Closed Bug 1863852 Opened 1 year ago Closed 1 year ago

Show alert/confirm/prompt dialog on another website with secure padlock displayed

Categories

(Core :: DOM: Navigation, defect)

Tracking

VERIFIED FIXED
122 Branch
Tracking Status
firefox-esr115 121+ verified
firefox119 --- wontfix
firefox120 --- wontfix
firefox121 + verified
firefox122 + verified

People

(Reporter: mccr8, Assigned: mccr8)

References

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main121-][adv-esr115.6-])

Attachments

(5 files)

This bug was originally filed by sourc7 in bug 1791283. I'm filing this for the specific issue as the bug has gotten rather long.

+++ This bug was initially created as a clone of Bug #1791283 +++

After calling canvasElement.toBlob to initialize a lot of new Workers, then redirecting location.href to another website in the cache and simultaneously calling alert, surprisingly the alert dialog message will appear on the target website with the secure padlock displayed.

On the attached testcase I demonstrate that I am able to show an alert message on https://www.example.com to trick the user into believing that the site genuinely says the URL has been changed to a phishing site and that the user will be redirected automatically; then, after a few seconds, the page is redirected to a phishing site.

Tested on:

  • Firefox Nightly 106.0a1 (2022-09-17) (64-bit) on Arch Linux
  • Firefox Nightly 106.0a1 (2022-09-17) (64-bit) on Windows 11
  • Firefox 104.0.2 (64-bit) on Arch Linux
  • Firefox 104.0.2 (64-bit) on Windows 11

Steps to reproduce:

  1. Visit https://www.example.com to add site to cache
  2. Visit the attached testcase.simplified.html
  3. Click "Spoof" button

Expected results

The browser has navigated to https://www.example.com (as seen in the address bar), and there is no alert message dialog.

Actual results

The browser has navigated to https://www.example.com (as seen in the address bar), and the attacker's alert message dialog (the text starts with "We've migrated our login page to a new URL address") appears on top of the page.

Attachment #9362746 - Attachment description: testcase.simplified.html from bug 1791283 → testcase.simplified.html

Comment on attachment 9362747 [details]
Bug 1863852 - Return early from Prompt:Open if the window isn't current.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably not too difficult. It is clearly related to prompts for pages we've navigated away from. The worker spamming to get the timing right in the example is a bit odd but maybe that's standard.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: This code looks the same on ESR115 so it should be easy. Bug 1842936 also needs to be backported, but that's also trivial looking and the code hasn't changed.
  • How likely is this patch to cause regressions; how much testing does it need?: It doesn't seem too likely.
  • Is Android affected?: Unknown
Attachment #9362747 - Flags: sec-approval?
Flags: sec-bounty?
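The patch title above, "Return early from Prompt:Open if the window isn't current", names the guard the fix adds: a prompt request that reaches the parent process after its originating document has been navigated away from must not be shown on top of the new page. The following is an added model of that check written for this page; it is not Firefox's own code, and the class names, the message shape and the URLs are constructed assumptions. It reproduces the race from comment 0 (prompt requested by a document that is then replaced by a cached cross-site navigation) and shows the late request being dropped instead of being rendered over the new site.

```javascript
// Hypothetical model of a navigation-aware prompt gate (not Firefox code).
// A BrowsingContext holds whichever document is currently displayed in a tab;
// a document that has been navigated away from stays in history but is no
// longer "current".
class BrowsingContext {
  constructor(id) {
    this.id = id;
    this.currentDocument = null;
    this.history = [];
  }
  // Replace the current document, as a cross-site navigation would.
  navigate(url) {
    const doc = { url, browsingContext: this };
    this.history.push(doc);
    this.currentDocument = doc;
    return doc;
  }
}

// Parent-side handler for "Prompt:Open" messages (constructed name, taken from
// the patch title on this page). The prompt is tied to the requesting
// document, not to whatever the tab happens to show when the message arrives.
class PromptParent {
  constructor() {
    this.shown = [];   // dialogs that were displayed
    this.dropped = []; // requests refused by the currency check
  }
  receiveMessage(msg) {
    if (msg.name !== "Prompt:Open") return null;
    const doc = msg.document;
    // The guard: return early when the requesting document is no longer the
    // document its browsing context displays. Showing it would place the old
    // page's text over the new page's URL and padlock.
    if (doc.browsingContext.currentDocument !== doc) {
      this.dropped.push(msg);
      return null;
    }
    // Label the dialog with the requesting document's origin so the user can
    // see which site is speaking.
    const dialog = { origin: new URL(doc.url).origin, text: msg.text };
    this.shown.push(dialog);
    return dialog;
  }
}

// Replays the sequence from comment 0 against the gate; constructed input.
function scenario() {
  const bc = new BrowsingContext(1);
  const parent = new PromptParent();
  // 1. The test page is current and asks for a prompt: shown, with its origin.
  const testDoc = bc.navigate("https://testcase.invalid/testcase.simplified.html");
  const first = parent.receiveMessage({
    name: "Prompt:Open", document: testDoc, text: "constructed message",
  });
  // 2. location.href sends the tab to the cached target site.
  bc.navigate("https://www.example.com/");
  // 3. A Prompt:Open from the stale test document arrives after the
  //    navigation: the check refuses it instead of drawing it over example.com.
  const second = parent.receiveMessage({
    name: "Prompt:Open", document: testDoc, text: "constructed message",
  });
  return {
    first,
    second,
    shownCount: parent.shown.length,
    droppedCount: parent.dropped.length,
    currentUrl: bc.currentDocument.url,
  };
}
```

The useful property for a reviewer is that the decision is made on the identity of the requesting document, not on timing: however the content process delays or floods the request (the Worker spam in the testcase only widens the window), a message from a document that is not current never produces a dialog, which matches the "just skip showing a prompt in a bad situation" description in the uplift request.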

Comment on attachment 9362747 [details]
Bug 1863852 - Return early from Prompt:Open if the window isn't current.

Approved to land and uplift

Attachment #9362747 - Flags: sec-approval? → sec-approval+
Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/92a36102ad36 Return early from Prompt:Open if the window isn't current. r=Gijs,smaug
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch

The patch landed in nightly and beta is affected.
:mccr8, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox121 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(continuation)
Attachment #9365047 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Is Android affected?: no
  • Steps to reproduce for manual QE testing: see comment 0
  • Risk associated with taking this patch: low
  • String changes made/needed: none
  • User impact if declined: sec-high
  • Fix verified in Nightly: yes
  • Code covered by automated testing: yes
  • Needs manual QE test: yes
  • Explanation of risk level: we just skip showing a prompt in a bad situation
Flags: qe-verify+
Attachment #9365048 - Flags: approval-mozilla-esr115?

Uplift Approval Request

  • Code covered by automated testing: yes
  • User impact if declined: sec-high
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Explanation of risk level: it just skips showing a dialogue in a bad case
  • Steps to reproduce for manual QE testing: see comment 0
  • Is Android affected?: no
  • Risk associated with taking this patch: low
  • String changes made/needed: none
Flags: needinfo?(continuation)

Comment on attachment 9365047 [details]
Bug 1863852 - Return early from Prompt:Open if the window isn't current.

Approved for 121.0b3

Attachment #9365047 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

I reproduced the initial issue using the steps from comment 0 and Firefox 104.0.1.
Verified using Firefox 121.0b3 and the latest Nightly 122.0a1 across platforms (Windows 10, macOS 13.6 and Ubuntu 22.04) that the alert message dialog is still displayed the first time I use the testcase on a new profile, but it will be closed within a second. Sometimes it's closed instantly and can barely be seen, but other times it will stay on the page for a second and then close (I think it is dependent on how fast the example.com domain is loaded).
Is this acceptable to call it fixed?

Flags: needinfo?(continuation)

Comment on attachment 9365048 [details]
Bug 1863852 - Return early from Prompt:Open if the window isn't current.

Approved for 115.6esr.

Attachment #9365048 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

This "testcase.simplified" version of the bug 1791283 problem is indeed fixed now, but it does not appear to have fixed the original bug 1791283. It was assumed that it would, which is why the rating on the old bug was downgraded to "sec-want", but since it didn't we're going to restore that one. Viewed that way, this bug is a subset of the other (showing "this site says" is worse than showing a wrong-domain alert), so we aren't going to award a bounty here.

Flags: sec-bounty? → sec-bounty-
Keywords: sec-high → sec-moderate

(In reply to Bogdan Maris, Desktop QA from comment #14)

> I reproduced the initial issue using the steps from comment 0 and Firefox 104.0.1.
> Verified using Firefox 121.0b3 and the latest Nightly 122.0a1 across platforms (Windows 10, macOS 13.6 and Ubuntu 22.04) that the alert message dialog is still displayed the first time I use the testcase on a new profile, but it will be closed within a second. Sometimes it's closed instantly and can barely be seen, but other times it will stay on the page for a second and then close (I think it is dependent on how fast the example.com domain is loaded).
> Is this acceptable to call it fixed?

Thank you for looking at this. It is okay for the dialogue to appear, as long as it only appears in front of the testcase.simplified.html and not example.com. When I try the test case for the first time, it looked like the dialog appeared briefly while the test case was loaded, but was never present at the same time as example.com was loaded. That's perfectly fine. Is that what you are seeing?

I should have specified that, and mentioned that there might be a difference in behavior between the initial load and the subsequent loads (but still with the dialogue never appearing in front of example.com), so thank you for catching that.

Flags: needinfo?(continuation)
Attached image 1863852_esr.gif

(In reply to Andrew McCreight [:mccr8] from comment #18)

> (In reply to Bogdan Maris, Desktop QA from comment #14)
>
> > I reproduced the initial issue using the steps from comment 0 and Firefox 104.0.1.
> > Verified using Firefox 121.0b3 and the latest Nightly 122.0a1 across platforms (Windows 10, macOS 13.6 and Ubuntu 22.04) that the alert message dialog is still displayed the first time I use the testcase on a new profile, but it will be closed within a second. Sometimes it's closed instantly and can barely be seen, but other times it will stay on the page for a second and then close (I think it is dependent on how fast the example.com domain is loaded).
> > Is this acceptable to call it fixed?
>
> Thank you for looking at this. It is okay for the dialogue to appear, as long as it only appears in front of the testcase.simplified.html and not example.com. When I try the test case for the first time, it looked like the dialog appeared briefly while the test case was loaded, but was never present at the same time as example.com was loaded. That's perfectly fine. Is that what you are seeing?
>
> I should have specified that, and mentioned that there might be a difference in behavior between the initial load and the subsequent loads (but still with the dialogue never appearing in front of example.com), so thank you for catching that.

Hello! Bogdan is on PTO so I took a look at this as well. Unfortunately, I can only see the behavior I think he is seeing on macOS 12 with the latest Nightly on a new profile: the dialog box appears after clicking the Spoof button for a brief time while example.com is loading (it appears on a blank page before example.com is loaded). I will leave this question open for Bogdan as well, for when he returns from PTO, to describe what he is seeing.

I have also reproduced the issue by following STR from comment 0 with Firefox 121.0a1 (2023-11-08) on Windows 10x64. After clicking the Spoof button the dialog box will be displayed on the example.com page.
I can no longer see the dialog box after following the steps from comment 0 with Firefox 122.0a1 (2023-11-28) and 121.0b4 on Windows 10x64, macOS 12 and Ubuntu 22.1.

However, I can still reproduce the issue with Firefox 115.6esr build from treeherder (comment 16) on Windows 10x64 and macOS 12. For some reason I cannot on Ubuntu 22.1. This may be intermittent sometimes (repeating the steps on a new profile will eventually trigger it). Should we reopen this issue or file another one? Or this may be because this is a treeherder build? Attached a screen recording as well. Thank you!

Flags: needinfo?(continuation)
Flags: needinfo?(bmaris)

Ah, good catch. Yeah, this actually needs bug 1842936 to be landed on ESR for it to work. I meant to uplift it, but I guess I never got around to it. I did the uplift request now, so please retest once that has landed.

Flags: needinfo?(continuation)

(In reply to Andrew McCreight [:mccr8] from comment #18)

> Thank you for looking at this. It is okay for the dialogue to appear, as long as it only appears in front of the testcase.simplified.html and not example.com. When I try the test case for the first time, it looked like the dialog appeared briefly while the test case was loaded, but was never present at the same time as example.com was loaded. That's perfectly fine. Is that what you are seeing?

That is correct, yes. Thanks for the explanation.

(In reply to Alexandru Trif, Desktop QA [:atrif] from comment #19)

> However, I can still reproduce the issue with Firefox 115.6esr build from treeherder (comment 16) on Windows 10x64 and macOS 12. For some reason I cannot on Ubuntu 22.1. This may be intermittent sometimes (repeating the steps on a new profile will eventually trigger it). Should we reopen this issue or file another one? Or this may be because this is a treeherder build? Attached a screen recording as well. Thank you!

I used the latest ESR 115 build available on treeherder and I am seeing that it is fixed there as well now across platforms (Windows 10, macOS 13.6 and Ubuntu 22.04). Closing as verified fixed.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: needinfo?(bmaris)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main121-]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main121-] → [reporter-external] [client-bounty-form] [verif?][adv-main121-][adv-esr115.6-]
See Also: → CVE-2024-1547

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release
