Closed Bug 1875630 Opened 2 years ago Closed 2 years ago

The autocomplete input form has the potential to hide the addressbar after exiting fullscreen, leading to user confusion and spoofing

Categories

(Toolkit :: Autocomplete, defect)


RESOLVED DUPLICATE of bug 1828259

People

(Reporter: nandorejal, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

Attached video Omni.mov

Hello, I have identified a vulnerability in Firefox Browser version 121.0.1 where the autocomplete feature in the input can conceal the omnibox after exiting fullscreen, potentially leading to user confusion and spoofing.

Additional information :
I tested this on macOS.

Steps to reproduce:

  1. Open the exploit.html file.
  2. Follow the instructions on the page.

Actual result:
After exiting fullscreen, the autocomplete feature in the input hides the omnibox.

Expected result:
The autocomplete feature in the input should be hidden after exiting fullscreen.

Flags: sec-bounty?
Attached file exploit.html

This is for the exploit.html file

I can't reproduce the issue on Firefox 123 on MacOS. The test case doesn't look the same to me as the movie. It is missing the initial "Press / then Enter" directions, but instead starts on the "click me" state so maybe something is off there.

Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core

Edgar, does this sound like something we may have fixed already? I couldn't find anything in my autocomplete but maybe I was looking for the wrong thing. Thanks.

Flags: needinfo?(echen)

The spoof in the video looks good, so we should investigate and figure out what is going on here. The steps required are a little odd, but it doesn't look super complex.

Severity: -- → S2
Attached video Firefox 122 beta.mov

This is my newly attached video evidence, tested on version 122. Just for your information, in case there's a message on the page saying "press H, then press ESC", it might be beneficial to perform the action a bit more swiftly when in fullscreen mode. During my testing, I encountered the same issue where autocomplete didn't appear upon exiting fullscreen. I conducted a second test and found that triggering it

Summary: The autocomplete input form has the potential to hide the Omni Box after exiting fullscreen, leading to user confusion and spoofing of the user experience. → The autocomplete input form has the potential to hide the addressbar after exiting fullscreen, leading to user confusion and spoofing

I can mostly reproduce, except that for me the autocomplete is inside the content, not on top of the browser UI.

Note that I can't reproduce consistently; it does seem like the "press H, then press ESC" step needs to be timed right.

After conducting further research, I have found that this proof of concept (PoC) is superior to my initial video PoC. I have identified a key factor influencing its reproducibility: it is essential to maximize the browser window before executing the PoC. In my latest video demonstration, I tested this on Firefox Nightly version 123.0a1 (64-bit) and it was vulnerable too. In the first step, I clicked on the green button to maximize the browser window and then followed the instructions on the page. This adjustment makes the exploitation process significantly easier to trigger. And by the way, the video shows a new potential issue: the fullscreen notification is obscured by the autocomplete too.

(In reply to Rifa'i Rejal Maynando from comment #8)

In the first step, I clicked on the green button to maximize the browser window and then followed the instructions on the page. This adjustment makes the exploitation process significantly easier to trigger. And by the way, the video shows a new potential issue: the fullscreen notification is obscured by the autocomplete too.

Thanks! Now I can consistently reproduce it when the browser goes into browser full screen mode first.
It seems that a focus change would cause autocomplete to close, but in this case there is no focus change when entering/exiting DOM fullscreen.
Chrome also seems to close autocomplete when the window is resized; maybe we should consider doing the same.

Flags: needinfo?(echen)
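The root cause stated in the comment above, modelled as an added example (this is not Firefox's toolkit code, and the `window` and `input` objects below are constructed stand-ins using Node's built-in EventTarget): a popup controller whose only dismissal trigger is a focus change survives a DOM fullscreen round trip, because entering and exiting fullscreen never blurs the input. The second policy, which also dismisses on `resize` and `fullscreenchange` as the comment suggests Chrome does, closes it. The `AutocompletePopup` class, `closeOnResize` option and `runFullscreenRoundTrip` helper are assumptions made for the illustration.

```javascript
// Added example, not Firefox code: minimal model of an autocomplete popup
// controller, showing why a blur-only dismissal policy leaves the popup open
// across a DOM fullscreen enter/exit, and how a resize-aware policy closes it.
// Uses Node's global EventTarget/Event; `win` and `input` are constructed
// stand-ins for a browser window and a text input.

class AutocompletePopup {
  // closeOnResize: false = weak policy (blur only), true = hardened policy.
  constructor(input, win, { closeOnResize }) {
    this.open = false;
    input.addEventListener("focus", () => { this.open = true; });
    // Existing behaviour described in the bug: a focus change closes the popup.
    input.addEventListener("blur", () => { this.open = false; });
    if (closeOnResize) {
      // Hardened policy: the viewport geometry changed, so the rectangle the
      // popup was anchored to is stale; dismiss it instead of letting it float
      // over whatever UI (address bar, fullscreen notification) now occupies
      // that area. In a real page fullscreenchange fires on document; here both
      // events are dispatched on the same stand-in target for simplicity.
      win.addEventListener("resize", () => { this.open = false; });
      win.addEventListener("fullscreenchange", () => { this.open = false; });
    }
  }
}

// Build one constructed scenario: a window, an input, and a popup bound to them.
function makeScenario(closeOnResize) {
  const win = new EventTarget();
  const input = new EventTarget();
  const popup = new AutocompletePopup(input, win, { closeOnResize });
  return { win, input, popup };
}

// Replay the sequence from the report: focus the input (popup opens), enter
// DOM fullscreen, then exit it. Neither transition moves focus, so no blur
// event fires; both transitions resize the viewport.
function runFullscreenRoundTrip(closeOnResize) {
  const { win, input, popup } = makeScenario(closeOnResize);
  const trace = [];
  input.dispatchEvent(new Event("focus"));
  trace.push(`after focus: open=${popup.open}`);
  for (const phase of ["enter", "exit"]) {
    win.dispatchEvent(new Event("fullscreenchange"));
    win.dispatchEvent(new Event("resize"));
    trace.push(`after ${phase} fullscreen: open=${popup.open}`);
  }
  return { stillOpen: popup.open, trace };
}

// Stand-alone run: the weak policy leaves the popup open, the hardened one closes it.
for (const closeOnResize of [false, true]) {
  const { stillOpen, trace } = runFullscreenRoundTrip(closeOnResize);
  console.log(`closeOnResize=${closeOnResize}: ${trace.join("; ")} -> stillOpen=${stillOpen}`);
}
```

The model deliberately omits the timing sensitivity the reporter and Edgar mention; it only shows that with the blur-only policy there is no event at all in the fullscreen round trip that would close the popup, which is why the window having to be maximized first matters only for how the stale popup ends up positioned, not for whether it stays open.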

(In reply to Andrew McCreight [:mccr8] from comment #2)

I can't reproduce the issue on Firefox 123 on MacOS. The test case doesn't look the same to me as the movie. It is missing the initial "Press / then Enter" directions, but instead starts on the "click me" state so maybe something is off there.

Additional information: I have already uploaded the exploit on my website https://fullscripttest.000webhostapp.com/download.html, and the issue of missing 'Press / then Enter' has been fixed. This is an even better scenario.

I think this is a duplicate of bug 1828259.

Make sure to check it again; there might be a difference in the reproduction method.

(In reply to Rifa'i Rejal Maynando from comment #12)

Make sure to check it again; there might be a difference in the reproduction method.

The root cause is the same and bug 1837581 is also marked as duplicate of bug 1828259.

Group: dom-core-security → firefox-core-security
Component: DOM: Core & HTML → Autocomplete
Product: Core → Toolkit
Depends on: CVE-2024-5698
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2024-5698
Resolution: --- → DUPLICATE
Severity: S2 → --
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security