For example, if a user quickly taps multiple times, it should not allow prompt inbetween to be approved.

It seems like in this case, we're not opening the app using tel:. I'm not sure what's causing the later behaviorโ€”like the intent prompt closing and an about:blank page opening. That part shouldn't happen, and Iโ€™m not sure if it's intentional. Could you check with the appropriate developer to see if that behavior is expected?

Flags: needinfo?(fazim.pentester)

about:blank is shown when window.open is used. Switching line 41 code from window.open('tel:1337'); to location.href = 'tel:1337'; fixes it, and I see tapjacking protection active aswell.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: