Bypass site permission clickjacking protections on Desktop by opening a new tab with window.open() and closing it after the permission timeout has expired
Categories
(Toolkit :: PopupNotifications and Notification Bars, defect, P1)
Tracking
()
People
(Reporter: haxatron1, Assigned: emz)
References
(Regression, )
Details
(5 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main116+] [adv-ESR115.1+] [adv-ESR102.14+])
Attachments
(5 files, 3 obsolete files)
|
469 bytes,
text/html
|
Details | |
|
289.10 KB,
video/webm
|
Details | |
|
529 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr102+
RyanVM
:
approval-mozilla-esr115+
tjr
:
sec-approval+
|
Details | Review |
|
214 bytes,
text/plain
|
Details |
By opening a new window maintaining it for 500ms and closing it, it bypasses clickjacking protections.
- Go to https://haxatron1-bugs.glitch.me/clickjack.html and spam click on button
I have a made a site for you to test the control setup so you can see the difference with opening a new window and without open a new window (bypass)
This URL is the site without opening a new window https://haxatron1-bugs.glitch.me/clickjack2.html.
For an even easier reproduction, go to about:config and set the activation delay parameter to 5000 =>
security.notification_enable_delay
Then reproduce the same on https://haxatron1-bugs.glitch.me/clickjack3.html, in this test case it is really obvious that the clickjacking protections are bypassed.
(In reply to haxatron1 from comment #5)
For an even easier reproduction, go to about:config and set the activation delay parameter to 5000 =>
security.notification_enable_delay
Then reproduce the same on https://haxatron1-bugs.glitch.me/clickjack3.html, in this test case it is really obvious that the clickjacking protections are bypassed.
browser has to be restarted first before the configuration can be applied.
|
||
Comment 7•2 years ago
|
||
Paul, can you take a look? I feel like bug 1826116 should have fixed this.
|
Assignee | |
Comment 8•2 years ago
|
||
(In reply to :Gijs (he/him) from comment #7)
Paul, can you take a look? I feel like bug 1826116 should have fixed this.
You might be right. I can't reproduce this on Firefox release or Nightly. I've set my security delay to 5000 and tested with the page linked in comment 0.
Reporter, which version of Firefox did you use to test this? Could you confirm that it still works on 114.0.1 or higher?
Reproduced on Windows FF 114.0.1 (64-bit)
Please use https://haxatron1-bugs.glitch.me/clickjack3.html for the 5000 ms delay, comment 0 is configured for the 500 ms delay
|
Reporter | |
Comment 10•2 years ago
|
||
let me know if you are still not able to reproduce
|
|
Reporter | |
Comment 11•2 years ago
|
||
If still not able to reproduce can also try, https://haxatron1-bugs.glitch.me/clickjack4.html which increases from 10ms to 50ms delay for the window.open() opens the new page. The important thing is that the geolocation pemission prompt must be registered first before the call to window.open()
|
|
Reporter | |
Comment 12•2 years ago
|
||
The POC positioning also might be a bit off with the bookmarks bar. On my Firefox (both nightly and 114 build), I changed bookmarks bar to show only on new tab.
|
|
||
Comment 13•2 years ago
|
||
(In reply to Paul Zühlcke [:pbz] from comment #8)
(In reply to :Gijs (he/him) from comment #7)
Paul, can you take a look? I feel like bug 1826116 should have fixed this.
For the avoidance of doubt, I can repro on 116. I just don't understand why/how, as I thought the other bug was supposed to have fixed this.
Is it possible that we either don't cancel the timeout when the popup is hidden, or don't restart the timer when the popup is reshown, or something?
|
|
Reporter | |
Comment 14•2 years ago
|
||
|
|
Reporter | |
Comment 15•2 years ago
|
||
To prevent me from accidentally modifying my own PoC, I have deleted the test cases from my my hosted website and uploaded the 5000ms delay test case onto bugzilla so that you can test on bugzilla as well. I have also moved all test cases under https://haxatron1-bugs.glitch.me/b1839073/
|
|
Assignee | |
Comment 16•2 years ago
|
||
Sorry, I had misunderstood the PoC, I can reproduce now. This is a regression of Bug 1826116 where we changed when timeShown is set. I verified this by testing with that patch reverted.
I still need to look into it more but I suspect it's because we set timeShown before the hidePanel promise resolves.
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 18•2 years ago
|
||
I think the problem is that we don't override timeShown when we call _showPanel for when we re-show it after a tab switch. See https://searchfox.org/mozilla-central/rev/3424c000a7ff304b2d1efb8561a924232f7f12fc/toolkit/modules/PopupNotifications.sys.mjs#1262
I'll submit a patch.
|
|
Assignee | |
Comment 19•2 years ago
|
||
|
|
Assignee | |
Comment 20•2 years ago
|
||
Depends on D181779
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 21•2 years ago
|
||
We have a fix, but I'm holding off from landing since this is still pending a sec rating.
|
|
Reporter | |
Comment 22•2 years ago
|
||
(In reply to Paul Zühlcke [:pbz] from comment #21)
We have a fix, but I'm holding off from landing since this is still pending a sec rating.
I think it should be the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1826116?
|
|
Assignee | |
Comment 23•2 years ago
|
||
Comment on attachment 9340510 [details]
Bug 1839073, r=Gijs!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The patch makes it obvious that there is a bug with our security delay in PopupNotifications. It does however not show the exact conditions that are needed in order for this to be exploited.
Similar to Bug 1826116. - Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: I don't expect any merge conflicts since for Bug 1826116 we already backported. This patch is a one-line change on top of that.
- How likely is this patch to cause regressions; how much testing does it need?: It's a very small change and has been verified locally.
