Closed Bug 1842587 Opened 2 years ago Closed 1 year ago

tapjacking to allow permission

Categories

(Firefox for Android :: General, defect, P3)

Tracking

RESOLVED FIXED
130 Branch
Tracking Status
firefox129 --- fixed
firefox130 --- fixed

People

(Reporter: sas.kunz, Assigned: amejia)

References

Details

(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

Attached video firefox_tapjacking.mp4

I found a tapjacking vulnerability on Firefox to allow permission.

Steps to reproduce:

  1. Open https://pipabajabakrie.com/upload/firefox.html or firefox_tapjacking.html
    (if you cannot access https://pipabajabakrie.com/upload/firefox.html, you can run your own web server (it must use a domain name); copy
    firefox_tapjacking.html)
  2. Tap on the "click here" button
  3. Double tap on the "Ok" button

Flags: sec-bounty?

It affects Firefox Android version 115.0.1.

Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix

The severity field is not set for this bug.
:jonalmeida, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jonalmeida942)
Severity: -- → S3
Priority: -- → P3
Flags: needinfo?(jonalmeida942)
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2024-6605
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Attached video 2024_06_27_03_56_11.mp4

After the fix in 1836786 I can still reproduce this bug, and it seems the fix is indeed different from 1836786.

Flags: needinfo?(dveditz)
Status: RESOLVED → REOPENED
No longer duplicate of bug: CVE-2024-6605
Resolution: DUPLICATE → ---

On 1836786 it was fixed with a delay in the permission dialog, whereas in this bug there was no delay because it was probably blocked by the window prompt.

I can't reproduce anything like either of your two movies (before and after the fix in bug 1836786) -- for me the permission prompt is shown before and on top of the prompt. In the code it looks like the timeouts are about 100ms, and that's way shorter than the time it takes for me to get my fingers from the button at the top of the screen to the buttons at the bottom.

Flags: needinfo?(dveditz)

Hi Daniel, I can still reproduce it in the latest version of Nightly. If the permission prompt is above the window prompt, you can refresh the page and start again.

Flags: needinfo?(dveditz)
Attached video 2024_07_03_16_05_50.mp4

It mostly didn't work for me because the permission prompt shows up on top, but I did eventually reproduce it twice out of 15-20 attempts.

"double-click on the OK button" is a weird thing to ask people to do so I'm dubious this is an effective spoof, but clearly our delay doesn't take into account the fact that the prompt doesn't have focus and is obscured by another prompt.

Flags: needinfo?(dveditz)
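
The gap described in the comment above (a delay that ignores whether the prompt is obscured by another prompt), modelled as an added example. This is not Firefox or Fenix code: the class names, event names and timeline are constructed, and the 100 ms value follows the approximate figure mentioned earlier in the thread.

```javascript
// Added illustration; not Fenix or GeckoView code. All names are hypothetical.
// Naive guard: the delay is counted from when the prompt is shown,
// even if another dialog covers it for that whole time.
class ShownTimeGuard {
  constructor(delayMs) { this.delayMs = delayMs; this.shownAt = null; }
  onShown(now) { this.shownAt = now; }
  onCovered() {}
  onUncovered() {}
  acceptsTap(now) {
    return this.shownAt !== null && now - this.shownAt >= this.delayMs;
  }
}

// Focus-aware guard: the delay runs only while the prompt is topmost and
// restarts each time it is uncovered.
class InteractableTimeGuard {
  constructor(delayMs) {
    this.delayMs = delayMs;
    this.shown = false;
    this.covered = false;
    this.since = null; // time the prompt last became shown AND uncovered
  }
  onShown(now) { this.shown = true; if (!this.covered) this.since = now; }
  onCovered() { this.covered = true; this.since = null; }
  onUncovered(now) { this.covered = false; if (this.shown) this.since = now; }
  acceptsTap(now) {
    return this.since !== null && now - this.since >= this.delayMs;
  }
}

// Replay [timeMs, event] pairs and collect the decision for each tap.
function replay(guard, events) {
  const decisions = [];
  for (const [t, kind] of events) {
    if (kind === "tap") decisions.push(guard.acceptsTap(t));
    else guard[kind](t);
  }
  return decisions;
}

// Constructed timeline: a page dialog covers the prompt, the first tap of a
// double tap dismisses the dialog, the second tap lands on the prompt.
const TIMELINE = [
  [0, "onCovered"], [50, "onShown"], [1000, "onUncovered"],
  [1060, "tap"], // second tap of the double tap
  [1200, "tap"], // a later, deliberate tap
];
console.log(replay(new ShownTimeGuard(100), TIMELINE));        // [ true, true ]
console.log(replay(new InteractableTimeGuard(100), TIMELINE)); // [ false, true ]
```
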

In the current Nightly 130.0a1 this is not spoofing anymore because the prompt is not shown.

fixed, possibly by bug 1908344

Status: REOPENED → RESOLVED
Closed: 1 year ago
Flags: sec-bounty- → sec-bounty+
Resolution: --- → FIXED

Arturo, could you confirm?

Flags: needinfo?(amejiamarmol)

Confirmed, it's the same issue we addressed on bug 1908344

Flags: needinfo?(amejiamarmol)
Assignee: nobody → amejiamarmol
Group: mobile-core-security → core-security-release
Depends on: CVE-2024-7523
Target Milestone: --- → 130 Branch
Group: core-security-release