Closed Bug 1873367 Opened 1 year ago Closed 1 year ago

The Drive link may obscure the fullscreen notification on the mobile browser.

Categories

(Firefox for Android :: Browser Engine, defect, P2)

Firefox 121
defect

Tracking


RESOLVED FIXED
130 Branch
Tracking Status
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: nandorejal, Assigned: polly)

References

(Depends on 1 open bug)

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [client-bounty-form][group4][adv-main130-])

Attachments

(4 files)

Attached file drive.html

I discovered a vulnerability and tested it on the Firefox Android browser (version 121.0.1, Build #2015995071). The Google Drive link popup can cover the fullscreen notification, potentially leading to user spoofing.

Requirements:

  1. Synchronize more than 7-8 Gmail accounts, ensuring that the popup effectively covers the fullscreen notification.
  2. Configure the browser to permit the opening of external applications. Access the Advanced Browser Settings, search for the option "open the link in the application" and select the "always" option.

Steps to reproduce:

  1. Open the exploit file.
  2. Click the button.
  3. Observe that the Gmail account popup covers the fullscreen notification.
Flags: sec-bounty?
Attached video drive spoof.mp4

And this is the video proof of concept (PoC).

Group: firefox-core-security → mobile-core-security
Component: Security → Browser Engine
Product: Firefox → Fenix
Version: unspecified → Firefox 121
Attached video on chrome mobile.mp4

When testing on another browser, such as Chrome, fullscreen mode isn't triggered.

On desktop we leave fullscreen when the new tab opens.

I'm curious about the Chrome behaviour - from just seeing the screen recording, my guess would be that they consume the transient user gesture activation when the link is clicked to open the tab (in the background, in Chrome, apparently?) and then the request to go fullscreen is denied. But it's hard to be sure this is what's happening without being able to see the developer console for the browser at the same time or something. Edgar, do you know what's supposed to happen here?

Flags: needinfo?(echen)
Severity: -- → S3
Priority: -- → P2

Chrome consumes the user activation when clicking a link that would open a new tab or an external application; we probably would like to do the same, see bug 1877430.

Depends on: 1877430
Flags: needinfo?(echen)
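The gating that the previous comment describes can be written down as a small model of the HTML transient-activation state: a click grants activation, requestFullscreen() needs it, and the question is whether following a link that opens a new tab or an external application consumes it before the fullscreen request runs. The block below is an added illustration, not the attached drive.html and not Firefox or Chrome code; the class and function names, the "consumeOnOpen" switch and the Drive URL are assumptions made for the example.

```javascript
// Model of transient user activation as it matters for this bug.
// Added example; not code from the bug report or from Gecko/Chromium.
class TransientActivation {
  constructor() {
    this.active = false;
  }
  // A user gesture (the button click in the STR) grants activation.
  grant() {
    this.active = true;
  }
  has() {
    return this.active;
  }
  // Activation-consuming APIs clear the flag; returns whether it was set.
  consume() {
    const had = this.active;
    this.active = false;
    return had;
  }
}

// Simulate the click handler of a page that first opens an external link and
// then asks for fullscreen. consumeOnOpen=false models the pre-fix behaviour
// (link open leaves activation intact); consumeOnOpen=true models the
// behaviour comment 4 attributes to Chrome and proposes for Firefox.
function runClickHandler({ consumeOnOpen }) {
  const activation = new TransientActivation();
  const events = [];

  // Following a link that leaves the page (new tab or external app intent).
  function openExternalLink(url) {
    events.push(`open:${url}`);
    if (consumeOnOpen) {
      activation.consume();
    }
  }

  // requestFullscreen() as gated by transient activation; modelled here as
  // also consuming the activation once it succeeds (assumption of the model).
  function requestFullscreen() {
    if (!activation.has()) {
      events.push("fullscreen:denied");
      return false;
    }
    activation.consume();
    events.push("fullscreen:granted");
    return true;
  }

  activation.grant(); // the user's click arrives
  openExternalLink("https://drive.google.com/"); // hypothetical target
  const granted = requestFullscreen();
  return { granted, events };
}

// Convenience: what the attack needs is "link opened AND fullscreen granted".
function spoofPossible(opts) {
  const result = runClickHandler(opts);
  return result.granted && result.events[0].startsWith("open:");
}
```

With consumeOnOpen set to false the handler both opens the link and enters fullscreen, which is the state in which an overlay from the opened application can sit on top of the fullscreen notification; with it set to true the fullscreen request is refused because the activation was already spent on the link open, which is the outcome the previous comment describes for Chrome.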

Titouan's fix for bug 1874795 is expected to also fix this bug. Assigning this bug to Titouan as a reminder to test this bug's STR.

Assignee: nobody → tthibaud
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [group4]
Keywords: sec-low

Priority P1 because this bug has been assigned to a squad/group.

Priority: P2 → P1
Assignee: tthibaud → nobody
Priority: P1 → P2
Depends on: CVE-2024-8388

Tested on Nightly 130.0a1; not reproducible in this build.
The fullscreen notification appears on top of the other UI.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Assignee: nobody → polly
Group: mobile-core-security → core-security-release
Target Milestone: --- → 130 Branch

Is my report eligible for a CVE and a bounty?

Flags: needinfo?(polly)

Hi, I don't think I can answer that question, sorry!
But I found this doc which talks about a form you can fill in to request a bounty, if that helps!

Flags: needinfo?(polly)

Could you please explain in more detail how this spoof works. We cannot reproduce this and the video seems to be showing a <select> hiding the notification and nothing related to drive.

Flags: needinfo?(nandorejal)

(In reply to Simon Friedberger (:simonf) from comment #10)

Could you please explain in more detail how this spoof works. We cannot reproduce this and the video seems to be showing a <select> hiding the notification and nothing related to drive.

You should set this to always first, and then reproduce my issue.

Flags: needinfo?(nandorejal)

(In reply to Rifa'i Rejal Maynando from comment #8)

Is my report eligible for a CVE and a bounty?

This is not eligible for a CVE because it was fixed as part of an implementation change (bug 1902296) that already has an overall CVE. This is just one way to demonstrate the flaw that was fixed, but CVEs are associated with fixes, not PoCs/symptoms.

As a spoof this is only limited because the preconditions are pretty strict. Most users who have only one Google account will never get this picker. If you continue on to the content and then come back to Firefox you appear to be dropped out of fullscreen. The only time I've reproduced the attack was if I clicked "cancel" on the multiple google account picker. But yes, we do think this should get a low bounty.

Flags: sec-bounty? → sec-bounty+

Hello Daniel, how can I claim my bounty?

Flags: needinfo?(dveditz)

This bug will be referenced in the advisory for the fix (bug 1902996)

Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group4] → [client-bounty-form][group4][adv-main130-]

(In reply to Rifa'i Rejal Maynando from comment #13)

Hello Daniel, how can I claim my bounty?

I believe this has been addressed in mail since this request

Flags: needinfo?(dveditz)
Group: core-security-release