Closed Bug 1839074 Opened 2 years ago Closed 1 year ago

Firefox Android Fullscreen Notification Can Be Obscured Using Print Function

Categories

(Firefox for Android :: General, defect, P2)

Tracking

RESOLVED FIXED
130 Branch
Tracking Status
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: fazim.pentester, Assigned: polly)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][fxdroid][adv-main130-])

Attachments

(4 files, 1 obsolete file)

Attached file poc.zip (obsolete) —

Fenix for Android is vulnerable to a Fullscreen spoofing attack, where an attacker could launch the print() function in Fullscreen. Despite the victim seeing the Fullscreen toast notification, attempting to exit by using the back button or gestures only exits the print() screen and not Fullscreen, leaving the victim trapped in Fullscreen mode. This misleading exit from Fullscreen can be exploited by the attacker to display a spoofed page.

Steps to Reproduce:

  1. Download and extract the file poc.zip to a folder
  2. Start a Python server on the same folder by running the command python -m http.server 8080.
  3. Open the Android Firefox browser and navigate to the server at http://{YOUR-SERVER-IP}:8080/poc.html to begin testing.

Video Demonstration: https://youtu.be/3uoQFUjJzRo (YouTube Unlisted)

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix

The severity field is not set for this bug.
:jonalmeida, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jonalmeida942)
Severity: -- → S3
Flags: needinfo?(jonalmeida942)
Priority: -- → P2
See Also: → 1866633
See Also: → 1867485

Hello, can this be retested in the latest nightly? We recently did some fixes to fullscreen issues and it might have fixed this one too.

Yes, I have noticed changes, but when tested on the latest nightly build 122.0a1, the notification style has changed. However, the issue is still present, and new changes have made this bug more powerful. The new UI can now be fully overlapped with print(). I have reported this bug here: Bug 1867485.

[:skhan] Similar to Google Chrome (Mobile/Desktop) and Desktop Firefox, I think we should exit fullscreen when the print function is activated to solve both these bugs.

We were able to reproduce this issue on the latest versions of the application. Tested with Samsung Galaxy A53 5G (Android 13) on:

  • Nightly 122.0a1 from 12/08
  • Beta 121.0b8
  • RC 120.1.0

Attached file poc.html

I edited the poc from the zip to include the images inline so we could load it from bugzilla for convenience.

Reprising what I said in bug 1850790 comment 5:

  1. If I immediately back out of the print dialog then I will see the fullscreen toast on the spoof page; it looks fixed (but isn't: read on)
  2. If instead I stare at the screen a bit wondering "what the heck happened?" before I cancel the print dialog--maybe a few seconds--then when I exit I go back to the fullscreen spoof page WITHOUT seeing any fullscreen toast/warning
  3. In any case, when you exit the print screen dialog Firefox should NOT be in fullscreen mode. You should be in normal mode, as you are in Firefox on Desktop or Chrome on Android. Depending on the order, opening the print screen should either prevent fullscreen or kick you out of fullscreen

In addition, this testcase points out limitations to the new fullscreen toast design: Although the new color is an eye-catching improvement on most "normal" pages, if an attacker creates a page of the same color it blends in and is nearly invisible. Since this bug predates the color change I'm sure that effect is unintentional here (the toast and the spoof Mozilla VPN page both use one of our brand colors), but you can count on real attacks doing this on purpose. This is why our desktop toast has a contrasting border and some shadow, plus movement.

The toast warning seems to be even closer to the edge than it was before. I already worried it wouldn't be seen on tall screens and should be closer to the middle of the screen (say 1/3?), and now it will be that much easier to distract people away from it with flashy stuff on the other end. It's also always at the bottom, even if the URL bar is at the top. Shouldn't we put the toast on the end where the user normally looks?
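The three points in the comment above describe a state invariant (leaving the print dialog must never drop the user back into fullscreen, with or without a toast) and two orderings that have to satisfy it. The following is an added model of that interaction written for this page; it is not Fenix or GeckoView code. It has a "buggy" mode that replays the reported behaviour (print() leaves fullscreen intact and the toast times out while the dialog is open) and a "fixed" mode that encodes the requested behaviour (print() exits fullscreen, and a fullscreen request while the print dialog is open is refused). The toast timeout value is an assumption; the real lifetime is not stated on the page.

```javascript
// Added example (not Fenix code): a small model of the fullscreen/print
// interaction described in this bug.
//   "buggy" mode: print() leaves fullscreen intact; the toast expires on its
//                 own, so cancelling the dialog later lands on a fullscreen
//                 page with no warning visible.
//   "fixed" mode: print() kicks the page out of fullscreen, and a fullscreen
//                 request while the print dialog is open is refused.
const TOAST_TIMEOUT_MS = 3000; // assumed toast lifetime; the real value is not on the page

class FullscreenPrintModel {
  constructor(mode = "fixed") {
    this.mode = mode;
    this.fullscreen = false;
    this.printDialogOpen = false;
    this.toastVisible = false;
    this.toastShownAt = 0;
    this.clock = 0; // simulated milliseconds
    this.log = [];
  }

  requestFullscreen() {
    if (this.mode === "fixed" && this.printDialogOpen) {
      this.log.push("fullscreen request refused: print dialog open");
      return false;
    }
    this.fullscreen = true;
    this.toastVisible = true; // fullscreen toast is shown on entry
    this.toastShownAt = this.clock;
    this.log.push("entered fullscreen, toast shown");
    return true;
  }

  exitFullscreen(reason) {
    if (!this.fullscreen) return;
    this.fullscreen = false;
    this.toastVisible = false;
    this.log.push(`exited fullscreen (${reason})`);
  }

  print() {
    if (this.mode === "fixed") this.exitFullscreen("print requested");
    this.printDialogOpen = true;
    this.log.push("print dialog opened");
  }

  // Advance the simulated clock; the toast disappears after its timeout.
  wait(ms) {
    this.clock += ms;
    if (this.toastVisible && this.clock - this.toastShownAt >= TOAST_TIMEOUT_MS) {
      this.toastVisible = false;
      this.log.push("toast timed out");
    }
  }

  cancelPrint() {
    this.printDialogOpen = false;
    this.log.push("print dialog cancelled");
  }

  // The bad end state: back on a fullscreen page with no toast on screen.
  spoofable() {
    return this.fullscreen && !this.toastVisible && !this.printDialogOpen;
  }
}

// Replays a list of events (a method name, or [name, arg]) against a fresh
// model and returns the end state plus the event log.
function runScenario(mode, events) {
  const m = new FullscreenPrintModel(mode);
  for (const ev of events) {
    if (Array.isArray(ev)) m[ev[0]](ev[1]);
    else m[ev]();
  }
  return { fullscreen: m.fullscreen, toastVisible: m.toastVisible, spoofable: m.spoofable(), log: m.log };
}

// Scenario from the comment: enter fullscreen, call print(), stare at the
// dialog for a few seconds, then cancel it.
const stareThenCancel = ["requestFullscreen", "print", ["wait", 5000], "cancelPrint"];
const immediateCancel = ["requestFullscreen", "print", "cancelPrint"];
const printFirst = ["print", "requestFullscreen", "cancelPrint"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("buggy, stare then cancel:", runScenario("buggy", stareThenCancel));
  console.log("buggy, immediate cancel:", runScenario("buggy", immediateCancel));
  console.log("fixed, stare then cancel:", runScenario("fixed", stareThenCancel));
  console.log("fixed, print first:", runScenario("fixed", printFirst));
}
```

In "buggy" mode the immediate-cancel scenario ends with the toast still visible (point 1 in the comment), while waiting past the toast lifetime before cancelling ends on a fullscreen page with no toast (point 2). In "fixed" mode neither ordering can end in fullscreen, which is the property point 3 asks for.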

Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 1850790
Duplicate of this bug: 1866633
Duplicate of this bug: 1867485

Attaching the PoC from bug 1867485 for convenience. It's functionally the same as the original PoC but as a spoof it looks a bit better with the new toast style.

Attached video demo.mp4

Hi, thank you for reviewing this issue. I wasn't able to comment yesterday due to exams. Initially, two reports were necessary because the first one affected the stable build, and later both the beta and nightly builds. Now that the new notification has landed on stable, I agree that only one report is required.

I have attached the demo, which now works with the stable build as well. This is in reference to Bug 1867485 (which worked well with poc.zip at that time). Additionally, I have included a Chrome test where fullscreen on opening print exits (possible solution).

Attached video chrome.mp4
Attachment #9339749 - Attachment is obsolete: true

(In reply to Daniel Veditz [:dveditz] from comment #6)

Daniel, I believe this vulnerability is undervalued. It is very similar to Bug 1790815 and requires less user interaction in comparison. I have taken the time to test both bugs. While it's fair to rate the security as medium or low for the original report, I believe the new changes make it arguably a high-security bug. I am highlighting a very similar bug, Bug 1790815, that involves the print function to obscure the full-screen notification. In comparison, the current one requires less user involvement with just a single click to spoof the browser.

Please reevaluate the security rating of this issue. Thank you.

Flags: needinfo?(dveditz)
Summary: Fullscreen spoofing in Fenix by misleading exit using print() function → Firefox Android Fullscreen Notification Can Be Obscured Using Print Function

For the first point that users can immediately back out of the print dialog to see the fullscreen notification, I can counter-argue that no one has a reflex to exit the print view that immediately; everyone will be curious about what the screen is doing. Based on my spoof, perhaps the victim may actually read the ToC and exit the print window to get that FREE VPN.

The severity field for this bug is set to S3. However, the following bug duplicate has higher severity:

:jonalmeida, could you consider increasing the severity of this bug to S2?

For more information, please visit BugBot documentation.

Flags: needinfo?(jonalmeida942)
Flags: needinfo?(jonalmeida942)
Duplicate of this bug: 1841662
See Also: → 1872476
Duplicate of this bug: 1872476
See Also: 1872476
Blocks: 1874914
No longer blocks: 1874914
Depends on: 1874914
Blocks: 1874914
No longer depends on: 1874914
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [fxdroid]
Duplicate of this bug: 1874914
Duplicate of this bug: 1883139

Hi, it's been a long time. Can we update on this issue?

Friendly ping.

Hi Fazim,

(In reply to Umar Farooq [:Puf] from comment #22)

Hi Fazim,

Hello friend.

This issue is still hanging here, without a fix. A similar issue Bug 1871214 (which required a double tap), was reported only five months ago and has already been fixed and released. Why is this issue still not fixed? Kindly address it.

Hi Boek, could you please assign someone to this bug? This bug is more severe than the one mentioned above. Fullscreen spoofing is done with just a tap, and we could use a similar fix as the one above, which is to block such interactions when fullscreen is activated.

Flags: needinfo?(jboek)

Team, kindly reply to any of my messages.

Hi Shaheen, we do our best to fix all the bugs in Firefox. Unfortunately, there is only so much bandwidth we have. This bug has been triaged, and it is in our queue. Thank you for your patience.

If you have a question about the bounty for this bug, feel free to email security@mozilla.org

Flags: needinfo?(jboek)
Flags: needinfo?(dveditz)

(In reply to https://bugzilla.mozilla.org/show_bug.cgi?id=1865413#c15)

I have tested this issue on the latest nightly version. It seems this issue is also being fixed. Can you check? It shows the notification and no longer hides it.

Flags: needinfo?(polly)
Depends on: CVE-2024-8388
Flags: needinfo?(polly)

yes - thanks for retesting, Shaheen!
I agree, looks like this is no longer an issue as the full screen notification now appears above the print dialog.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Assignee: nobody → polly
Group: mobile-core-security → core-security-release
Target Milestone: --- → 130 Branch
Flags: sec-bounty? → sec-bounty+

This bug will be referenced in the advisory for the fix (bug 1902996)

Whiteboard: [reporter-external] [client-bounty-form] [verif?] [fxdroid] → [client-bounty-form][fxdroid][adv-main130-]
Group: core-security-release