Closed Bug 1897648 Opened 1 year ago Closed 11 months ago

Android system permission prompts (camera, microphone) can hide fullscreen notification

Categories

(Firefox for Android :: General, defect, P2)

Tracking

RESOLVED FIXED
130 Branch
Tracking Status
firefox126 --- wontfix
firefox127 --- wontfix
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: fazim.pentester, Assigned: polly)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main130-])

Attachments

(3 files)

Attached file poc.html

Various Android system permission prompts, such as those for the camera and microphone, which appear when called for the first time or when the user opts for 'ask every time', can be used to hide fullscreen notifications on Firefox for Android and can be exploited for spoofing.

Below, the proof of concept demonstrates two methods to hide fullscreen notifications: by triggering specific Android prompts, such as the microphone permission or file chooser Android permission (when called for the first time or when the user opts for 'ask every time').

Steps to reproduce:

  1. Download the poc.html file and host this file on an HTTPS server (use: https://test-ece44.web.app/firefox/full.html).
  2. Open the above hosted site in the latest Android Firefox browser, and click on "Go fullscreen". You will see that the permission hides the fullscreen notification. You can also test the input file permission as well; both do not exit fullscreen when called and can be used for spoofing.
Flags: sec-bounty?
Attached video demo.mp4
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix
Severity: -- → S3
Priority: -- → P2
Summary: Android system permission prompts can hide fullscreen notification → Android system permission prompts (camera, microphone) can hide fullscreen notification

We thought we fixed this in bug 1871217 in Firefox 126, but we apparently didn't (bug 1874795). This might end up being a dupe of bug 1874795, but let's fix that and see if this is covered.

See Also: → 1894326, 1871217

Hi Polly, I just tested this bug on the latest nightly version and noticed that the file selection no longer opens with the fullscreen API. Can you check this as well? Thanks.

Flags: needinfo?(polly)

Yes, I think this is also fixed - see this screenshot where the fullscreen notification appears above the system permission prompt.
I'm also not getting a permission request for Browse... Maybe the permissions model has changed since this bug was raised, so it doesn't need to ask any more? I suspect all system permission dialogs would behave in a similar way, though.

Flags: needinfo?(polly)
Depends on: CVE-2024-8388
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Assignee: nobody → polly
Group: mobile-core-security → core-security-release
Target Milestone: --- → 130 Branch
Flags: sec-bounty? → sec-bounty+

This bug will be referenced in the advisory for the fix (bug 1902996)

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [client-bounty-form][adv-main130-]
Group: core-security-release