Android Firefox Nightly: OpenWith dialogs hide full screen notification allowing spoof
Categories
(Firefox for Android :: Browser Engine, defect, P1)
People
(Reporter: proof131072, Assigned: polly)
Details
(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][group4][adv-main130-])
Attachments
(3 files)
We are able to hide the full screen notification to conduct a spoofing attack using OpenWith dialogs, where the impact is similar to this High Severity Chrome Full Screen Spoof issue https://issues.chromium.org/issues/40057591 since this is the default notification and affects all users regardless of settings.
We're able to trigger this OpenWith dialog in multiple ways; the most common ways are such as mailto: and geo: .
PoC demo: https://pwning.click/openwith.php
Comment 2•1 year ago
This POC is built on top of the "tapjacking the open external protocol" vulnerability, but that's not really part of the problem being described here, which would still be an issue (z-ordering between native prompts and our full-screen toast) when that is fixed.
Although people keep filing bugs on individual native prompts, I firmly believe these will all turn out to be duplicates with a single fix for all of them. Otherwise we're going to be playing whack-a-mole every time Android (or an OEM like Samsung) adds a new feature with a new prompt.
Comment 3•1 year ago
The severity field is not set for this bug.
:bclark, could you have a look please?
For more information, please visit BugBot documentation.
Comment 4•1 year ago
Assigning to Titouan because this bug will be fixed by his fix for bug 1874795.
Comment 5•1 year ago
Priority P1 because this bug has been assigned to a squad/group.
Comment 6•1 year ago
looks like this one is now fixed too... the fullscreen notification appears on top of the "Open With" dialog
Comment 7•1 year ago
This bug will be referenced in the advisory for the fix (bug 1902996)