Clickjacking to allow permission via popup (window.open) and webauthn OS dialog (Windows)
Categories: Toolkit :: PopupNotifications and Notification Bars, defect, P1
People: Reporter: sas.kunz, Assigned: emz
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main126+] [adv-ESR115.11+]
Attachments: 13 files, 1 obsolete file
I found a clickjacking vulnerability to allow permission using window open.
Steps to reproduce:
- open https://coral-shadowed-parrot.glitch.me/clickjack.html or open clickjack.html
- Click on "Go to Game" button
- Do Triple Click
Operating System : Windows 10
Firefox version : Firefox Nightly version 126.0a1 (2024-03-18) (64-bit)
Comment 3 • 11 months ago
Paul, can you take a look?
Comment 4 • 11 months ago
triple-click is weird, and a site telling me to do it is suspicious. I'm sure this would be successful against some people, but not enough of them to get a sec-high rating.
Comment 6 (Assignee) • 11 months ago
I can't reproduce this issue on Windows 11. Probably because the auth prompt isn't persistent, it moves to the background when I click the Firefox window. Currently setting up a Windows 10 machine to try to reproduce it there.
Comment 7 (Assignee) • 11 months ago
I've also tested it on Windows 10 (with all updates applied) on Nightly and Firefox release. I still don't see the modal that's shown in the video. Instead I see this doorhanger.
Reporter, do you know if there is any system or Firefox setting I need to change in order to see the modal? I'm curious if this is an edge case with a specific security device and a specific configuration state.
Hi Paul, can you try again? I have changed the delay of the popup window
Comment 10 (Reporter) • 11 months ago
Hi Paul, if the first try fails, then click the cancel button on the webauthn dialog, refresh the webpage and try a second time. I tried it on two different notebooks and it worked, no additional configuration. I did both using Windows 10.
Comment 11 (Assignee) • 11 months ago
I don't think the permission prompt in Firefox is the reason I can't reproduce. Your Windows installation seems to show a setup prompt for your security key. Do you have security keys attached or are you using some other device like a TPM chip or a webcam with Windows Hello?
My suspicion is that the prompt changes how the Firefox window is focused and thus causes issues with the security delay. I can get the prompt to show up in Windows 11, but there it seems to get moved into the background when I click on the Firefox window.
John, do you know under which circumstances this Windows key setup prompt shows up? I'm trying to trigger it in a Windows 10 VM.
Comment 12 • 11 months ago
Paul, assuming you're using a fresh profile, you shouldn't see that doorhanger unless your Windows 10 version is less than 1903 (19H1). The other possibility is that you've set security.webauth.webauthn_enable_softoken to true.
I see the security key setup modal on Windows 10 22H2, but I wasn't able to reproduce the clickjacking example.
Comment 13 (Assignee) • 11 months ago
Thanks!
I've double checked and installed all the updates. My Windows 10 VM is on Version 10.0.19045 Build 19045.
I get the Firefox doorhanger on both Nightly and Release with fresh profiles - no Windows prompt.
Is there anything else I could try, e.g. enable logging to see why we fall back to what I assume is the software token?
Edit: Do I need to have a TPM attached to the VM for the OS prompt to show?
Edit2: Passing in my TPM to the VM does not change anything.
Comment 14 • 11 months ago
You could break on EnsureWinWebAuthnModuleLoaded (parent process) and see where it fails. I know some VMs intercept webauthn.dll so that they can redirect WebAuthn requests to the host, so it's possible that you aren't using the standard Windows webauthn.dll.
Comment 16 (Reporter) • 10 months ago
Hi Paul, I am trying to add time on this part:
setTimeout(function() { var w = window.open( "https://coral-shadowed-parrot.glitch.me/game1.html", "Popup", "resizable,scrollbars,status" ) }, 170);
I tried setting it to 1 and the permissions didn't appear, then I changed it by increasing the delay time to 100 and it didn't work, and I changed it to 170 and it worked. You can try adding or subtracting the time delay. Try it on your local server; maybe this is a race condition.
Updated • 10 months ago
Comment 17 (Assignee) • 10 months ago
Didn't mean to clear the NI. I'm currently setting up a Windows 10 dedicated machine to see if it reproduces there.
Updated • 10 months ago
Comment 18 (Assignee) • 10 months ago
I can reproduce on my Windows 10 installation! Surprisingly I can run one from a USB drive. The security delay is not extended because no "activate" event seems to fire when the main window is focused while the "Security key setup" prompt is shown.
The "activate" event is handled by the PopupNotifications code here and normally would extend the security delay.
Edit: I think the real problem here is that normal clicks on the main Firefox window don't go through (because the Windows prompt takes exclusive focus) but the PopupNotification can still be clicked.
Comment 19 • 10 months ago
(As per some local debugging, the window seems to think it's still active)
Comment 20 (Assignee) • 10 months ago
Thanks for the help Emilio! I've filed Bug 1890835 for the panel appearing on top of other windows, which most likely makes it clickable even though the windows prompt is open. Maybe fixing that bug will resolve the sec issue too.
Edit: It appears that this was a bug with my local profile. Potentially caused by some prefs I had not reset from testing. The PopupNotification is not on top when testing with a fresh profile. But it can still be clicked even when the window is in modal state.
Comment 21 (Assignee) • 10 months ago
Updated • 10 months ago
Comment 22 (Assignee) • 10 months ago
I've attached a patch that resolves the issue by blocking pointer events to the PopupNotifications panel when the window is not active. I've confirmed this resolves the bug by testing the PoC on my Windows 10 installation. The Windows security key setup prompt deactivates the Window and it only gets activated again once the prompt has been closed.
Thanks to :emilio for the help and the CSS rule idea!
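A small model of the mechanism described in comments 18 and 22, added here as an example and not Firefox's own code: a permission panel that enforces a security delay, restarts that delay on the window's "activate" event, and (with the fix) ignores clicks while the window is inactive. The 500 ms delay and every timestamp below are constructed assumptions, not values taken from the bug.

```javascript
// Added example, not Firefox code: a toy PopupNotifications panel with the
// security delay and the "ignore pointer events while inactive" fix from comment 22.
const SECURITY_DELAY_MS = 500; // assumed value; the real delay is a Firefox pref

class PermissionPanel {
  constructor(shownAt, { blockWhenInactive = false } = {}) {
    this.shownAt = shownAt;                   // when the prompt appeared (ms)
    this.windowActive = true;                 // focus state of the chrome window
    this.blockWhenInactive = blockWhenInactive; // the fix: drop clicks while inactive
    this.decision = null;                     // "allow"/"deny" once a click is honoured
  }
  // Window "activate" event: restart the delay so a click aimed at another
  // window cannot land on the prompt the instant focus returns.
  onActivate(now) { this.windowActive = true; this.shownAt = now; }
  onDeactivate() { this.windowActive = false; }
  click(now, action) {
    if (this.blockWhenInactive && !this.windowActive) return "ignored: window inactive";
    if (now - this.shownAt < SECURITY_DELAY_MS) return "ignored: security delay";
    this.decision = action;
    return "accepted";
  }
}

// Failure mode from comments 18 and 20: an OS modal (the Windows security key
// setup dialog) takes focus, but no "activate" event fires while it is open, so
// the delay is never restarted and the panel still receives clicks.
function simulateOsModalClick(blockWhenInactive) {
  const panel = new PermissionPanel(0, { blockWhenInactive });
  panel.onDeactivate();                      // OS dialog takes focus at t=0 (constructed)
  const result = panel.click(700, "allow");  // click hits the panel at t=700, dialog still open
  return { result, decision: panel.decision };
}

// Legitimate path for comparison: the dialog closes, the window re-activates and
// the delay restarts, so only a click after the delay is honoured.
function simulateAfterDialogCloses() {
  const panel = new PermissionPanel(0, { blockWhenInactive: true });
  panel.onDeactivate();
  panel.onActivate(900);                     // dialog closed, window active again
  const early = panel.click(1000, "allow");  // 100 ms after activate: inside the delay
  const late = panel.click(1500, "allow");   // 600 ms after activate: genuine click
  return { early, late, decision: panel.decision };
}
```

Without the fix the modal-open click is accepted; with it the same click is dropped, and the normal prompt flow still works once the window is active again.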
Comment 23 (Assignee) • 10 months ago
Hafiizh, I want to make sure you're aware that the code you're sharing via glitch is publicly accessible. I'm not sure how discoverable it is, but when I go to your profile I can see all your public projects, including the one you used for the PoC here. I'd recommend to keep the PoC private.
Comment 24 (Reporter) • 10 months ago
I have archived the code. To reproduce the PoC, open clickjack.html on your local server.
Comment 25 • 10 months ago
Comment 26 • 10 months ago
Updated • 10 months ago
Comment 27 • 10 months ago
The patch landed in nightly and beta is affected.
:pbz, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox126 to wontfix.
For more information, please visit BugBot documentation.
Comment 28 (Assignee) • 10 months ago
Comment on attachment 9396195 [details]
Bug 1886082, r=emilio,Gijs
Beta/Release Uplift Approval Request
- User impact if declined: sec-moderate clickjacking issue affecting permission prompts, only affects Windows 10.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: https://bugzilla.mozilla.org/show_bug.cgi?id=1886082#c0
May need to adjust the placement of the button so it lines up with the permission prompt "accept" button.
From my testing this does not reproduce in VMs. You need a bare metal Windows 10 installation.
Please also do some smoke testing on Windows, macOS and linux to make sure permission prompts still work as expected and the accept / deny buttons can be clicked. You can use https://permission.site for testing.
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): The code change is quite small, but there is risk that we break permission prompts. While we don't have automated test coverage for the bug's POC, permission prompts have pretty good test coverage generally.
- String changes made/needed:
- Is Android affected?: No
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: It's a sec-moderate, no particular case for ESR consideration.
- User impact if declined: see beta-uplift request
- Fix Landed on Version: 127
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): see beta-uplift request
Updated • 10 months ago
Updated • 10 months ago
Comment 29 • 9 months ago
Comment on attachment 9396195 [details]
Bug 1886082, r=emilio,Gijs
Approved for 126.0b7
Comment 30 • 9 months ago
uplift
Updated • 9 months ago
Updated • 9 months ago
Updated • 9 months ago
Comment 31 • 9 months ago
Comment on attachment 9396195 [details]
Bug 1886082, r=emilio,Gijs
Approved for 115.11esr.
Comment 32 • 9 months ago
uplift
Updated • 9 months ago
Updated • 9 months ago
Comment 33 • 9 months ago
I encountered an unexpected error while trying to access the link provided in Comment 0 and unfortunately, I'm unable to reach https://coral-shadowed-parrot.glitch.me/clickjack.html. When attempting to open the clickjack.html page directly, I encountered the same error on coral-shadowed-parrot.glitch.me/game1.html. I've attached the error message for reference.
@Hafiizh, could you please confirm if this test case is still accessible and functional on your end?
Comment 34 (Reporter) • 9 months ago
I have deleted it in public based on comment #22
Comment 35 (Reporter) • 9 months ago
I updated the PoC. Open clickjakx.html
Comment 36 (Reporter) • 9 months ago
Comment 37 • 9 months ago
@Hafiizh, thank you for the test case provided.
I've replicated this issue with Nightly 126.0a1 on Windows 10 x64 following the STR from Comment 0 and Comment 10.
Verified as fixed in the latest Nightly 127.0a1 and Firefox 126.0b7 versions on the same configuration, as the issue no longer occurs.
Comment 38 • 9 months ago
I am no longer able to reproduce this issue in Firefox 115.11.0esr on Windows 10. As a result, I've updated the flag to indicate this.
Comment 39 • 9 months ago
(In reply to Hafiizh from comment #34)
> I have deleted it in public based on comment #22
It's good the developer confirms their own fix, but it doesn't count as a verification until someone independently confirms (like QA) :-)
Updated • 9 months ago
Updated • 9 months ago
Comment 40 • 9 months ago
Updated • 9 months ago
Updated • 8 months ago
Updated • 8 months ago
Updated • 5 months ago