Closed Bug 1865413 Opened 2 years ago Closed 1 year ago

(Android) WebAuthn permissions dialog obscures fullscreen notification, leading to spoof

Categories

(Firefox for Android :: WebAuthn, defect, P2)

Tracking

RESOLVED FIXED
130 Branch
Tracking Status
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: sas.kunz, Assigned: polly)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][group4][adv-main130-])

Attachments

(3 files)

After fixing it at 1823316, I found that there was another permission dialog that blocked fullscreen notifications, namely the webauthn permission.

Steps to reproduce:

  1. open https://coral-shadowed-parrot.glitch.me/spoof.html
  2. click website

mozilla version: nightly 121.0a1
OS version: android 12

Flags: sec-bounty?

I updated the PoC.

Steps to reproduce:

  1. open https://coral-shadowed-parrot.glitch.me/spoof.html
  2. click on "setup webauthn" button
Attached file webauthn.html
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix
See Also: → CVE-2023-6870
Attached video 2023_11_18_03_28_38.mp4

Chrome also switches to fullscreen, but it shows their fullscreen warning at the bottom (very easy to miss) after the OS Auth UI goes away. The WebAuthn prompt is an OS prompt, not a Firefox one, but we do know that the promise is pending if that's useful. Or at least GeckoView does! It may not be available to the Fenix front end.

Keywords: csectype-spoof

The severity field is not set for this bug.
:jonalmeida, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jonalmeida942)
Severity: -- → S3
Priority: -- → P2
Flags: needinfo?(jonalmeida942)
Duplicate of this bug: 1871169
See Also: → CVE-2024-4766
See Also: → 1871217

Titouan's fix for bug 1874795 is expected to also fix this bug. Assigning this bug to Titouan as a reminder to test this bug's STR.

Assignee: nobody → tthibaud
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [group4]
Duplicate of this bug: 1883456

Priority P1 because this bug has been assigned to a squad/group.

Priority: P2 → P1
Duplicate of this bug: 1893622
See Also: → 1893622
Component: General → WebAuthn
See Also: → 1892296

Hello, any updates?

Polly has been working on a proposal for a way to fix all those issues more reliably. We'll bring more details here as soon as we have some results.

Assignee: tthibaud → nobody
Priority: P1 → P2

Polly: did your fix for bug 1892296 also fix this one? They look like they're the same bug, although the movie in the newer bug that you fixed was slightly more convincing.

Flags: needinfo?(polly)

Unfortunately, I think https://bugzilla.mozilla.org/show_bug.cgi?id=1892296 was only a partial fix. This bug has a subtly different timing sequence, which means it is still an issue. (I retested this in ff v128 to check.)

Flags: needinfo?(polly)
Depends on: CVE-2024-8388

I've retested this in the nightly (v130.0a1) and it looks like the fix for 1902996 has also resolved this.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Assignee: nobody → polly
Target Milestone: --- → 130 Branch
Flags: sec-bounty? → sec-bounty+

This bug will be referenced in the advisory for the fix (bug 1902996).

Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group4] → [client-bounty-form][group4][adv-main130-]
Group: core-security-release