Closed Bug 1840785 Opened 2 years ago Closed 2 years ago

Firefox Browser Desktop Permission Prompt Tapjacking

Categories

(Firefox :: Site Permissions, defect)

RESOLVED DUPLICATE of bug 1839073

People

(Reporter: alisyarief.404, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached video POC.mp4

VULNERABILITY DETAILS
The permission prompt UI Browser on Desktop is not protected against subsequent clicks.

If an attacker tricks the user into 2-4 clicks on a specific point on the screen (for example in a cookie clicker game), opening a permission prompt dialog will cause the user to inadvertently tap the Allow button.

VERSION

Firefox Version: 114.0.2 (64-bit)
Operating System: Windows 11

REPRODUCTION CASE

  1. Open poc.html
  2. Click the cookie 2-4 times

Chromium and Chrome are not affected when reproducing this.

MITIGATION

For smaller UI surfaces such as dialog boxes, a shorter delay like 500ms can

REFERENCE

https://bugs.chromium.org/p/chromium/issues/detail?id=1413586

Thanks

Flags: sec-bounty?
Attached file firefoxwin.html

Sorry, I updated the script and added new detail.
navigator.mediaDevices.getUserMedia({ video: true }) can't access camera with clickjacking and popup window

Permission dialogs, such as the one for accessing the camera, are displayed by the browser to ensure user consent and protect user privacy. The user must manually interact with the dialog by clicking the "Allow" or "Deny" button.

It's possible to get the user to click the "Allow" button on the camera (or similar request dialogs) with the help of a popup window.

VERSION
Firefox Version: 114.0.2 (64-bit)
Operating System: Windows 11

REPRODUCTION CASE

  1. Open https://huntertoday18.000webhostapp.com/iframe-fire.html
  2. After the cookie image is clicked. First, it is suspended by using the setTimeout() function to call navigator.mediaDevices.getUserMedia
  3. User will be clicking in the popup window
  4. The popup window closes, making the user click the "Accept" button

The exact x/y coordinates of the "Allow" button may differ by a few px depending on the user's Chrome UI, but mostly they should be the same.

Attached video Update_POC.mp4

The original description sounds like bug 1826112 (fixed in Firefox 114), and the variant with the popup sounds like bug 1839073. Unless maybe there's something specifically broken about the getUserMedia() dialog compared to other permission dialogs. Can you take a look, Paul?

Component: Security → Site Permissions
Flags: needinfo?(pbz)

Testing with both macOS and Windows 11 on Firefox 114.0.2 I can't reproduce the behavior shown with the given test site https://huntertoday18.000webhostapp.com/iframe-fire.html. The popup notification is visible and the 500ms delay is properly enforced. Setting security.notification_enable_delay to 5000 = 5 seconds makes this more obvious. The notification buttons do not work until the 5 second timer has completed.

getUserMedia uses PopupNotifications.sys.mjs too so I don't think there should be difference when it comes to clickjacking.

Dan, can you reproduce?

Flags: needinfo?(pbz) → needinfo?(dveditz)
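
The button delay discussed in the comment above, as an added example that is not part of the bug thread and is not Firefox's PopupNotifications code. It is a simplified model: the class, its methods, the `restartOnReexpose` option and the timeline are constructed for illustration, and only the 500 ms default comes from the thread. It replays one timeline against a guard that measures the delay only from when the prompt was shown and against one that also restarts it when the prompt becomes visible again.

```javascript
// Added example: simplified model of a permission-prompt click delay.
// All names are hypothetical; this is not Firefox's PopupNotifications code.
class PromptClickGuard {
  constructor({ delayMs = 500, restartOnReexpose = true } = {}) {
    this.delayMs = delayMs;
    this.restartOnReexpose = restartOnReexpose;
    this.armedAt = null; // time the delay is measured from; null = no prompt open
  }

  // The prompt was just shown: start the delay.
  onShown(t) { this.armedAt = t; }

  // The prompt became visible again (a covering window closed, focus returned).
  onReexposed(t) {
    if (this.armedAt !== null && this.restartOnReexpose) this.armedAt = t;
  }

  onDismissed() { this.armedAt = null; }

  // True only if a click at time t may activate a prompt button.
  acceptsClick(t) {
    return this.armedAt !== null && t - this.armedAt >= this.delayMs;
  }
}

// Replays [timeMs, event] pairs and returns the verdict for each click.
function replay(guard, timeline) {
  const verdicts = [];
  for (const [t, event] of timeline) {
    if (event === "shown") guard.onShown(t);
    else if (event === "reexposed") guard.onReexposed(t);
    else if (event === "dismissed") guard.onDismissed();
    else if (event === "click") verdicts.push(guard.acceptsClick(t) ? "accepted" : "ignored");
  }
  return verdicts;
}

// Constructed timeline: the prompt opens at 0 ms while another window covers it,
// the covering window closes at 600 ms, and clicks follow at 650 ms and 1200 ms.
const timeline = [
  [0, "shown"], [100, "click"], [600, "reexposed"], [650, "click"], [1200, "click"],
];

console.log(replay(new PromptClickGuard({ restartOnReexpose: false }), timeline));
console.log(replay(new PromptClickGuard({ restartOnReexpose: true }), timeline));
```

The guard that never restarts accepts the click at 650 ms because more than 500 ms have passed since the prompt opened, even though the user has only been able to see it for 50 ms.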

(In reply to Paul Zühlcke [:pbz] from comment #5)

> Testing with both macOS and Windows 11 on Firefox 114.0.2 I can't reproduce the behavior shown with the given test site https://huntertoday18.000webhostapp.com/iframe-fire.html. The popup notification is visible and the 500ms delay is properly enforced. Setting security.notification_enable_delay to 5000 = 5 seconds makes this more obvious. The notification buttons do not work until the 5 second timer has completed.
>
> getUserMedia uses PopupNotifications.sys.mjs too so I don't think there should be difference when it comes to clickjacking.
>
> Dan, can you reproduce?

I reproduced it in this video; this script is for reproducing and testing it.

Reporter, could you please test again on the latest version of Nightly? We've recently landed a fix for a similar bug.

Flags: needinfo?(alisyarief.404)

Yes, I've been testing on the latest Nightly.
There's been a delay.

So this is not a valid report?

Flags: needinfo?(alisyarief.404)

Thanks for confirming! This means it's most likely a duplicate of Bug 1839073 which was filed before this bug and has a similar PoC.

Flags: needinfo?(dveditz)

Okay.
Thanks for confirming.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-4047
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security