Closed Bug 1916659 (CVE-2024-9397) Opened 1 year ago Closed 1 year ago

No clickjacking delay for the Directory Upload prompt

Categories

(Core :: DOM: Core & HTML, defect)

defect

Tracking


VERIFIED FIXED
132 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 131+ verified
firefox130 --- wontfix
firefox131 + verified
firefox132 + verified

People

(Reporter: fazim.pentester, Assigned: emz)

References

Details

(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main131+][adv-esr128.3+])

Attachments

(7 files)

Attached file poc.html

Firefox has implemented delays to counter clickjacking attacks on various UI prompts. However, during testing, the directory upload prompt does not include this delay. An attacker could create an engaging website that involves a clicking game, where the user repeatedly clicks in the same location. This could trigger two prompts: one for the OS's directory upload (where the "Upload" button is preselected and active) and another Firefox prompt. Without a delay in the browser's prompt, the user could unknowingly upload all their files to the attacker's site. See demo.

I demonstrated this on a macOS machine, though the same prompt on Windows also lacks this security measure. While the Windows file chooser may appear in different areas depending on the user's last placement, the macOS prompt consistently opens in a predictable center location every time.

Steps to reproduce:

  1. Download the attached poc.html and popup.html files.
  2. Open the poc.html file in the latest macOS Firefox browser.
  3. Click on 'Play Game' and repeatedly click on the red button to see that the user's directory is unknowingly uploaded.
Flags: sec-bounty?
Attached file popup.html
Attached video demo.mp4

Video Demonstration.

The test case uses webkitdirectory in case that matters.

Group: firefox-core-security → dom-core-security
Component: Security → DOM: File
Product: Firefox → Core
Summary: Firefox did not implement a clickjacking delay for the Directory Upload prompt → No clickjacking delay for the Directory Upload prompt

Isn't this the same OS dialog as the normal single-file upload case? I don't know that we can implement a delay in that.

Not visible (to me) in your movie is the extra confirmation prompt about uploading the whole directory. That one's ours and does seem to be missing the delay.

Keywords: sec-moderate

This is about <input type=file>, not the File APIs

Component: DOM: File → DOM: Core & HTML

Do we know enough to set a severity on this :smaug?

Flags: needinfo?(smaug)
Severity: -- → S3
Flags: needinfo?(smaug)

Paul, is this something you might be interested in looking at? The setup is a bit janky, but if you pull it off it seems bad, and hopefully we have standard fixes for this thing. Thanks.

Flags: needinfo?(pbz)
Assignee: nobody → pbz
Status: NEW → ASSIGNED
Flags: needinfo?(pbz)
Attached file Bug 1916659, r=Gijs!
Attachment #9425579 - Attachment description: Bug 1916659 - Enable delay helper for folder upload confirmation prompt. r=Gijs! → Bug 1916659, r=Gijs!
Attachment #9425668 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: sec-moderate clickjacking issue that exposes files from the local machine
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: See comment 0
  • Risk associated with taking this patch: low
  • Explanation of risk level: Low risk because the production code change is very simple.
  • String changes made/needed: no
  • Is Android affected?: no
Flags: qe-verify+
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
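The fix described above enables a delay helper on Firefox's own folder-upload confirmation prompt, so that clicks landing on the prompt in the first moments after it appears (the "clicking game" scenario from comment 0) are not honoured. The following is an added illustration of that mitigation pattern, written for this page and not Firefox's code; the delay value and the class and function names are assumptions.

```javascript
// Assumed delay value for illustration; not Firefox's actual constant.
const SECURITY_DELAY_MS = 1000;

// A confirm button that ignores activations arriving before the delay has
// elapsed since the prompt was (re)shown. The clock is injectable so the
// logic can be exercised offline with a constructed timeline.
class DelayedConfirmButton {
  constructor(delayMs = SECURITY_DELAY_MS, now = () => Date.now()) {
    this.delayMs = delayMs;
    this.now = now;
    this.enabledAt = Infinity; // inert until show() is called
    this.ignoredClicks = 0;
  }

  // Called when the prompt becomes visible: starts (or restarts) the delay,
  // so a prompt appearing under a stream of clicks cannot inherit one.
  show() { this.enabledAt = this.now() + this.delayMs; }

  // Should also be invoked when the window regains focus or the prompt is
  // repositioned: anything that could change what sits under the cursor.
  rearm() { this.show(); }

  isEnabled() { return this.now() >= this.enabledAt; }

  // Returns true only when the click is honoured.
  click() {
    if (!this.isEnabled()) { this.ignoredClicks++; return false; }
    return true;
  }
}

// Constructed scenario: the prompt appears at t=0 while the user is clicking
// every clickIntervalMs at the same spot. Returns the time of the first
// honoured click (the prompt would close then) and how many were dropped.
function simulateClickBurst(delayMs, clickIntervalMs, maxClicks) {
  let t = 0;
  const button = new DelayedConfirmButton(delayMs, () => t);
  button.show();
  for (let i = 0; i < maxClicks; i++) {
    if (button.click()) return { acceptedAt: t, ignored: button.ignoredClicks };
    t += clickIntervalMs;
  }
  return { acceptedAt: null, ignored: button.ignoredClicks };
}
```

With no delay the very first click at t=0 is accepted, which is the behaviour the report describes; with the delay in place the early burst is dropped and only a click made after the user has had time to see the prompt goes through.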

Please nominate this for ESR128 also.

Flags: needinfo?(pbz)
Flags: in-testsuite+
Attachment #9425668 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage] [qa-triaged]

I was able to reproduce this issue on macOS 13.2.1 using Fx 130.0 -> the "Upload" button from the Firefox prompt is already active (there is no delay before activating the button). The files can be uploaded by mistake on click.
Verified fixed on macOS 13.2.1 using the treeherder builds: Fx 131.0b9 and Nightly 132.0a1 (2024-09-19) -> there is a delay (~3s) before activating the "Upload" button from the Firefox prompt.

Status: RESOLVED → VERIFIED
Attachment #9426121 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: clickjacking risk where users might involuntarily expose a local directory and its files
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: comment 0
  • Risk associated with taking this patch: low
  • Explanation of risk level: small production code change
  • String changes made/needed: no
  • Is Android affected?: no
Flags: needinfo?(pbz)
Attachment #9426121 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Verified fixed on macOS 13.2.1 using Fx 128.3.0esr: there is a delay (~2-3s) before activating the "Upload" button from the Firefox prompt.

QA Whiteboard: [post-critsmash-triage] [qa-triaged] → [post-critsmash-triage]
Flags: qe-verify+
Whiteboard: [client-bounty-form] → [client-bounty-form][adv-main131+]
Whiteboard: [client-bounty-form][adv-main131+] → [client-bounty-form][adv-main131+][adv-esr128.3+]
Alias: CVE-2024-9397
Flags: sec-bounty? → sec-bounty+
Group: core-security-release