Intent dialog tapjacking using Select option
Categories
(Firefox for Android :: General, defect, P2)
Tracking
()
People
(Reporter: fazim.pentester, Assigned: Tara)
References
Details
(4 keywords, Whiteboard: [client-bounty-form] [fxdroid][adv-main136+][adv-main141-])
Attachments
(6 files)
On Firefox for Android, using a delayed select option dialog, we could cover the intent dialog with custom attacker content and tapjack the victim into unknowingly launching any Android intent.
Steps to Reproduce:
1 . Download the file poc.html to a folder
2. Start a Python server on the same folder by running the command python -m http.server 8080.
3. Open the Android Firefox browser and navigate to the server at http://{YOUR-SERVER-IP}:8080/poc.html to Begin testing.
|
Reporter | |
Comment 1•1 year ago
|
||
While reporting this issue, I am aware of the previously reported Bug 1836921, but I believe both are different (different fix!). While Bug 1836921 straight-up tapjacks the dialog, this bug uses a select option overlay to cover it. Therefore, we require extra measures to prevent such vulnerability.
|
|
Reporter | |
Comment 2•1 year ago
|
||
Video Demonstration.
|
|
Reporter | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 3•1 year ago
|
||
Almost certainly the fix for bug 1836921 (add a delay protection to that dialog) will function the same here and fix this too, but I'm OK with making this "depend on" that one in the off chance that for some reason the select doesn't restart the timer.
|
||
Updated•1 year ago
|
|
|
||
Comment 4•1 year ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3)
Almost certainly the fix for bug 1836921 [will] fix this too
Of course I also thought bug 1909298 should have been fixed by bug 1836786 and that didn't work out. Watch out for minor timing differences when trying to fix timing-based attacks :-(
Before jumping into implementing anything, I'd like to brainstorm the best way to prevent against this. Do you think delaying the selection is the way to go here? Frankly I can't think of a clever way to resolve this.
|
|
Reporter | |
Comment 6•6 months ago
|
||
Delaying the selection process is one potential approach. Alternatively, we could completely restrict the selection from opening until the user grants permission for the intended action. Once the user is done with intent, they would then be allowed to access the selection option.
Another approach involves detecting whether the intent dialogue is in focus. If it becomes unfocused due to the selection option or any other dialogues, we can reset the timer. This ensures that the user can interact with the selection option and proceed with the intent after a respectful delay, effectively preventing tapjacking.
|
|
Reporter | |
Comment 7•6 months ago
|
||
Another way is to always show important dialogues, like the intent dialogue, in the foreground if possible, while less important ones open in the background.
Now weβve got four options:
- Delay the selection process to give the user more time.
- Completely block new dialogues, like the selection option, from popping up while the intent dialogue is active.
- Allow the prompt to open on top, but reset the timer for the hidden dialogue when it regains focus after losing it.
- Always keep important dialogues, like the intent dialogue, focused on top/foreground if possible.
|
|
Reporter | |
Comment 8•6 months ago
|
||
Option 2 is similar to how most interactions I've seen are handled in browsers. I think doing this on Android as well would prevent two dialogues from opening at once. Instead, only one dialogue would open at a time per click/tap, and the first one would consume the user's activation (in a single tap). After that, it would require an additional explicit click/tap from the user to open the next dialogue.
Thanks for your input and ideation here Shaheen!
Completely block new dialogues, like the selection option, from popping up while the intent dialogue is active.
I think this is the best solution to move forward with.
|
Assignee | |
Updated•6 months ago
|
|
|
Assignee | |
Comment 10•6 months ago
|
||
|
|
Assignee | |
Comment 11•6 months ago
|
||
|
||
Comment 12•6 months ago
|
||
|
||
Comment 13•6 months ago
|
||
|
|
||
Updated•6 months ago
|
|
||
Comment 14•6 months ago
|
||
The patch landed in nightly and beta is affected.
:tjorjani, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox136towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 15•6 months ago
|
||
Letting this ride the trains since it is S3
|
|
||
Comment 16•6 months ago
|
||
(In reply to Tara Jorjani [:tjorjani] from comment #15)
Letting this ride the trains since it is S3
:tjorjani though it's an S3, it's a secbug with sec-moderate rating. We should still uplift this?
:dveditz if you have anything to add?
|
|
Assignee | |
Comment 17•6 months ago
|
||
(In reply to Donal Meehan [:dmeehan] from comment #16)
(In reply to Tara Jorjani [:tjorjani] from comment #15)
Letting this ride the trains since it is S3
:tjorjani though it's an S3, it's a secbug with sec-moderate rating. We should still uplift this?
:dveditz if you have anything to add?
I don't have a strong preference, I'm good with uplifting it. I will wait a bit first to see if :dveditz has something to say.
|
|
||
Updated•6 months ago
|
|
|
Assignee | |
Comment 19•6 months ago
•
|
||
Comment on attachment 9463591 [details]
Bug 1908488 - Improve dialogs.
Beta/Release Uplift Approval Request
- User impact if declined/Reason for urgency: This is a security bug with a sec-moderate rating. This patch contains the fix to prevent attackers from being able to tapjack victims by having them unknowingly launch any Android intent.
- Is this code covered by automated tests?: Not included currently, but automated tests will be landed later.
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
1 . Download the file poc.html to a folder
- Start a Python server on the same folder by running the command python -m http.server 8080.
- Open the Firefox for Android browser and navigate to the server at http://{YOUR-SERVER-IP}:8080/poc.html to begin testing.
- Click on "Test Intent"
- Verify that only the intent dialog appears
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a small patch that adds a simple condition affecting when the prompt dialog can be shown. In addition, the automated testing for this patch would be landed soon.
- String changes made/needed: None
- Is Android affected?: Yes
|
|
Assignee | |
Updated•6 months ago
|
|
|
||
Comment 20•6 months ago
|
||
Comment on attachment 9463591 [details]
Bug 1908488 - Improve dialogs.
Approved for 136.0b6
|
|
||
Comment 21•6 months ago
|
||
| uplift | ||
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
|
||
Updated•5 months ago
|
|
|
||
Comment 22•5 months ago
|
||
|
||
Updated•5 months ago
|
|
|
||
Comment 23•4 months ago
|
||
|
||
Comment 24•4 months ago
|
||
|
|
||
Updated•20 days ago
|
|
||
Updated•20 days ago
|
|
||
Comment 25•13 days ago
|
||
Verified on the latest Firefox for Android versions: 141.0 build 1, Beta 141.0b9, and Nightly 142.0a1 from 7/17, with a Samsung Galaxy S24 (Android 15) - I've attached a short video with the behavior.
Please let us know if there is enything else or different we should test.
|
|
||
Updated•13 days ago
|
|
||
Updated•10 days ago
|
Description
•