Closed Bug 1852819 Opened 2 years ago Closed 2 years ago

Spoofing "Site Info" panel (on own site)

Categories

(Firefox :: Security, defect)

Firefox 117
defect

Tracking

RESOLVED WONTFIX

People

(Reporter: stanlyoncm, Unassigned)

Details

(Keywords: csectype-spoof)

Attachments

(1 file)

Attached file files.zip (156.91 KB, application/x-zip-compressed)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36

Steps to reproduce:

Title

Content Spoofing in Page Info Bubble.

Description

A vulnerability has been identified that allows an attacker to spoof the content of the Page Info Bubble on a specifically designed website. This vulnerability arises from the triggering of the blur event when clicking the Page Info Bubble button, enabling an attacker to control the context and execute malicious JavaScript code when the event is activated. This opens the door to a range of threats, including carrying out malicious actions on the victim, presenting false information such as fraudulent certificates or misleading security statements, and even inducing the victim to download malware or perform other harmful actions.

The vulnerability is exploited when the victim clicks the Page Info Bubble button, which triggers the blur event and thus allows the attacker to manipulate the context. An attacker can use JavaScript code to modify the content of the Page Info Bubble window and present false or misleading information to the victim.

Please observe the proof of concept (POC) video named poc.mp4. The video demonstrates how a visitor to a website is presented with false information when clicking the Page Info Bubble button.

Steps to Reproduce

It is important to note that the following steps achieve the spoofing of the Page Info Bubble panel using CSS and JavaScript. However, it is essential to keep in mind that, as I am not an expert in CSS, the result may not be identical to that of the video due to variations in screen resolutions and other factors. Nevertheless, I consider that achieving a completely accurate result is not essential for a simple proof of concept.

  1. Set up the Ruby interpreter on your system and install the Sinatra gem.
  2. Download the attached file named files.zip.
  3. Choose a directory on your system and proceed to unzip the contents of files.zip into it.
  4. In a terminal emulator, start the server and listen for connections by executing the following command: ruby server.rb localhost 80.
  5. Now, go to the address http://localhost/site in your web browser. Then, click the Page Info Bubble button and observe how the content spoofing takes place.

Impact

An attacker could manipulate the content of the Page Info Bubble on a specially designed website with the purpose of deceiving the victim, leading them to take unwanted actions such as downloading malware, disclosing confidential information, or executing malicious actions.

There are a number of difficulties in making this work. For one, you're not spoofing the lock icon, so if it's secure or not your in-content text will contradict the state of the icon the user just clicked on. Making the real site info panel go away requires a navigation, though reload ought to do it. You have to spoof the user's theme (but for stock themes you can detect light or dark so that's not too hard for most victims).

But how is this useful? No one cares if your own site is insecure or not, and if your site is insecure and you want to lie and say it's secure it's really your own site and users who take the hit. How would you use this to attack another site with valuable information or access?

Group: firefox-core-security
Component: Untriaged → Security
Flags: needinfo?(stanlyoncm)
Keywords: csectype-spoof
Summary: Content Spoofing in Page Info Bubble. → Spoofing "Site Info" panel (on own site)

Hi Daniel Veditz,

If the site is secure, clicking on the padlock will open the legitimate Firefox window displaying a button that says "Secure Connection." When the victim clicks on this button, another button labeled "More Information" will appear, which will open the "Page Information" window. However, through spoofing, clicking on the "Secure Connection" button gives the attacker complete control, allowing them to carry out various actions. If this spoofing is executed successfully, their main objective will be achieved, namely, the victim will be unable to verify the authenticity of the site.

Furthermore, any main action in the Firefox user interface, such as opening Pocket, will also trigger the "blur" event and, therefore, allow the spoofing to take place. In a phishing attack, an attacker seeks to deceive the victim into revealing confidential information.

Best regards.
Stan.

Flags: needinfo?(stanlyoncm)

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)

Adding the Qa-Not-Actionable for now.

QA Whiteboard: [qa-not-actionable]

This code waits for the blur event and then forces the browser to close the original popup by reloading the page.

      // Navigating to the same page reloads it; the browser's own Site Info panel
      // is dismissed by the navigation. "bind:port" is the PoC's placeholder.
      function redirect(){
        location.href = "http://bind:port/path_site";
      }

      window.addEventListener("load", showPopup);   // render the fake panel (showPopup is defined in the attached PoC)
      window.addEventListener("click", closePopup); // dismiss it on click (closePopup is defined in the attached PoC)
      window.addEventListener("blur", redirect);    // fires on any loss of focus, including clicks on browser UI

However, as Daniel said, this is not spoofing the browser UI and, as you've said, it's not linked to the specific padlock button and works for any blur.
There is nothing the browser can do about a website trying to mimic browser UI here.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(sgalich)
Resolution: --- → WONTFIX
