Android- Select option hides fullscreen notification lead to spoof
Categories
(Firefox for Android :: General, defect, P3)
People
(Reporter: sas.kunz, Assigned: polly)
Details
(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main130-])
Attachments
(6 files, 2 obsolete files)
I found a vulnerability in Firefox Android where a select option can cover fullscreen notifications, which can lead to spoofs. I tested after the fix: https://github.com/mozilla-mobile/firefox-android/pull/1133 (https://bugzilla.mozilla.org/show_bug.cgi?id=1819254)
Steps to reproduce:
- open http://103.186.0.20/fullscreenbkp4.html or firefox.html
- use left finger to tap the text box, use right finger to tap select option
OS: Android 12 (Samsung M31)
I attached the PoC video files.
Thank you
Comment 2•1 year ago
Technically the toast is shown, but it's only a few frames in the video and easy to miss.
Drop out of fullscreen if someone uses select? fullscreen for <video> tags only! (ha ha only serious)
Is this still an issue? Apparently the firefox fullscreen notification comes above the "select option" dialog for me
Have you tried the second step in the first comment?
I can't access your video, I tried again in version 124 and it worked.
1. open http://103.186.0.20/fullscreenbkp4.html or firefox.html
2. use left finger to tap the text box at bottom of select option then use right finger to tap select option
Titouan, Polly, I know you guys are working on something very similar. Do you think your fix will resolve this issue as well?
Comment 8•1 year ago (Assignee)
No, unfortunately I don't think our existing fixes will cover this use case.
I'm not actually able to repro this one on a Samsung S24 or a Pixel 8 (both on Android 14) - I see the full screen notification appear above the select dialog.
We can take a bit more of a look on some other devices next week.
Comment 9•1 year ago
I can't reproduce it either. I tried on a Samsung Galaxy Tab A (SM-T510), Android 11, Firefox Nightly 127.0a1. The "Entering fullscreen" snackbar appears on top of the select dialog.
Hafiizh, can you still reproduce it?
Comment 10•1 year ago (Reporter)
Hi, I can still reproduce it. I updated the PoC:
1. open selectopt.html or open http://103.186.0.20/selectopt.html
2. double tap on textbox
Comment 11•1 year ago (Reporter)
I tested on my device, a Samsung M31 (Android 12), on Firefox Nightly version 127.0a1.
Comment 14•10 months ago
Polly is working on a broader patch that might also fix this one. We need to re-test this STR after her patch has landed.
Comment 15•9 months ago (Assignee)
retested on nightly 130.0a1, no longer reproducible
Comment 16•9 months ago (Reporter)
I don't understand your fix again reappears the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1823316. Is there no solution to fix this bug?
Comment 17•9 months ago (Assignee)
(In reply to Hafiizh from comment #16)
> I don't understand your fix again reappears the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1823316. Is there no solution to fix this bug?
If I understand correctly, the linked issue is about a background thread "toast burst" attack in Android. This was fixed in Android 12, which was released in 2021. Since then there has been plenty of time for manufacturers of devices running lower than 12 to provide OS-level security patches against this vulnerability, and for users to apply security patches.
Comment 18•9 months ago (Reporter)
what I mean is not comment 4 in this bug but comment 4 in the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1839074 and comment 6 of the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1839074 on comment 1 in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1839074 it says "Fenix for Android is vulnerable to a Fullscreen spoofing attack, where an attacker could launch the print() function in Fullscreen. Despite the victim seeing the Fullscreen toast notification, attempting to exit by using the back button or gestures only exits the print() screen and not Fullscreen, leaving the victim trapped in Fullscreen mode. This misleading exit from Fullscreen can be exploited by the attacker to display a spoofed page." and your fix should exit fullscreen mode when going to window.print and the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1839074 was created after the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1823316 fixed
Comment 19•8 months ago
This bug will be referenced in the advisory for the fix (bug 1902996)