Permission Dialog allows to conduct Full Screen Spoof attack without notification on Android Firefox Nightly
Categories
(Fenix :: General, defect)
Tracking
(Not tracked)
People
(Reporter: proof131072, Unassigned, NeedInfo)
Details
(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(5 files)
We can launch Permission Dialog such as camera, as soon as user enter to full screen mode resulting to hiding notification with full spoof.
- Steps to reproduce:
Open https://pwning.click/camfullnoti.php and tap on "CLICK TO PLAY" which will reproduce this bug.
- How to fix this issue
Let's check what Android Chrome does: Android Chrome would immediately exit full screen mode if any permission was requested and this is the ideal behaviour we want to see from Nightly.
|
||
Updated•1 year ago
|
(In reply to James Lee from comment #0)
- How to fix this issue
Let's check what Android Chrome does: Android Chrome would immediately exit full screen mode if any permission was requested and this is the ideal behaviour we want to see from Nightly.
Alternatively, we could show the notification above the permission dialog which is what Android Opera GX is doing.
Here are all needed files if you want to test on your server.
|
||
Comment 6•1 year ago
|
||
This prompt comes from the OS itself and for most permissions is only asked once, ever (unless the user chooses "only this time"). Sadly that means the more cautious/careful users are more at risk from this spoof than most other folks.
|
||
Comment 7•11 months ago
|
||
The severity field is not set for this bug.
:bclark, could you have a look please?
For more information, please visit BugBot documentation.
|
|
||
Updated•11 months ago
|
|
|
||
Updated•11 months ago
|
|
||
Updated•9 months ago
|
|
|
||
Updated•4 months ago
|
Description
•