Closed Bug 1884642 Opened 1 year ago Closed 1 year ago

Android Firefox Nightly: OpenWith dialogs hide full screen notification allowing spoof

Categories

(Firefox for Android :: Browser Engine, defect, P1)

Tracking

RESOLVED FIXED
130 Branch
Tracking Status
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: proof131072, Assigned: polly)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][group4][adv-main130-])

Attachments

(3 files)

Attached file openwith.html

We are able to hide the full screen notification to conduct a spoofing attack using OpenWith dialogs, where the impact is similar to this High Severity Chrome Full Screen Spoof issue https://issues.chromium.org/issues/40057591, since this is the default notification and affects all users regardless of settings.

We're able to trigger this OpenWith dialog in multiple ways; the most common are mailto: and geo: .

PoC demo: https://pwning.click/openwith.php

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
Keywords: csectype-spoof
Product: Firefox → Fenix

This POC is built on top of the "tapjacking the open external protocol" vulnerability but that's not really part of the problem being described here which would still be an issue (z-ordering between native prompts and our full-screen toast) when that is fixed.

Although people keep filing bugs on individual native prompts, I firmly believe these will all turn out to be duplicates with a single fix for all of them. Otherwise we're going to be playing whack-a-mole every time Android (or an OEM like Samsung) adds a new feature with a new prompt.

Keywords: sec-high

The severity field is not set for this bug.
:bclark, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(brclark)

Assigning to Titouan because this bug will be fixed by his fix for bug 1874795.

Assignee: nobody → tthibaud
Severity: -- → S2
Component: General → Browser Engine
Flags: needinfo?(brclark)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [group4]

Priority P1 because this bug has been assigned to a squad/group.

Priority: -- → P1

Looks like this one is now fixed too... the fullscreen notification appears on top of the "Open With" dialog.

Depends on: CVE-2024-8388
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Assignee: tthibaud → polly
Group: mobile-core-security → core-security-release
Target Milestone: --- → 130 Branch
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high → sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [group4] → [client-bounty-form][group4]

This bug will be referenced in the advisory for the fix (bug 1902996)

Whiteboard: [client-bounty-form][group4] → [client-bounty-form][group4][adv-main130-]
Group: core-security-release