Firefox external protocol handler prompt is vulnerable to clickjacking
Categories
(Firefox :: File Handling, defect, P2)
Tracking
()
People
(Reporter: fazim.pentester, Assigned: Gijs)
References
Details
(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main124+][adv-esr115.10+])
Attachments
(6 files)
Opening a popup and initiating protocol URI on a hidden window; an attacker can lure the vicitim to clickjack the protocol handler prompt to allow the protocol unknowingly.
Steps to reproduce:
- Download index.html and popup.html to a folder.
- Open the index.html and start testing.
|
Reporter | |
Comment 1•1 year ago
|
||
|
|
Reporter | |
Comment 2•1 year ago
|
||
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 3•1 year ago
|
||
This prompt could be using shared code with the other vulnerable prompts... might be a duplicate in the end. But it's also possible the prompt was simply made following the same style guidelines.
|
||
Comment 4•1 year ago
|
||
The severity field is not set for this bug.
:Gijs, could you have a look please?
For more information, please visit BugBot documentation.
|
|
Reporter | |
Comment 5•1 year ago
|
||
Hi, friendly ping.
|
|
Assignee | |
Comment 6•1 year ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3)
This prompt could be using shared code with the other vulnerable prompts... might be a duplicate in the end. But it's also possible the prompt was simply made following the same style guidelines.
The prompt is already using the shared enable delay helper, but the delay helper doesn't detect that the dialog is opened inside a window that is inactive, and so the initial prompt delay expires while the popup window is obscuring the dialog. Then a focus event would re-enable the delay, but that focus event doesn't arrive before the click on the button, but after.
The straightforward fix is to make the enable delay not start "ticking" if the focus target's window is not the active window. This will keep the button disabled if the dialog/window is opened in the background.
The somewhat scary thing here is that this will affect all the consumers of the shared enable delay helper... and I don't know off-hand if there are edgecases where this wouldn't work well.
|
|
Assignee | |
Comment 7•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
||
Comment 9•1 year ago
|
||
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 10•1 year ago
|
||
For just the protocol handler prompt this is not that severe a problem, but since it affects other prompts as well this is a good solid find.
|
||
Updated•1 year ago
|
|
|
Reporter | |
Comment 11•1 year ago
|
||
Thank you.
|
||
Comment 12•11 months ago
|
||
Do we want this on ESR115 also? Please nominate if so - it grafts cleanly.
|
|
Assignee | |
Comment 13•11 months ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
Do we want this on ESR115 also? Please nominate if so - it grafts cleanly.
I'd want this to bake on release at least for a bit before uplifting as I'm nervous we inadvertently break something here. Focus management is always finnicky/surprising. Ask me again 4 weeks after 124 has been released? :-)
|
||
Updated•11 months ago
|
|
||
Comment 15•11 months ago
|
||
I am attempting to reproduce this issue in Windows10 and MacOS11, but the protocol handler prompt does not appear on the first window when the "Open Popup" button is clicked in an affected build (Release v122.0.1 or v123.0.1 or Nightly v124.0a1 from 2024-01-28). It would appear as if the test page is not working correctly.
@Gijs: Do you know why this happens? Is there some precondition I might be missing out on? Thank you.
|
|
Reporter | |
Comment 16•11 months ago
|
||
(In reply to Daniel Bodea [:danibodea] from comment #15)
I am attempting to reproduce this issue in Windows10 and MacOS11, but the protocol handler prompt does not appear on the first window when the "Open Popup" button is clicked in an affected build (Release v122.0.1 or v123.0.1 or Nightly v124.0a1 from 2024-01-28). It would appear as if the test page is not working correctly.
@Gijs: Do you know why this happens? Is there some precondition I might be missing out on? Thank you.
In the above proof-of-concept, I have used the VSCode protocol handler, so the victim should have installed the VSCode editor as a precondition for this exploit to work. However, there are other protocol handlers that support various applications or OS features.
|
|
Assignee | |
Comment 17•11 months ago
|
||
(In reply to Daniel Bodea [:danibodea] from comment #15)
I am attempting to reproduce this issue in Windows10 and MacOS11, but the protocol handler prompt does not appear on the first window when the "Open Popup" button is clicked in an affected build (Release v122.0.1 or v123.0.1 or Nightly v124.0a1 from 2024-01-28). It would appear as if the test page is not working correctly.
@Gijs: Do you know why this happens? Is there some precondition I might be missing out on? Thank you.
I think comment 16 answered this but if not please let me know.
|
|
||
Comment 18•11 months ago
|
||
|
|
||
Comment 19•11 months ago
|
||
I can confirm the issue, more exactly, I can confirm that the dialog can be "accidentally" confirmed if the second click falls on the confirmation button, in Nightly v124.0a1 from 2024-02-12. Furthermore, I can confirm the fix. This fix disabled the button in the first moments of the window being focused so it does not allow the user to click it. This behavior helps exclude the "accidental" second click. This fix has been verified in Windows 10 and MacOS 11.
|
||
Updated•11 months ago
|
|
|
||
Comment 20•11 months ago
|
||
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 21•11 months ago
|
||
Fixing up flags.
|
|
||
Comment 22•10 months ago
|
||
Circling back to this, how are we feeling about an ESR backport?
|
|
Assignee | |
Comment 23•10 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D200165
|
|
||
Updated•10 months ago
|
|
|
||
Comment 24•10 months ago
|
||
esr115 Uplift Approval Request
- User impact if declined: sec-moderate
- Code covered by automated testing: no
- Fix verified in Nightly: yes
- Needs manual QE test: yes
- Steps to reproduce for manual QE testing: see earlier comments in the bug
- Risk associated with taking this patch: Low-ish
- Explanation of risk level: , small change that has baked on release for a bit now
- String changes made/needed: No
- Is Android affected?: no
|
|
Assignee | |
Updated•10 months ago
|
|
|
||
Updated•10 months ago
|
|
|
||
Updated•10 months ago
|
|
||
Comment 25•10 months ago
|
||
| uplift | ||
|
||
Updated•10 months ago
|
|
||
Updated•10 months ago
|
|
|
||
Comment 26•10 months ago
|
||
I have also confirmed the fix in ESR v115.10.0esr on Windows 10 and MacOS 11. The behavior after the fix is described in comment 19.
|
|
||
Updated•10 months ago
|
|
|
||
Updated•10 months ago
|
|
||
Updated•8 months ago
|
|
|
||
Updated•8 months ago
|
|
|
||
Updated•5 months ago
|
Description
•