Closed Bug 1918853 (CVE-2024-10465) Opened 1 year ago Closed 1 year ago

Clipboard "paste" button persists across a tab open

Categories

(Core :: DOM: Core & HTML, defect)

defect

Tracking


VERIFIED FIXED
132 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 132+ verified
firefox130 --- wontfix
firefox131 --- wontfix
firefox132 + verified

People

(Reporter: alisyarief.404, Assigned: tschuster)

References

(Regression)

Details

(4 keywords, Whiteboard: [client-bounty-form] [adv-main132+] [adv-esr128.4+])

Attachments

(6 files, 1 obsolete file)

Attached video repro_clipboard.webm

When an HTML script is executed to open google.com, an alert appears asking the user to "Paste" clipboard content. If the user selects "Paste," the clipboard content is sent to the HTML script, which is located on a different domain. This raises potential concerns of UI spoofing and clipboard hijacking, as the prompt or notification for clipboard actions appears to come from a trusted domain like google.com, but is actually from a different domain.

This vulnerability could lead to UI spoofing and clipboard hijacking, where users may not realize that the notification originates from an unrelated source and their clipboard data could be sent to unauthorized parties.

Steps to Reproduce:

  1. Open: https://roomkangali.com/browser/0xClip/
  2. Click the "Read Clipboard" button.
  3. Observe that after the google.com page loads, an alert appears asking for "Paste" from the clipboard.
  4. Click "Paste" on the alert and check that the clipboard content is sent to the HTML script on a different domain.

Tested in:

Firefox Nightly: 131.0a1 (2024-08-26) (64-bit)
OS: Ubuntu

Expected Result: Clipboard-related prompts or interactions should not appear on a domain different from the one that triggered the action. Clipboard actions should be performed transparently and should not mislead the user.

Actual Result: The "Paste" alert appears on the google.com page, and if the user selects "Paste," the clipboard content is sent to the HTML script located on a different domain. This can mislead users and open potential risks of data theft or misuse of personal information.

Flags: sec-bounty?
Attached video repro_android.mp4

Testing on the Android browser works.

Nightly Android: 132.0a1 (Build #2016044015)
Firefox Android: 130.0 (Build #2016041319)
OS: Android 14

Please attach a test case to this bug to aid triage. Thanks.

Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Flags: needinfo?(alisyarief.404)
Keywords: csectype-spoof
Product: Firefox → Core
Summary: UI Spoofing Clipboard Paste → Clipboard "paste" button persists across a tab open

I was able to reproduce this issue on MacOS.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file index.html (obsolete)

This attachment is the HTML script.

I tested reproducing on Windows and Mac; it works.

Flags: needinfo?(alisyarief.404)
Attached file working testcase
Attachment #9424875 - Attachment is obsolete: true
Attachment #9424894 - Attachment mime type: text/plain → text/html

Tom noted this was an issue in bug 1916831 comment 2.

Hsin-Yi, who is working on async clipboard stuff while Edgar is out? Thanks.

Flags: needinfo?(htsai)
Severity: -- → S2

(In reply to Andrew McCreight [:mccr8] from comment #7)

Hsin-Yi, who is working on async clipboard stuff while Edgar is out? Thanks.

:tschuster is the person that I immediately think about; however, I am not quite sure about Tom's recent bandwidth.

Hi Tom, would you be able to put up patches for this? I read that there's a solution per bug 1916831 comment 2. Thank you.

Flags: needinfo?(htsai) → needinfo?(tschuster)

I think I already found this issue and it's not directly bug 1916831 comment 2. The problem is that just like with the select dropdown (bug 1909163), we didn't mark the "Paste" context menu as "tabspecific". Thus it doesn't close when the current tab/location changes.

Flags: needinfo?(tschuster)
Assignee: nobody → tschuster
Status: NEW → ASSIGNED

That's not to say that we shouldn't also check the active flag at some earlier point, but in my quick testing browsingContext.isActive was true during confirmUserPaste.

This does not resolve the Firefox for Android issue, and I don't have any experience with that.

Assignee: tschuster → nobody
Status: ASSIGNED → NEW

(In reply to Tom Schuster (MoCo) from comment #11)

This does not resolve the Firefox for Android issue, and I don't have any experience with that.

Thank you for working on this. If this requires separate Fenix changes to fix the same test case, could you please file a new issue for that so we don't lose track of this? Thanks.

Flags: needinfo?(tschuster)
Assignee: nobody → tschuster
Status: NEW → ASSIGNED
Keywords: sec-low
Flags: needinfo?(tschuster)
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4bb7cb20a56b Mark the Paste contextmenu as tabspecific. r=emilio

Set release status flags based on info from the regressing bug 1877400

That patch should apply cleanly to ESR128.

Attachment #9426087 - Flags: approval-mozilla-esr128?

Comment on attachment 9426087 [details]
Bug 1918853 - Mark the Paste contextmenu as tabspecific. r?emilio

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: It might be possible to trick users into leaking their clipboard contents, because the [Paste] button appears on a page they trust.

A simple fix.

  • User impact if declined: Users may accidentally expose their own private data.
  • Fix Landed on Version: 132
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): One line change, that follows other similar fixes for cross-tab spoofing with dropdowns/menus.
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch

Yes, I tested in Desktop Firefox Nightly: Version 132.0a1 (2024-09-20) (64-bit);
this patch fixes it.

Just waiting for the fix in Firefox Nightly on Android.

Thanks

Flags: sec-bounty? → sec-bounty+

Thank you for the reward and respect to the team for the fix, great work! 🙂
I have a question: how long until the CVE release and payment?

Are you planning a CVE? If yes, could you save the credit as
Reporter credit: Kang Ali and Nur Fadhillah of Punggawa Cybersecurity

Thanks

Questions about the bug bounty program should be directed to security@mozilla.org and not put in bugzilla comments.

(This is however an appropriate place to specify the reporter credit.)

OK, thanks Andrew.

Do I have to contact security@mozilla.org, or will security@mozilla.org contact me later?

(This is however an appropriate place to specify the reporter credit.)
How long until the CVE release?

Thanks

Attachment #9426087 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+

Reproduced the initial issue using an old Nightly build from 2024-08-26; verified that using the latest Firefox Beta 132.0b7 and the latest 128 ESR build across platforms (Windows 11, macOS 13 and Ubuntu 22.04) from treeherder, the issue is no longer reproducible. The paste clipboard button does not appear anymore, so the clipboard is not leaked anymore in the demo page.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [client-bounty-form] → [client-bounty-form] [adv-main132+] [adv-esr128.4+]
Alias: CVE-2024-10465
Group: core-security-release
See Also: → 1962874
Blocks: 2005080