Clickjacking to allow permission using window.moveTo in a popup
Categories: Toolkit :: PopupNotifications and Notification Bars, defect, P1
People: Reporter: sas.kunz, Assigned: emz
Details: 4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main122+][adv-esr115.7+]
Attachments: 6 files, 1 obsolete file
I found a vulnerability where a user can fall for clickjacking to allow a permission.
I tested on Firefox version 120.0b4 (64-bit).
Steps to reproduce:
- Open clickjacknew.html, then click the open button.
- Click the "click 3 fastly" button quickly.
Comment 3•2 years ago (Assignee)
Looks like another bug with the security delay. That belongs in PopupNotifications.
Comment 5•2 years ago
Hadn't really thought about the approach Paul suggested in comment 3, but yeah: restart the clock if the window is moved.
I thought these prompts went away when users clicked outside them -- that would mostly resolve this.
Don't allow window.moveTo() (or resize()) anymore (we have a pref for that).
If we can't get rid of those actions, disallow them if there's a permission prompt showing?
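The "restart the clock if the window is moved" idea from comment 5, modelled as an added example (not Firefox's PopupNotifications code and not the patch that landed). The class, its method names, the 500 ms delay and the timeline are all assumptions made for illustration.

```javascript
// Added illustration: a model of a permission prompt's security delay.
// All names are hypothetical; this is not Firefox's implementation.
class GuardedPrompt {
  constructor(delayMs, now = () => Date.now()) {
    this.delayMs = delayMs; // assumed time the buttons ignore input after show/move
    this.now = now;         // injectable clock so the model can be tested
    this.shownAt = null;
    this.result = null;
  }

  show() {
    this.shownAt = this.now();
    this.result = null;
  }

  // Called when the host window is moved or resized. Restarting the clock
  // means a click already in flight cannot count as consent for a prompt
  // that has just been repositioned under the pointer.
  onWindowGeometryChange() {
    if (this.shownAt !== null) this.shownAt = this.now();
  }

  // Returns true only when the click is accepted as a user decision.
  click(action) {
    if (this.shownAt === null) return false;
    if (this.now() - this.shownAt < this.delayMs) return false; // too early
    this.result = action;
    this.shownAt = null;
    return true;
  }
}

// Constructed timeline: prompt shown at t=0, window moved at t=600,
// a rapid click at t=650, and a deliberate click at t=1200.
function simulate(restartOnMove) {
  let t = 0;
  const prompt = new GuardedPrompt(500, () => t);
  prompt.show();
  t = 600;
  if (restartOnMove) prompt.onWindowGeometryChange();
  t = 650;
  const rapidClick = prompt.click("allow");
  t = 1200;
  const deliberate = prompt.result === null ? prompt.click("allow") : false;
  return { rapidClick, deliberate, result: prompt.result };
}
```

Without the restart, the rapid click at t=650 is accepted because the original delay has already elapsed; with it, only the later deliberate click counts.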
Comment 6•2 years ago
The severity field is not set for this bug.
:hjones, could you have a look please?
For more information, please visit BugBot documentation.
Comment 7•2 years ago
Hanna can't see all the other sec bugs; Paul should probably look at this in terms of prioritization once bug 1865914 is fixed.
Comment 8•2 years ago (Assignee)
Comment 9•2 years ago (Assignee)
Depends on D196309
Comment 10•2 years ago
Comment 11•2 years ago
Comment 12•2 years ago
Please create a rebased patch for ESR115 and nominate it for approval when you get a chance.
Comment 13•2 years ago (Assignee)
Comment 14•2 years ago (Assignee)
Comment on attachment 9371050 [details]
Bug 1863083 - ESR, r=Gijs
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: See comment 12
- User impact if declined: Clickjacking vulnerability of permission prompts (geolocation, camera, etc).
- Fix Landed on Version: 122
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small code change that already had some bake time in Fx122.
Comment 15•2 years ago
Comment on attachment 9371050 [details]
Bug 1863083 - ESR, r=Gijs
Approved for 115.7esr.
Comment 16•2 years ago (uplift)
Comment 17•2 years ago
To attempt reproduction in Windows 10, I've downloaded the test pages locally, opened permissionshow_new.html in (affected builds) Release v121.0, Beta v121.0b6 and DevEdition v121.0b1, then clicked on the "Open" button, then made 3 fast clicks on the "Click 3 fastly" button. Unfortunately, this exploit could not be reproduced because the window would move too low after the first click, causing the other 2 clicks to land on the small window's title bar instead of the "allow" button from the permission request dialog. This would cause the small window to maximize.
Unfortunately, the same behavior can be observed in Nightly v123.0a1 and Beta v122.0b6.
Are there any preconditions to these reproduction steps? What could I be missing?
Thank you!
Comment 18•2 years ago
I meant to leave NI for the assignee, not the reporter. I apologize.
Comment 19•2 years ago (Assignee)
This one is tricky to reproduce since the PoC code relies on specific screen dimensions. I managed to reproduce it by adjusting the popup window coordinates until the buttons lined up. You can try that too by updating the coordinates (top, left, bottom, right) in the window.open call in clickjacknew.html. Let me know if that works for you.
Comment 20•2 years ago
I have modified the test page so that the issue reproduces on my screen size in Release v121.0 and ESR v115.6.0esr, and then I used the same test page in Beta v122.0b6 and Nightly v123.0a1. It would appear that the permission buttons are not "activated" even though clicks fall on the "Allow" button; however, button feedback can be observed. If the user wants to allow this permission, he will have to move the mouse before clicking the button again.
This fix behaves the same in ESR v115.7.0esr (treeherder build).
All considered, this issue is verified in Windows 10.
Comment 21•2 years ago (Assignee)
Awesome, thank you!
Comment 22•2 years ago
Comment 24•2 years ago
Comment on attachment 9368457 [details]
Bug 1863083 - Test, r=Gijs
Revision D196310 was moved to bug 1879850. Setting attachment 9368457 [details] to obsolete.
Comment 25•1 year ago
Making Firefox 122 security bugs public. [bugspam filter string: Pilgarlic-Towers]