Modals cover complete Omnibox when using multi window android feature
Categories: Firefox for Android :: Browser Engine, defect
People: Reporter: jayateertha043, Unassigned
Details: Keywords: csectype-spoof, reporter-external
Attachments: 1 file (220.04 KB, image/jpeg)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Steps to reproduce:
- Open Firefox in one tab, Android calculator in another tab using Android OS multi-window feature.
- In the Firefox tab, open https://brutelogic.com.br/xss.php/%22%3E%3Csvg%20onload=alert(1)%3E
- Alert Box will pop up covering entire omnibox as attached in screenshot.
Actual results:
Alert box crosses browser's line of death and covers the entire omnibox.
Ref: https://textslashplain.com/2017/01/14/the-line-of-death/
Expected results:
Alert box or any modal shouldn't cover the omnibox.
Note: Google Chrome works fine as intended; the issue happens only in Firefox (Android).
Comment 1 (Reporter) • 2 years ago
This issue will be more annoying and spoofable when a modal pop-up arises from a cross-origin frame.
Comment 2 (Reporter) • 2 years ago
Hi team,
Kindly add sec-bounty flag for this issue.
Comment 3 (Reporter) • 2 years ago
Hi Daniel,
I think needinfo flag is set.
Kindly remove if not required.
Comment 4 (Reporter) • 2 years ago
Hi team,
Kindly let me know if this is under fix & severity assigned, as similar issues reported in other browsers are also under fix.
Comment 5 • 2 years ago
Please paste links to the other browser issues if you know them. Even if the links are private they are useful references for us in asking our colleagues in other companies about them.
Comment 6 • 2 years ago
Since this is configured at the user's choice, and not very common for browsers, we don't believe this is a security issue that needs to be hidden. It's possible the GeckoView team will want to change our prompts to a "tab modal" in-content style as we do on desktop, which would address this issue.
Comment 7 (Reporter) • 2 years ago
This is not only impacting user configuration, but also devices with low screen resolution.
I managed to simulate a low-resolution device using multi-window.
This is a security issue as per https://textslashplain.com/2017/01/14/the-line-of-death/
We do not overlap browser UI and HTML content in desktop browsers, whereas this is happening on mobile.
Even in Google Chrome (Android), the alerts/modals are working correctly and do not hide the omnibox.
Comment 8 (Reporter) • 2 years ago
@dveditz
Also, in comparison with desktops, just because a user resizes a window doesn't mean HTML content can overlap with browser UI. Window resize is also a user configuration but is treated as a vulnerability on desktop.
This will affect devices with low screen resolution even without multi-window.
I feel like this issue is opened in urgency without considering all the scenarios.
I cannot share the other browser ticket as the other browser is not a popular one and has a private bug bounty program, unlike popular ones.
Comment 9 (Reporter) • 1 year ago
Hi @daniel/security team,
Can you reassess the vulnerability for security impact as it's a general browser guideline that html renderer ui element shouldn't overlap with browser contents.
Note: Chrome isn't affected by this, have also tested a few other smaller browsers which are also safe.
This doesn't depend on user configuration; devices with low resolution are also impacted.
I would be happy if the security team reassesses the report.
Comment 10 • 1 year ago
like bug 1859167, except using split screen to attack people with tall phones
(In reply to Jayateertha Guruprasad from comment #9)
> Can you reassess the vulnerability for security impact as it's a general browser guideline that html renderer ui element shouldn't overlap with browser contents.
Yes, this is a bug. We don't believe this partial spoof needs to be hidden.
Comment 11 (Reporter) • 1 year ago
As the modal/pop-ups cover the URL, the victim doesn't know if the pop-up is from the browser or the OS itself.
The modal can be used to spoof OS-related alerts, as generally modals/any HTML content doesn't escape the HTML content box nor overlaps with browser UI.
Also, will a severity like sec-low, sec-moderate or sec-high be assigned for this issue?
Is this eligible for bounty upon fix?
Comment 12 • 1 year ago
We are not going to award a bounty for this. It's unfortunate UI but not a practical risk to most users.
Comment 13 • 1 year ago
The Bugbug bot thinks this bug should belong to the 'Fenix::Browser Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.