Closed Bug 1928779 (CVE-2024-11703) Opened 10 months ago Closed 9 months ago

Password manager device lock PIN bypass in Firefox 132.0 for Android

Categories

(Firefox for Android :: Logins, defect, P1)

Tracking

RESOLVED FIXED
134 Branch
Tracking Status
firefox132 + wontfix
firefox133 + fixed
firefox134 + verified

People

(Reporter: yu270, Assigned: avirvara)

References

(Regression)

Details

(Keywords: regression, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main133+])

Attachments

(2 files, 1 obsolete file)

Firefox 132.0 on Android 15 allows a user to bypass the device lock PIN pop-up screen
and see all user passwords without entering the PIN.
The problem was found on a Pixel 8 with screen lock PIN in use and the "three button"
setting on the Android toolbar ("Back", "Home" and "Overview" buttons).
The "About Firefox" tab shows 132.0 (Build #2016051567).

Steps to reproduce:

  1. Open Firefox 132.0 on Android 15.
  2. On an empty tab, click the three-dot menu in the upper right corner.
  3. Select "Passwords".
  4. The screen that reads
     "Unlock your device
     Unlock to view your saved passwords"
     appears with an entry box, cursor and numerical keyboard.
  5. Click the lower right "Overview" button (small square in shape).

Expected behavior: All running applications may be scrolled through, with the Firefox windows showing the "Unlock your device..." screen.
No passwords or websites are visible in Firefox.

Actual behavior: The "Unlock your device..." screen closes.
The Firefox window shows the "Saved passwords" page.
When clicking on Firefox to bring it to the foreground,
the Saved Passwords page is visible and individual sites may be selected,
revealing usernames and passwords.

The problem occurs in regular browsing or Incognito Mode.

Flags: sec-bounty?

The final sentence of the initial report should be "The problem occurs in regular browsing or private browsing mode."

On the same Android test device and software version,
the "Pattern" and "Password" screen lock settings can also be bypassed if enabled instead of "PIN."
The actual behavior is similar.

Follow steps 1, 2 and 3 in the initial report.

At step 4, the proper unlock screen appears for "Pattern" or "Password", like it does for "PIN."

Again in step 5, click the lower right "Overview" button.
The unlock screen disappears and the Saved Passwords page can be accessed without the unlock
pattern or password.

Group: firefox-core-security → mobile-core-security
Component: Security → Logins
Product: Firefox → Fenix
See Also: → 1928858

[Tracking Requested - why for this release]: seems like a bad security problem (possibly a regression?) that we appear to have at least two reports of (see bug 1928858) so it isn't a totally obscure thing.

[Tracking Requested - why for this release]: see comment 3

Alexandra, could somebody please investigate this? Thanks.

Flags: needinfo?(avirvara)

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true

The bug is marked as tracked for firefox132 (release), tracked for firefox133 (beta) and tracked for firefox134 (nightly). However, the bug still isn't assigned.

:avirvara, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(avirvara)
Assignee: nobody → avirvara
Severity: -- → S2
Flags: needinfo?(avirvara)
Priority: -- → P3

I can't reproduce this problem on Android 14. When I do the switch app thing (either via a gesture or via the square button, depending on how the navigation), the "Saved passwords" page does dismiss the fingerprint/PIN UI, but the page is completely black aside from the "Saved passwords" at the top, so the passwords are not visible.

Bug 1929017 has a video. In there, they switched away from the app by swiping up at the bottom of the screen to minimize the app. They said that it doesn't happen every time. I tried that method of switching away from the app, and I was able to reproduce on the first attempt on Android 14.

I found similar Firefox 132 behavior on Android 14 on a Pixel 5 (which reached end of Google support). Instead of swiping up like Andrew referred to in Bug 1929017, try the following:

Follow steps 1 through 4 in the original report for 1928779.
For step 5, click the Back button in the screen's lower left (small triangle) twice in rapid succession. This closes the lock screen UI unexpectedly and the Saved Passwords screen is visible.

The two clicks must be rapid, one after the other. And this is not a 100% reliable method to bypass the lock screen, in contrast to the original report about Android 15.

Keywords: sec-high

This feels pretty risky to take into a dot release in the next few days with minimal bake time. 133 seems like a better target.

Adding a reminder that we are near the end of the beta cycle for Fx133. The last beta builds on Friday 2024-11-15. If this can make the last beta build it would need to be reviewed, get sec approval, landed, and get an uplift request by eod Thursday 2024-11-14.

If this doesn't make Fx133 beta/RC then we could take it in an Fx133 dot release but it might need some bake time and coordination with sec approval.

(:boek this is assigned to Alexandra but the patch is yours)

Flags: needinfo?(jboek)

Thanks for the heads up :dmeehan. Coordinating with Alexandra right now on the correct fix.

Flags: needinfo?(jboek)
Attachment #9436017 - Attachment is obsolete: true
Attachment #9437169 - Attachment description: WIP: Bug 1928779: do not allow users to bypass the device lock SKIP_BMO_CHECK → Bug 1928779: do not allow users to bypass the device lock

We have a total of nine duplicate bug reports of this one. I think we should reconsider the priority settings to better reflect reality (I am aware that this has patches already reviewed).

Status: NEW → ASSIGNED
Attachment #9437169 - Attachment description: Bug 1928779: do not allow users to bypass the device lock → Bug 1928779: adapt screen content when device lock is bypassed SKIP_BMO_CHECK
Duplicate of this bug: 1928858
See Also: 1928858
Priority: P3 → P1

Comment on attachment 9437169 [details]
Bug 1928779: adapt screen content when device lock is bypassed SKIP_BMO_CHECK

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: not so easy
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: nightly, beta - the status release flags reflect the state correctly
  • If not all supported branches, which bug introduced the flaw?: Bug 1904652
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: The patch only adds some restrictions when displaying some private lists. It has been tested by devs so far.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9437169 - Flags: sec-approval?

Comment on attachment 9437169 [details]
Bug 1928779: adapt screen content when device lock is bypassed SKIP_BMO_CHECK

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: the issue has been reported many times in a short time
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
    1. Press 3-dot menu
    2. Press Passwords and observe the biometric authenticator dialog
    3. Send Fenix in background
    4. Bring Fenix back in foreground

Expected Results: the biometric authenticator dialog should be shown
Actual Results: the biometric authenticator dialog has disappeared and one can see the saved passwords list without authentication.

  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch doesn't change the main behaviour in what biometric authentication is concerned, it only adds some restrictions when displaying some private info when users put the app in the background or when they try to bypass authentication.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9437169 - Flags: approval-mozilla-beta?
Flags: qe-verify+

I am widening security bug access for this one to "release security", given that we had some folks discuss this in various channels. There is little value in keeping this secret and I believe collaboration is easier without this as an unnecessary hurdle.

Group: mobile-core-security → core-security-release

Comment on attachment 9437169 [details]
Bug 1928779: adapt screen content when device lock is bypassed SKIP_BMO_CHECK

sec=approval+, a=dveditz

It's pretty obvious what's wrong from the patch, but with as many duplicates as we got in a week it was apparently obvious enough without the patch. No concerns about landing.

Attachment #9437169 - Flags: sec-approval? → sec-approval+
Pushed by avirvara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7ea2889f55c4 adapt screen content when device lock is bypassed SKIP_BMO_CHECK r=boek,android-reviewers
Regressions: 1931423
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

Verified as fixed on Nightly 134.0a1 from 11/15 with Google Pixel 8 Pro (Android 14), Samsung Galaxy S22 Ultra (Android 14), Samsung Galaxy Z Fold 4 (Android 14) and Xiaomi Redmi Note 8T (Android 11). Although the lock screen can still be dismissed by tapping the back button or with gestures, the Password screen no longer shows the saved passwords.

Flags: qe-verify+
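
The verified behaviour above (the prompt can still be dismissed, but the list stays hidden) is a fail-closed gate. The following is an added example, not Fenix code and not the landed patch: a plain-Kotlin model with hypothetical names (`GateEvent`, `naiveShowsList`, `AuthGate`, `gatedShowsList`) that contrasts gating the list on prompt visibility with gating it on an explicit authentication success, using constructed event sequences.

```kotlin
// Added illustration: a plain-Kotlin model, not Fenix source and not the landed patch.
// All names here (GateEvent, naiveShowsList, AuthGate, gatedShowsList) are hypothetical.
enum class GateEvent { PROMPT_SHOWN, AUTH_SUCCEEDED, PROMPT_DISMISSED, APP_BACKGROUNDED, APP_FOREGROUNDED }

// Fail-open pattern: the list is drawn whenever no prompt is covering it,
// so any path that removes the prompt (Overview, Back, a gesture) reveals it.
fun naiveShowsList(events: List<GateEvent>): Boolean {
    var promptVisible = false
    for (e in events) {
        when (e) {
            GateEvent.PROMPT_SHOWN -> promptVisible = true
            GateEvent.AUTH_SUCCEEDED, GateEvent.PROMPT_DISMISSED,
            GateEvent.APP_BACKGROUNDED -> promptVisible = false
            GateEvent.APP_FOREGROUNDED -> Unit
        }
    }
    return !promptVisible
}

// Fail-closed pattern: only an explicit success result unlocks the list,
// and leaving the foreground locks it again.
class AuthGate {
    var unlocked = false
        private set
    fun onEvent(e: GateEvent) {
        when (e) {
            GateEvent.AUTH_SUCCEEDED -> unlocked = true
            GateEvent.APP_BACKGROUNDED -> unlocked = false
            // Showing, dismissing or returning never grants access by itself.
            GateEvent.PROMPT_SHOWN, GateEvent.PROMPT_DISMISSED,
            GateEvent.APP_FOREGROUNDED -> Unit
        }
    }
}

fun gatedShowsList(events: List<GateEvent>): Boolean =
    AuthGate().also { gate -> events.forEach(gate::onEvent) }.unlocked

fun main() {
    // Constructed sequence mirroring the report: prompt shown, app sent to
    // the background with Overview, then brought back without authenticating.
    val bypass = listOf(GateEvent.PROMPT_SHOWN, GateEvent.APP_BACKGROUNDED, GateEvent.APP_FOREGROUNDED)
    val normal = listOf(GateEvent.PROMPT_SHOWN, GateEvent.AUTH_SUCCEEDED)
    check(naiveShowsList(bypass))   // list exposed without credentials
    check(!gatedShowsList(bypass))  // list stays hidden
    check(gatedShowsList(normal))   // successful unlock still works
    check(!gatedShowsList(normal + GateEvent.APP_BACKGROUNDED)) // re-locks on background
}
```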

Comment on attachment 9437169 [details]
Bug 1928779: adapt screen content when device lock is bypassed SKIP_BMO_CHECK

Approved for 133.0 rc1

Attachment #9437169 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Following up to comment 31, Firefox Nightly version 134.0a1 is verified as fixed on the original test device (Pixel 8 running Android 15).
When sending Firefox to the background with the Overview button or with a gesture, the Saved Passwords screen no longer shows saved
usernames and passwords.

Whiteboard: [client-bounty-form] → [client-bounty-form][adv-main133+]
Attached file advisory.txt

We've received so many duplicates of this issue I'm not sure how to assign credit. I simply put it as "Multiple Reporters". If we wanted to name names, we would need to decide if we wanted to do first report (not in line with our duplicate reporting policy), overlap window (confusing to those not in the window), or list every person (difficult to coordinate and obtain names of all reporters.)

I initially assigned the severity "sec-high" based on user emotion, but our guidelines limit the severity because this requires physical access to the victim's unlocked phone.

Keywords: sec-high → sec-moderate
Flags: sec-bounty? → sec-bounty+
Regressions: 1932575
Alias: CVE-2024-11703
See Also: → 1938320
Duplicate of this bug: 1938320
Group: core-security-release