However updating the security delay comes with the risk of breaking PopupNotification buttons. There is also the risk that we further regress and break the security delay more.
The test for Bug 1826116 and the one included in the other patch for this bug increase our test coverage of the security delay mechanism. - Is Android affected?: No
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 25•2 years ago
|
||
Comment on attachment 9340511 [details]
Bug 1839073 - Test. r=Gijs!
Clearing flag for test
|
|
||
Comment 26•2 years ago
|
||
Comment on attachment 9340510 [details]
Bug 1839073, r=Gijs!
Approved to uplift and land
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Reporter | |
Comment 27•2 years ago
|
||
(In reply to haxatron1 from comment #22)
(In reply to Paul Zühlcke [:pbz] from comment #21)
We have a fix, but I'm holding off from landing since this is still pending a sec rating.
I think it should be the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1826116?
For sec-severity, a attack scenario would be asking the user to open the new about:blank window to start a game, and when enough clicks occur in the game, the window closes and the victim accidentally clicks on the accept button of the prompt.
|
|
Assignee | |
Comment 28•2 years ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D181779
|
||
Comment 29•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 30•2 years ago
|
||
Comment on attachment 9340510 [details]
Bug 1839073, r=Gijs!
Beta/Release Uplift Approval Request
- User impact if declined: Clickjacking sec-bug. Users may be tricked into accepting permission prompts, e.g. geolocation, camera, microphone, ...
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: See comment 0
It should not be possible to interact with the prompt directly after it becomes visible. Users should only be able to interact with the Block/Allow buttons after the security delay (500 ms).
To better test this you can also increase the security delay via pref, see https://bugzilla.mozilla.org/show_bug.cgi?id=1839073#c5 - List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): It's a very small change and has been verified locally and has test coverage (test landing separately).
However updating the security delay comes with the risk of breaking PopupNotification buttons. There is also the risk that we further regress and break the security delay more. - String changes made/needed:
- Is Android affected?: No
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: See beta uplift request
- Fix Landed on Version:
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): See beta uplift request
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 31•2 years ago
|
||
It would be nice to get QA verification prior to the uplifts. I'm mentioning this because in the past we had uplifts done before the verification.
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 32•2 years ago
|
||
I tried to reproduce using 116.0b3 and 114.0.1 on Windows 10 and Windows 11 but I only managed to reproduce twice from I don't know how many tries I had so I don't think I can reliably verify this as being fixed.
These are the steps I used:
- Changed the
security.notification_enable_delay prefto5000 - Loaded https://haxatron1-bugs.glitch.me/clickjack3.html or the
clickjack-long-delay.htmlfile attached in the bug - Clicked the button (and kept clicking in the same spot where the Allow button from the notification is)
- Closed the new blank opened window (using keyboard shortcut)
Result: Clicking on the Allow did nothing for a few seconds (the delay) only after the delay was over the click was registered on Allow and the coordinates were displayed.
I don't know if I missed something but if not, could you please verify that this is fixed for you using the latest Nightly 117.0a1 build? https://archive.mozilla.org/pub/firefox/nightly/2023/07/2023-07-10-09-40-14-mozilla-central/firefox-117.0a1.en-US.win64.zip
|
|
Reporter | |
Comment 33•2 years ago
|
||
For Step 4, you have to wait the full 5000ms (when using the security pref) instead of closing the keyboard shortcut.
I can verify this as fixed on Build 17.0a1 (2023-07-10) (64-bit
|
|
||
Comment 35•2 years ago
|
||
(In reply to haxatron1 from comment #33)
For Step 4, you have to wait the full 5000ms (when using the security pref) instead of closing the keyboard shortcut.
I can verify this as fixed on Build 17.0a1 (2023-07-10) (64-bit
I get it now, I was able to reproduce it myself on the old build! \o/
Thanks for verifying on above build, I was also able to verify that this is fixed using the latest Nightly from today 2023-07-11) on both Windows 10 64bit and Windows 11.
|
||
Comment 36•2 years ago
|
||
Comment on attachment 9340510 [details]
Bug 1839073, r=Gijs!
Approved for 116.0b4
|
|
||
Comment 37•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 39•2 years ago
|
||
The test examples use the less scary geolocation prompt, but this applies to all similar prompts and the sec-high is given assuming scarier permissions like camera/mic ones.
|
|
||
Comment 40•2 years ago
|
||
Also verified as fixed using latest Beta build 116.0b4 across platforms (Windows 10, macOS 13.2 and Ubuntu 22.04).
|
|
||
Comment 41•2 years ago
|
||
Comment on attachment 9340510 [details]
Bug 1839073, r=Gijs!
Approved for 115.1esr.
|
|
||
Comment 42•2 years ago
|
||
| uplift | ||
|
|
||
Comment 43•2 years ago
|
||
Comment on attachment 9340510 [details]
Bug 1839073, r=Gijs!
And 102.14esr.
|
|
||
Comment 44•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
|
||
Comment 45•2 years ago
|
||
Verified on both esr102 and esr115 builds across platforms (Windows 10, macOS 13.2 and Ubuntu 22.04) from treeherder that contain the fix.
|
|
||
Comment 46•2 years ago
|
||
Comment on attachment 9340511 [details]
Bug 1839073 - Test. r=Gijs!
Revision D181780 was moved to bug 1844776. Setting attachment 9340511 [details] to obsolete.
|
||
Updated•2 years ago
|
|
|
||
Comment 47•2 years ago
|
||
|
|
||
Comment 48•1 years ago
|
||
2 months ago, tjr placed a reminder on the bug using the whiteboard tag [reminder-test 2023-09-12] .
pbz, please refer to the original comment to better understand the reason for the reminder.
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
Description
•