Closed Bug 1866592 Opened 2 years ago Closed 2 years ago

Clickjacking of permission prompts for camera, microphone, geolocation via full screen +window popup

Categories

(Toolkit :: PopupNotifications and Notification Bars, defect)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1865914

People

(Reporter: sas.kunz, Unassigned)

Details

(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

I found a vulnerability where a user can fall for clickjacking to allow the location permission.

I tested on Firefox version 122.0a1 (2023-11-22) (64-bit)

steps to reproduce:

  1. Open clikjak.html
  2. Quickly click the "Click fastly" button without moving the mouse; the location permission will then be allowed
Flags: sec-bounty?
Attached file clikjak.html
Component: Security → Site Permissions
Keywords: dupeme

The PoC does not work on my machine. The prompt does not appear at the mouse cursor position. Looking at the code and the video this is yet another bypass of the extra security delay added in Bug 1857430. This time the popup requests a permission during a full screen transition.

While the method of getting a full screen transition overlap is slightly different, one could argue that this is effectively a dupe of Bug 1865914, Bug 1867192, Bug 1865465 or Bug 1866210. Gijs, what do you think? At what point should we treat it as a dupe? Should we treat all bugs that create a race condition between full screen transition and PopupNotification as one bug?

The patches in Bug 1865914 fix this bug.

Flags: needinfo?(gijskruitbosch+bugs)
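The triage comment above describes the mechanism only in one sentence: the page requests a permission while a full screen transition is in progress, so the extra security delay on the prompt runs out while the prompt is not yet visible under the cursor. The following is an added example, not the attached PoC (clikjak.html) and not Firefox's PopupNotifications code; it is a small timing model of that race, with a weak policy (delay starts when the prompt is requested and is never restarted) beside a hardened one (delay restarts when the prompt re-appears after the transition). The delay value, the event names and the reset policy are assumptions made for illustration, not the actual patch from bug 1865914.

```javascript
// Added example for bug 1866592; NOT the attached PoC and NOT Firefox code.
// Models a permission prompt's security delay and the race with a
// fullscreen transition. Delay value, events and reset policy are assumed.

const SECURITY_DELAY_MS = 500; // assumed value, not the real Firefox pref

class PromptModel {
  // resetOnTransitionEnd selects the hardened policy (an assumption, not the
  // real fix): restart the delay when the prompt re-appears after a
  // fullscreen transition, since its position relative to the cursor changed.
  constructor({ resetOnTransitionEnd = false } = {}) {
    this.resetOnTransitionEnd = resetOnTransitionEnd;
    this.now = 0;            // simulated clock in ms
    this.prompt = null;      // { name, armedAt } or null
    this.promptVisible = false;
    this.inTransition = false;
    this.granted = [];
  }

  tick(ms) { this.now += ms; }

  // Page calls e.g. navigator.geolocation.getCurrentPosition(): a prompt is
  // created and its security delay starts immediately, whether or not the
  // user can currently see it.
  requestPermission(name) {
    this.prompt = { name, armedAt: this.now + SECURITY_DELAY_MS };
    this.promptVisible = !this.inTransition;
  }

  // Fullscreen transition: window content, including any prompt, is covered
  // until the transition ends.
  beginFullscreenTransition() {
    this.inTransition = true;
    this.promptVisible = false;
  }

  endFullscreenTransition() {
    this.inTransition = false;
    if (this.prompt) {
      this.promptVisible = true;
      if (this.resetOnTransitionEnd) {
        this.prompt.armedAt = Math.max(this.prompt.armedAt,
                                       this.now + SECURITY_DELAY_MS);
      }
    }
  }

  // A click landing on the prompt's "Allow" button; true if it is honoured.
  clickAllow() {
    if (!this.prompt || !this.promptVisible) return false;
    if (this.now < this.prompt.armedAt) return false; // still inside the delay
    this.granted.push(this.prompt.name);
    this.prompt = null;
    this.promptVisible = false;
    return true;
  }
}

// The race: permission requested during the transition, transition outlasts
// the delay, user's rapid click lands as soon as the prompt becomes visible.
function runRace({ resetOnTransitionEnd }) {
  const m = new PromptModel({ resetOnTransitionEnd });
  m.beginFullscreenTransition();
  m.requestPermission('geolocation');
  m.tick(SECURITY_DELAY_MS + 100);  // delay expires behind the transition
  m.endFullscreenTransition();
  m.tick(10);                       // "Click fastly"
  return m.clickAllow();
}

// The hardened policy must still let a patient user grant the permission.
function runLegitimateGrant() {
  const m = new PromptModel({ resetOnTransitionEnd: true });
  m.beginFullscreenTransition();
  m.requestPermission('geolocation');
  m.tick(SECURITY_DELAY_MS + 100);
  m.endFullscreenTransition();
  m.tick(SECURITY_DELAY_MS);        // waits out the restarted delay
  return m.clickAllow();
}

console.log('weak policy, race click accepted:',
            runRace({ resetOnTransitionEnd: false }));
console.log('hardened policy, race click accepted:',
            runRace({ resetOnTransitionEnd: true }));
console.log('hardened policy, legitimate click accepted:',
            runLegitimateGrant());
```

The point the model makes is the one the triage comment relies on: a delay that is measured from when the prompt is requested, rather than from when the user can actually see it in its final position, gives no protection if something (here a fullscreen transition) hides or moves the prompt for longer than the delay. Any event that changes where the prompt sits relative to the cursor is a candidate for restarting the timer.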

I'd dupe to bug 1865914 because it's almost the same issue and the patch there fixes it.

Flags: needinfo?(gijskruitbosch+bugs)

Should we treat all bugs that create a race condition between full screen transition and PopupNotification as one bug?

I'd say yes - at least the ones that got filed after our first attempt to fix that issue, where then it got pointed out it wasn't fixed yet (obviously those should not be duped to the previous unsuccessfully-fixed bug!)

If the fix is the same as bug 1865914, isn't my bug Bug 1865465 earlier than 1865914?

At what point should we treat it as a dupe? Should we treat all bugs that create a race condition between full screen transition and PopupNotification as one bug?

As described above they are the same ("a race condition") and a single fix covers them. The other bugs might be interesting for test cases as ways to trigger the race condition, but it's all one bug unless your "single fix" is special casing each different feature (which it isn't).

Important: only dupe if you prove that fix does fix them! Now that we have the patch you can do that. Before you have a patch, if we're in the "we THINK these will be fixed by..." stage then security bugs should use "depends on" instead.

I don't know; I cannot access bug 1865914 because on my other report https://bugzilla.mozilla.org/show_bug.cgi?id=1866592, in comment 4, it said dupe of 1865914.

(In reply to Daniel Veditz [:dveditz] from comment #7)

At what point should we treat it as a dupe? Should we treat all bugs that create a race condition between full screen transition and PopupNotification as one bug?

As described above they are the same ("a race condition") and a single fix covers them. The other bugs might be interesting for test cases as ways to trigger the race condition, but it's all one bug unless your "single fix" is special casing each different feature (which it isn't).

Important: only dupe if you prove that fix does fix them! Now that we have the patch you can do that. Before you have a patch, if we're in the "we THINK these will be fixed by..." stage then security bugs should use "depends on" instead.

If a single fix covers them, it should be that bug 1865914 depends on 1865465, because I reported it earlier.

Duping since the fix landed in Bug 1865914.

The PoC is really hard to reproduce on machines with even slightly different screens / resolutions, because of how the button position is set. I had to change the popup position to left=1200 to make it work on my machine. I've verified that Bug 1865914 fixes the clickjacking issue on Nightly 122.0a1 (2023-12-03) (64-bit) on Windows 11.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1865914
Resolution: --- → DUPLICATE
Component: Site Permissions → PopupNotifications and Notification Bars
Product: Firefox → Toolkit
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security → core-security-release
Group: core-security-release