Closed Bug 1908344 (CVE-2024-7523) Opened 1 year ago Closed 1 year ago

Tapjacking Permission (Camera, Location, Microphone, etc.) Using Select Option on Android

Categories

(Firefox for Android :: Browser Engine, defect)

Product:
Firefox for Android
Component:
Browser Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
130 Branch
Tracking Flags:
Tracking Status
firefox128 --- wontfix
firefox129 + fixed
firefox130 + fixed

People

(Reporter: fazim.pentester, Assigned: amejia)

References

Details

(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][fxdroid][adv-main129+][qa-triaged])

Attachments

(7 files, 2 obsolete files)

poc.html
3.52 KB, text/html
Details
demo.mp4
2.93 MB, video/mp4
Details
Test without delay Firefox Beta.jpg
259.08 KB, image/jpeg
Details
Bug 1908344 - Improve prompts showing
48 bytes, text/x-phabricator-request
dveditz
: sec-approval+
Details | Review
Bug 1908344 - Add tests for prompt improvements
48 bytes, text/x-phabricator-request
Details | Review
Bug 1908344 - Improve prompts showing
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
advisory.txt
273 bytes, text/plain
Details

When the Select option is delayed and called simultaneously with the permission prompt, the selection option is rendered on top of the permission prompt's security UI. Consequently, a malicious website can trick the victim into double-tapping the selection option, inadvertently allowing the permission prompt in the background.

Without a delayed trigger for the select option, the permission prompt opens on top of the select option, which is visible to the user. However, a delay could bypass this by rendering the select option on top of the permission prompt, obscuring the security prompt. Therefore, a possible fix should block the select option or any similar prompt from rendering, even after a delay, when a permission prompt is open.

Flags: sec-bounty?
Attached file poc.html

Steps to Reproduce:

  1. Download the following poc.html file.
  2. Host the poc.html file on an HTTPS server.
  3. Open the hosted HTTPS site in the beta version of the Firefox browser for Android and start testing.

Alternatively, for testing, you can also visit this HTTPS link: https://test-ece44.web.app/tjack/firefox-issue.html

Attached video demo.mp4

Video Demonstration.

Group: firefox-core-security → mobile-core-security
Component: Security → Browser Engine
Product: Firefox → Fenix
See Also: → CVE-2024-6605

If we remove the delay and call showPicker(); without any setTimeout(), the permission prompt is shown on top of the select option properly (with visible website URL and the allow and deny buttons). Test: https://test-ece44.web.app/tjack/firefox-nodelay.html

See Also: → CVE-2025-1940

Why didn't the fix for bug 1836786 prevent this?

Flags: needinfo?(amejiamarmol)
Keywords: csectype-clickjacking, sec-high

I'm taking a look, I'll get back as soon as possible.

Flags: needinfo?(amejiamarmol)

Why didn't the fix for bug 1836786 prevent this?

It prevents it, but it depends on how long takes the user to click the Select Option. As the permission prompt timer starts from when it first shown, until the user hit the allow button. If the user is fast and clicks both before it times out, the permission won't be granted, but if the user is slow and takes more than the timeout to interact with Select Option, the allow button will be enable in the permission prompt, which is what is shown in the video demo.

To prevent this and any similar attacks we could deny any permission prompt, that is showing while another prompt is on top.

Assignee: nobody → amejiamarmol
Whiteboard: [client-bounty-form] → [client-bounty-form][fxdroid]

Ideally these prompts would not be obscured / would be always on top. Alternatively if it is obscured and becomes visible again the security delay should reset. In practice this isn't easy to do and also something we're struggling with on Desktop side. We often resort to hiding / blocking other panels while a permission prompt is showing.

Thanks for the desktop context, is there a valid use case to keep prompts always on top of each other?

Flags: needinfo?(pbz)

The permission doorhangers driven by PopupNotifications on desktop are never shown at the same time. PopupNotifications queues them and only shows one at a time. When the prompt is shown the timer for the security delay starts.
We do have prompts on desktop (not PopupNotifications) that can be stacked on top of each other. In that case we only start the timer when the prompt gets focused. Only the top most prompt can get focused.

Hope that helps!

Flags: needinfo?(pbz)

Thanks for all the context really appreciate it. On Android not all prompts are aware of each other presents, which makes coordination challenging, for the moment, I think going with the approach of preventing other prompts while a permission dialog is already showing is a suitable solution for now, in the future we will need to do a larger refactor to unify prompts showing.

Comment on attachment 9413610 [details]
Bug 1908344 - Improve prompts showing

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Very unlikely
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta, and release
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: No likely
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9413610 - Flags: sec-approval?

Depends on D216996

Flags: needinfo?(dveditz)

Comment on attachment 9413610 [details]
Bug 1908344 - Improve prompts showing

sec-approval+ = dveditz

Please don't land the tests until a few weeks after we ship the release.

If you need a different differential to check in the beta uplift do it soon. Final beta builds on desktop start Friday morning (the 26th) and that's probably the same for Fenix (not sure, we don't ship as many betas on mobile)

Attachment #9413610 - Flags: sec-approval? → sec-approval+
Flags: needinfo?(dveditz) → in-testsuite?
Whiteboard: [client-bounty-form][fxdroid] → [reminder-test 2024-08-26][client-bounty-form][fxdroid]
Pushed by amejiamarmol@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/619c4aece5a4 Improve prompts showing r=android-reviewers,Roger

https://hg.mozilla.org/mozilla-central/rev/619c4aece5a4

Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox130: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

Hi QA team!
Could you help us to validate if this issue have been addressed?
Thanks in advance!

Flags: qe-verify+

The patch landed in nightly and beta is affected.
:amejia, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(amejiamarmol)
Status: RESOLVED → REOPENED
Flags: needinfo?(amejiamarmol)
Resolution: FIXED → ---
Attachment #9414860 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Users will be impacted by the sploit
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: Low
  • Explanation of risk level: We are preventing any other prompt request when a permission prompt is active, this is an edge case as site don't try to ask for permissions at the same time they show another prompt.
  • String changes made/needed: n/a
  • Is Android affected?: yes
Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
Resolution: --- → FIXED
Attachment #9414860 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
Resolution: --- → FIXED
Regressions: 1910373
Whiteboard: [reminder-test 2024-08-26][client-bounty-form][fxdroid] → [reminder-test 2024-08-26][client-bounty-form][fxdroid][adv-main129+]
Whiteboard: [reminder-test 2024-08-26][client-bounty-form][fxdroid][adv-main129+] → [reminder-test 2024-08-26][client-bounty-form][fxdroid][adv-main129+][qa-triaged]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt (obsolete) —
Attachment #9417348 - Attachment is obsolete: true
Attached file advisory.txt
Attachment #9417359 - Attachment is obsolete: true
Alias: CVE-2024-7523
Flags: sec-bounty? → sec-bounty+

Given the contortions of the testcase this one should have been rated moderate, not high.

Keywords: sec-highsec-moderate

Seems fair. Creating a long select option with clickjackable colored boxes was all I could do :p . Thanks for the fix and the bounty :).

a month ago, dveditz placed a reminder on the bug using the whiteboard tag [reminder-test 2024-08-26] .

amejia, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(amejiamarmol)
Whiteboard: [reminder-test 2024-08-26][client-bounty-form][fxdroid][adv-main129+][qa-triaged] → [client-bounty-form][fxdroid][adv-main129+][qa-triaged]

Patch rebased and getting ready to be landed

Flags: needinfo?(amejiamarmol)
Pushed by amejiamarmol@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ae9c552ce4bd Add tests for prompt improvements r=android-reviewers,Roger
Group: core-security-release
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: