Open Bug 1859167 Opened 2 years ago Updated 1 year ago

Tall prompt() dialog can hide the Firefox UI, allowing site spoofing

Categories

(Firefox for Android :: Browser Engine, defect, P3)

REOPENED

People

(Reporter: proof131072, Unassigned)

Details

(Keywords: csectype-spoof, reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

We are able to cover the browser UI, including the address bar, on Android Firefox with this issue.

PoC:

<iframe src="data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuIiwgIkUtTWFpbCAvIFBhc3N3b3JkIik7PC9zY3JpcHQ+");>

Flags: sec-bounty?

Bug 1859168 and bug 1859169 are the equivalent bugs for Android Focus and iOS Focus.

Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix

They all have slightly different behaviours, I'll explain them in the near future. Btw, iOS is for Firefox not Focus :)

(In reply to James Lee from comment #2)

> They all have slightly different behaviours, I'll explain them in the near future. Btw, iOS is for Firefox not Focus :)

Is the explanation somewhere else, or is "near future" still in the future? :-)

It's a bit hard to tell from this report what is going on and/or how the three bugs relate, given you claim they have different behaviours.

Flags: needinfo?(proof131072)
Severity: -- → S3
Component: General → Browser Engine
Priority: -- → P3
Summary: Android Firefox UI Security Issue → Tall prompt() dialog can hide the Firefox UI, allowing site spoofing

This could be more useful when it's used together with other bugs which are on the list to be reported. Android ff / focus / iOS ff all differ from that perspective. Sorry for being late and thanks for summarising this.

Flags: needinfo?(proof131072)
Attached file testcase

POC decoded is

<script>prompt("\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n", "E-Mail / Password");</script>'

It doesn't cover anything on my Samsung Galaxy, but that's pretty tall. If I turn the phone sideways it does cover part of the address bar. But it's obvious that it's covering it, and you can't do anything while the prompt is open. Maybe on a shorter phone it would be more likely to work, or with more newlines. Don't really see how this spoofs anything.

So maybe there's a building block to a spoof here that we're not seeing, but there's clearly no actual spoof yet in this bug.

Status: NEW → RESOLVED
Closed: 1 year ago
Keywords: csectype-spoof
Resolution: --- → INCOMPLETE
See Also: → 1895568
Group: mobile-core-security
Flags: sec-bounty? → sec-bounty-

This works by just adding more \n which leads to spoof since we are able to hide the origin of dialog the URL bar.

There are still some PoCs and ideas I haven't shared which I'll decide if I'm going to include in this report or add on the other bug report I'll send in.

(In reply to Daniel Veditz [:dveditz] from comment #6)

> But it's obvious that it's covering it, and you can't do anything while the prompt is open.

You can type in the prompt, I think? So the latest screenshot would presumably use this to ask for an email or password without it being obvious to the user what origin was doing the asking.

I'm not convinced this is particularly problematic but I figured we should at least consider the new information rather than leaving this closed, so reopening.

Status: RESOLVED → REOPENED
Flags: needinfo?(dveditz)
Resolution: INCOMPLETE → ---

ok

Flags: needinfo?(dveditz)
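
One input-side mitigation for the behaviour discussed in this bug, as an added example (not Mozilla's code and not the fix for this bug): normalise and cap the message text before a prompt() dialog is laid out, so a run of newlines cannot stretch the dialog over the address bar. The function name `clampDialogMessage` and both limits are assumptions chosen for illustration.

```javascript
// Added illustration, not Fenix/GeckoView code. Both limits are assumed values.
const MAX_LINES = 8;   // assumed cap on rendered message lines
const MAX_CHARS = 500; // assumed cap; long lines wrap, so a line cap alone
                       // does not bound the dialog height

// Characters a layout engine may render as a line break, not only "\n".
const LINE_BREAKS = /\r\n|[\n\r\v\f\u0085\u2028\u2029]/g;

function clampDialogMessage(raw) {
  const kept = [];
  for (const line of String(raw).split(LINE_BREAKS)) {
    const blank = line.trim() === "";
    // Drop leading blank lines and collapse each run of blanks to one.
    if (blank && (kept.length === 0 || kept[kept.length - 1] === "")) continue;
    kept.push(blank ? "" : line.trimEnd());
  }
  if (kept[kept.length - 1] === "") kept.pop(); // drop a trailing blank line

  let truncated = kept.length > MAX_LINES;
  let text = kept.slice(0, MAX_LINES).join("\n");

  // Cut by code point so a surrogate pair is never split in half.
  const codePoints = Array.from(text);
  if (codePoints.length > MAX_CHARS) {
    text = codePoints.slice(0, MAX_CHARS).join("");
    truncated = true;
  }
  // Mark truncation visibly so the user knows text was cut.
  return { text: truncated ? text + "\u2026" : text, truncated };
}

// The message argument from the testcase in this bug: 31 newlines, no text.
const POC_MESSAGE = "\n".repeat(31);
// Constructed samples, not taken from the bug.
const PADDED_MESSAGE = "Enter your name\n\n\n\n\n\nthen press OK\u2028\u2028";
const LONG_MESSAGE = Array.from({ length: 20 }, (_, i) => "line " + i).join("\n");

function demo() {
  return [POC_MESSAGE, PADDED_MESSAGE, LONG_MESSAGE].map(clampDialogMessage);
}
```

Capping the input does not replace a layout-level bound (a maximum dialog height with a scrolling message area); it only removes the cheapest way to inflate the dialog.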