Closed Bug 1894891 Opened 1 year ago Closed 1 year ago

The Google password manager form overlaps fullscreen mode warnings, which could lead to address bar phishing.

Categories

(Firefox for Android :: Autofill, defect, P3)

Firefox 127
Unspecified
Android
defect

Tracking

RESOLVED FIXED
130 Branch
Tracking Status
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: Laraweron, Assigned: polly)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main130-])

Attachments

(4 files)

Attached file poc.html

When a user enters their login and password into the authentication form, a prompt appears suggesting that they save their credentials. In my case, two prompts appear. If we add a fullscreen mode activation function to the authentication button, the browser will not block such behavior.

We can also implement a double-click on the button: the first click activates fullscreen mode, and the second click sends the authentication request. I can provide an example of such an implementation upon request.

Flags: sec-bounty?
Attached video video.mp4
Group: firefox-core-security → mobile-core-security
Component: Security → Autofill
OS: Unspecified → Android
Product: Firefox → Fenix
Version: unspecified → Firefox 127

This appears to be a Google password saving dialog, not ours, which is a recent Android feature. It looks similar to the WebAuthn one when you can't read the text :-)

You can decline this so it would not affect every user, but it will probably be pretty popular if it does a decent job. It might show up if you're on a page where you've already saved a password. This attack seems to rely on the user entering a password on a page they have not saved a password for, which would be extremely unusual if it's the attacker's site. Maybe it's a phishing site and the user already thinks they're somewhere else, but then they've entered their password and you've already won. What's the value of spoofing fullscreen at that point?

Flags: needinfo?(tthibaud)
Summary: The password saving form overlaps fullscreen mode warnings, which could lead to address bar phishing. → The Google password manager form overlaps fullscreen mode warnings, which could lead to address bar phishing.
Attached video video2.mp4

I apologize for the poor implementation example; it is indeed a bad practice to ask users to enter their login and password on an unknown website. I have changed the code so that users no longer need to enter their login and password. I have also hidden the fields.

Attached file poc2.html

Ah, right. Thanks. I'll increase the rating.

Keywords: sec-low → sec-moderate
Severity: -- → S2
Priority: -- → P3

Polly has been working on a proposal for a way to fix all those issues more reliably. We'll bring more details here as soon as we have some results.

Flags: needinfo?(tthibaud)

The new patch for Nightly v130.0a1 seems to fix this bug.

Status: NEW → RESOLVED
Closed: 1 year ago
Depends on: CVE-2024-8388
Resolution: --- → FIXED
Assignee: nobody → polly
Group: mobile-core-security → core-security-release
Target Milestone: --- → 130 Branch
Flags: sec-bounty? → sec-bounty+

This bug will be referenced in the advisory for the fix (bug 1902996)

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [client-bounty-form][adv-main130-]
Group: core-security-release