Closed Bug 1865465 Opened 1 year ago Closed 1 year ago

PopupNotifications Clickjacking: Bypass full screen prompt restrictions (Bug 1522120) and extended security delay (Bug 1857430)

Categories

(Toolkit :: PopupNotifications and Notification Bars, defect)

RESOLVED DUPLICATE of bug 1865914

People

(Reporter: sas.kunz, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files, 1 obsolete file)

Attached video bandicam 2023-11-18 17-07-17-233.mp4 (obsolete)

I found a vulnerability where a user can fall for clickjacking to allow camera permission or other permissions.

I tested on Firefox version: Developer Edition 120.0b9 (64-bit)

Steps to reproduce:

  1. Open clickjackingfirefox.html
  2. Click on "To Play The Game Please Read Instruction" button then close/back to clickjackingfirefox.html page
  3. Click on "Click 2-3 times ................................." button 2-3 times

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1826116
https://bugzilla.mozilla.org/show_bug.cgi?id=1857430

Flags: sec-bounty?

This vulnerability is not only clickjacking, but the permission prompt can also obscure the fullscreen notification.

Steps to reproduce:

  1. Open clickjackingfirefox.html
  2. Click on "To Play The Game Please Read Instruction" button then close/back to clickjackingfirefox.html page
  3. Click on "Click 2-3 times ................................." button 2-3 times
Attachment #9364290 - Attachment is obsolete: true
Component: Security → Site Permissions
See Also: → CVE-2023-6206

The partial obscuring of the full screen notification doesn't seem like too much of an issue.

It seems like the clickjacking relies on the user leaving the permission prompt up for a long time which doesn't seem too realistic, and the user has to also keep clicking through the weird flashing from the full screen transition. That being said, it doesn't seem great that we move the prompt and it retains the activation time.

Keywords: sec-moderate

This bypasses leaving full screen when a permission prompt shows (Bug 1522120) and therefore also the extended security delay we would apply in this case (Bug 1857430).

See Also: → 1522120
Summary: Clickjacking of permission prompts for camera, microphone, etc → PopupNotifications Clickjacking: Bypass full screen prompt restrictions (Bug 1522120) and extended security delay (Bug 1857430)
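
The timing issue discussed in the comments above (a prompt that moves but keeps its original activation time), modelled as an added example that is not part of the bug report and is not Firefox's code. The event names, the `PromptGuard` class and both delay values are assumptions made for illustration.

```javascript
// Added illustration; a simplified model, not Firefox's PopupNotifications code.
// Both delay values are assumptions chosen for the example.
const BASE_DELAY_MS = 500;        // normal delay before the prompt accepts input
const FULLSCREEN_DELAY_MS = 2000; // extended delay after a fullscreen change

class PromptGuard {
  constructor(resetOnChange) {
    this.resetOnChange = resetOnChange; // false models the retained activation time
    this.activeSince = null;
    this.requiredDelay = BASE_DELAY_MS;
  }
  handle(event) {
    switch (event.type) {
      case "shown":
        this.activeSince = event.t;
        this.requiredDelay = BASE_DELAY_MS;
        return null;
      case "moved": // prompt re-anchored to a different position
        if (this.resetOnChange) this.activeSince = event.t;
        return null;
      case "fullscreenchange":
        if (this.resetOnChange) {
          this.activeSince = event.t;
          this.requiredDelay = FULLSCREEN_DELAY_MS;
        }
        return null;
      case "click":
        return this.activeSince !== null &&
          event.t - this.activeSince >= this.requiredDelay;
      default:
        throw new Error(`unknown event type: ${event.type}`);
    }
  }
}

// Returns the timestamps of the clicks the prompt would have accepted.
function acceptedClicks(events, resetOnChange) {
  const guard = new PromptGuard(resetOnChange);
  return events.filter((e) => guard.handle(e) === true).map((e) => e.t);
}

// Constructed timeline (milliseconds): the prompt sits open for a long time,
// then the fullscreen state changes and the prompt moves just before a click.
const TIMELINE = [
  { type: "shown", t: 0 },
  { type: "fullscreenchange", t: 10000 },
  { type: "moved", t: 10050 },
  { type: "click", t: 10100 },
  { type: "click", t: 12100 },
];
```

With `resetOnChange` set to `false` the click 50 ms after the move is accepted because the clock still counts from the first display; with `true` only the later click passes the restarted, extended delay.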

Verified fixed by Bug 1865914. Tested on Nightly 122.0a1 (2023-12-03) (64-bit) on Windows 11.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1865914
Resolution: --- → DUPLICATE

Hi pbz, this bug has an ID earlier than 1865465. How do you say this is a duplicate?

Flags: needinfo?(pbz)
Flags: needinfo?(dveditz)

I reported with ID 1865465; it is earlier than 1865914.

Status: RESOLVED → REOPENED
No longer duplicate of bug: 1865914
Resolution: DUPLICATE → ---

I'm only duping this on Bug 1865914 since that's where the fix landed. This is done purely for practical reasons and doesn't have anything to do with bug bounty considerations. I'll make sure Dan is aware of that.

Status: REOPENED → RESOLVED
Closed: 1 year ago → 1 year ago
Duplicate of bug: 1865914
Flags: needinfo?(pbz)
Resolution: --- → DUPLICATE
Component: Site Permissions → PopupNotifications and Notification Bars
Product: Firefox → Toolkit
Flags: needinfo?(dveditz)
See Also: → CVE-2023-32207
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security → core-security-release
Group: core-security-release