Clickjacking to allow permission using datepicker and pointerlock
Categories
(Toolkit :: PopupNotifications and Notification Bars, defect)
People
(Reporter: sas.kunz, Assigned: hsohaney)
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [Fixed by Bug 1743329][adv-main128-])
Attachments
(4 files)
When activating pointerlock, the cursor is by default in the middle of the screen and visible, but using datepicker the pointer is visible and can interact, so this can cause clickjacking.
Steps to reproduce:
1. Open vidk.html
2. Click on the "Choose Date" button
3. Do many clicks on the "next month" button
Operating System : Windows 10
Firefox version : Firefox Nightly version 126.0a1 (2024-03-25) (64-bit)
Comment 2•2 years ago
Paul, can you take a look?
Comment 3•2 years ago
Harshit, can I forward this one to you?
Comment 4•2 years ago (Assignee)
This looks reproducible on Mac, but it's a bit buggy (it doesn't actually click allow on my machine). I will try it on a Windows VM and confirm. Happy to take this!
Comment 5•2 years ago
The fact that it doesn't accept the click for up to 2 seconds is intended behavior and means the clickjacking protection is working. See https://searchfox.org/mozilla-central/rev/7bbc54b70e348a11f9cd12071ada2cb47c8a14e3/toolkit/modules/PopupNotifications.sys.mjs#1345-1346,1349,1351 for the code doing that.
What's unexpected / unwanted is the fact that when interacting with the date picker the cursor jumps to the allow button and it immediately accepts the prompt.
Clicks not going through for a bit after the prompt shows would be an acceptable solution. I'm curious why the code we added for pointerlock doesn't get triggered here.
Comment 7•1 year ago
After bug 1743329, pointer lock is not allowed when a XUL popup is opened, so I think it also fixes this.
Comment 8•1 year ago
It would be worth checking whether this still works now that Bug 1743329 has been fixed.
Comment 9•1 year ago (Assignee)
I tried reproducing on my VM, but could not reproduce it anymore. Reporter, could you validate whether this is still reproducible?
Comment 10•1 year ago (Reporter)
I can still reproduce it on Firefox version 127.0 (64-bit), but on Firefox Developer Edition version 128.0b3 (64-bit) I can't reproduce it. Is it fixed in version 128?
Comment 11•1 year ago (Reporter)
Firefox 127.0
Comment 12•1 year ago (Reporter)
Firefox 128.0b3 (64-bit) Developer Edition
Comment 13•1 year ago (Reporter)
In version >=128, when the Choose Date button is selected, the pointerlock is not active (exit pointer lock), but in version 127 the pointerlock is still active.
Comment 14•1 year ago
As per comment 8, Bug 1743329 most likely fixed this. That patch targets 128 (and later). Thanks for confirming!
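The two protections discussed in comments 5, 7 and 13, as an added example that is not part of the bug report and not Firefox's code: a simplified model in which the prompt ignores early clicks, and pointer lock and popups exclude each other. The class names, the 2000 ms value and the rule that an early click restarts the delay are assumptions of this sketch.

```javascript
// Added illustration: a simplified model, not Firefox source code.
const BUTTON_DELAY_MS = 2000; // assumed from "up to 2 seconds" in comment 5

class PermissionPrompt {
  constructor(clock) {
    this.clock = clock; // injectable time source so the model is testable
    this.shownAt = null;
    this.granted = false;
  }
  show() { this.shownAt = this.clock(); }
  // Returns true only when the click is accepted.
  clickAllow() {
    if (this.shownAt === null) return false;
    const now = this.clock();
    if (now - this.shownAt < BUTTON_DELAY_MS) {
      this.shownAt = now; // assumption of this model: an early click restarts the delay
      return false;
    }
    this.granted = true;
    return true;
  }
}

class TabState {
  constructor() { this.popupOpen = false; this.pointerLocked = false; }
  // Comment 7: pointer lock is refused while a popup is open.
  requestPointerLock() {
    if (this.popupOpen) return false;
    this.pointerLocked = true;
    return true;
  }
  // Comment 13: opening the date picker ends an active pointer lock (128 and later).
  openPopup() { this.popupOpen = true; this.pointerLocked = false; }
  closePopup() { this.popupOpen = false; }
}

// Constructed timeline: prompt shown at t=0, clicks at 100 ms, 1500 ms and 3600 ms.
function demo() {
  let t = 0;
  const prompt = new PermissionPrompt(() => t);
  prompt.show();
  const results = [100, 1500, 3600].map((ms) => { t = ms; return prompt.clickAllow(); });
  const tab = new TabState();
  tab.requestPointerLock();
  tab.openPopup();
  return { results, lockedAfterPopup: tab.pointerLocked, relock: tab.requestPointerLock() };
}
console.log(demo());
```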
Comment 15•1 year ago
Thanks for reporting this to us. Looks like someone else was faster here.
Comment 16•1 year ago (Reporter)
Hello, do I get a CVE for this vulnerability?
Comment 17•1 year ago
No, because this was part of another, previously reported bug.