Closed Bug 1871214 (CVE-2024-4766) Opened 9 months ago Closed 5 months ago

Android - Webshare dialog hides fullscreen notification, leading to spoof

Categories

(Fenix :: General, defect, P1)

Tracking

(firefox125 wontfix, firefox126+ fixed, firefox127+ fixed, firefox132 verified)

VERIFIED FIXED
127 Branch

People

(Reporter: sas.kunz, Assigned: pollymce)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group4][qa-triaged] [adv-main126+])

Attachments

(6 files, 1 obsolete file)

I found a vulnerability in Firefox Android where a webshare dialog can cover fullscreen notifications, which can lead to spoofs.

Steps to reproduce:

  1. Open http://103.186.0.20/webshare.html or webshare.html
  2. Double tap on the button

OS: Android 12 (Samsung M31)

Flags: sec-bounty?
Attached file webshare.html

Steps to reproduce:

  1. Open https://103.186.0.20/webshare.html or webshare.html
  2. Double tap on the button
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix
See Also: → 1871217

I'll mark this sec-high for now, but it kind of feels like the same basic issue as bug 1871217, because we've got a system prompt that is doing the overlapping.

Priority: -- → P2
Severity: -- → S2
Duplicate of this bug: 1878043

Titouan's fix for bug 1874795 is expected to also fix this bug. Assigning this bug to Titouan as a reminder to test this bug's STR.

Assignee: nobody → tthibaud
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [group4]
Duplicate of this bug: 1883468
Duplicate of this bug: 1885793

Comment on attachment 9398329 [details]
Bug 1871214 - improve share interaction with fullscreen

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It would be quite difficult. It's a one-line change to exit fullscreen before the share dialog is shown, and there is no indication in the code as to why we are doing that.
    Even if a malicious actor figured out how to exploit this, it would be a lot of work to take advantage of it. They would need to build a website that perfectly mimicked the Firefox Android chrome. It would be difficult to get something web-based that looked exactly like the Android native UI components across a range of Android OS versions and manufacturers, where there are a lot of visual differences.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all of these, and yes
  • If not all supported branches, which bug introduced the flaw?: n/a
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: It's a very small change and we don't think it's very risky, but would be great to test a bit around sharing.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9398329 - Flags: sec-approval?
Assignee: tthibaud → polly

Priority P1 because this bug has been assigned to a squad/group.

Priority: P2 → P1

Why do we have the fullscreen toast buried at the bottom of the screen? If it were at the top it wouldn't be behind many of the OS permission prompts (though that could change on different Android versions). And on modern tall-and-skinny Android phones it's very easy to miss things happening at the other end of the phone from where your attention is. We don't want what is supposed to be an attention-grabbing notification playing wallflower near the edge of the screen—it could move more toward the center. And consider making the placement depend on where the user is interacting with the content and show the toast at the top or bottom according to which is closer to that interaction.

There's no OS where people double-click on buttons. The need for two clicks means you need to construct an engaging spoof and that limits the impact to those who will engage with the content; sec-high bugs require "normal web interaction". I'm lowering the severity here to sec-moderate.

Keywords: sec-high → sec-moderate

Comment on attachment 9398329 [details]
Bug 1871214 - improve share interaction with fullscreen

sec-approval+ = dveditz

Attachment #9398329 - Flags: sec-approval? → sec-approval+

Thanks Daniel for the update!
We could move the fullscreen notification message; we provide this UI in the Fenix code. However, on Android it is more common to get important system notification messages delivered to the bottom of the screen, as this is usually where a user's eyes and thumbs are focused - see the Material Design docs here. So I am inclined to leave it where it is.
It's an interesting idea to place it based on where the user is interacting most with the content, but I'm not sure how we would best determine the location of maximal interaction, and I wonder if it would have as much impact if the notification moved between the top or bottom of the screen.
I am hoping this is ok as you have already given sec approval but happy to discuss further if you would like!

Pushed by pmceldowney@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/04a668ef9c90 improve share interaction with fullscreen r=android-reviewers,twhite
Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch

The patch landed in nightly and beta is affected.
:pollymce, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox126 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(polly)

I think based on Daniel's comment above: https://bugzilla.mozilla.org/show_bug.cgi?id=1871214#c11
this probably doesn't require an uplift as it's been marked sec-moderate. But please chip in if you disagree!

Flags: needinfo?(polly) → needinfo?(dveditz)

(In reply to Polly McEldowney [:pollymce] from comment #17)

I think based on Daniel's comment above: https://bugzilla.mozilla.org/show_bug.cgi?id=1871214#c11
this probably doesn't require an uplift as it's been marked sec-moderate. But please chip in if you disagree!

For security bugs, we aim to uplift them to beta so the delta of exposure is lowered. (difference in time landing in central to being released)

Ah ok - thanks for the clarification, Donal! I'll sort that out now :)

Flags: needinfo?(dveditz)
Attachment #9399369 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: sec bug would still exist
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: described in bug
  • Risk associated with taking this patch: low
  • Explanation of risk level: it's a small one-line change
  • String changes made/needed: no
  • Is Android affected?: yes
Flags: qe-verify+
Attachment #9399368 - Attachment is obsolete: true
Attachment #9399369 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group4] → [reporter-external] [client-bounty-form] [verif?] [group4][qa-triaged]
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group4][qa-triaged] → [reporter-external] [client-bounty-form] [verif?] [group4][qa-triaged] [adv-main126+]
Alias: CVE-2024-4766
Group: core-security-release

Verified as fixed on the Fenix Nightly 132.0a1 from 9/23 with Google Pixel 6 (Android 15).

Status: RESOLVED → VERIFIED
Flags: qe-verify+