key event for "Enter / Return" can be captured by content event listeners when focus is in the menubar

RESOLVED WONTFIX

8 years ago
6 years ago

People

(Reporter: temp82, Unassigned)

Tracking

({sec-low})

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

If there is an event listener on a website with a specified action for keyCode == 13 (Enter/Return key), it will be executed even if the user is in the urlbar, searchbar, menubar, sidebar etc. and presses the Enter/Return key there to open something.
This action might be, for example, a simple redirection: document.location.href = 'http://evil-site.tld'; - and it will be executed if the user tries to open a bookmark using the keyboard or types something in the address bar and hits Enter (even if he selects an address suggested by the "AwesomeBar"). Also, using the Enter key somewhere in the menubar will lead to execution of the listener's code.
It can be used for phishing or to make users visit other malicious websites.


Reproducible: Always

Steps to Reproduce:
1. Open a website with a key listener and an action for keyCode == 13 - like my PoC: http://e-mirek.pl/hijack_enter
2. Hit Enter somewhere in the address bar, searchbar, sidebar or menubar.

Actual Results:
Instead of opening the typed/suggested URL in the address bar, searching for the phrase in the searchbar, opening the selected bookmark or even just doing something chosen in the menu, the event listener's code is executed.

Expected Results:
Should just respectively open the typed/suggested URL, search for the phrase, open the selected bookmark or run the menu command.

I'm not aware of any exploits using this bug. Opera, Chrome, IE don't seem to be affected. Only SeaMonkey is partially vulnerable (Enter for some menu items).
Created attachment 478716 [details]
simple key capture

Confirming. It's only the return key, and the reason seems to be that when you hit return in the urlbar or search box we switch focus to the document right then, before the navigation, so the keyup happens in the old document.

No other keys are "read" out of the location bar, and the keydown for the return key isn't either. Similar spoofing potential to navigating from onbeforeunload.
I don't think the risk to users is bad enough to warrant hiding this away from people who could fix it.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:low spoof]
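A site with a legitimate Enter shortcut can avoid acting on the stray keyup described in the comments above by requiring that the matching keydown also reached the page. This is an added example, not code from this bug or from Firefox; `guardEnter`, `keyEvent` and `demo` are hypothetical names, and in a browser the target would be `window`.

```javascript
// Added example: act on Enter only when the keydown for that press was
// also delivered to the page, so a keyup that began in browser UI is ignored.
const ENTER = 13;

function guardEnter(target, onEnter) {
  let enterDownSeen = false;   // true between a content keydown and its keyup
  const orphanKeyups = [];     // Enter keyups that had no preceding keydown

  target.addEventListener('keydown', (e) => {
    if (e.keyCode === ENTER) enterDownSeen = true;
  });
  target.addEventListener('keyup', (e) => {
    if (e.keyCode !== ENTER) return;
    if (enterDownSeen) {
      enterDownSeen = false;
      onEnter(e);
    } else {
      orphanKeyups.push(e);    // press started outside the page: do nothing
    }
  });
  // Losing focus mid-press must not leave a stale keydown armed.
  target.addEventListener('blur', () => { enterDownSeen = false; });
  return orphanKeyups;
}

// Constructed stand-in for a DOM KeyboardEvent so the sketch runs in Node.
function keyEvent(type, keyCode) {
  return Object.assign(new Event(type), { keyCode });
}

// Constructed sequence: one press typed in the page, then the lone keyup
// that arrives after Enter was pressed in the location bar or a menu.
function demo() {
  const doc = new EventTarget();
  let fired = 0;
  const orphans = guardEnter(doc, () => { fired += 1; });
  doc.dispatchEvent(keyEvent('keydown', ENTER));
  doc.dispatchEvent(keyEvent('keyup', ENTER));   // handled
  doc.dispatchEvent(keyEvent('keyup', ENTER));   // orphan: ignored
  return { fired, orphans: orphans.length };
}
```

The guard relies on the behaviour stated in the comment above: only the keyup, never the keydown, reaches the old document.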
(Reporter)

Comment 3

8 years ago
Just to update - it seems that the problem is almost resolved in Firefox 3.6.17 (or even earlier) and in Firefox 4 since the beginning or at least early beta versions.
The Enter key pressed in the location bar, search bar and sidebar is no longer "hijacked". Only pressing the Enter key somewhere in the menu (not with all items, however with most of them) triggers the action assigned to the website's event listener.
This is very similar, if not a dupe of, bug 392555 although Comment 3 mentions the case of menu items which was not mentioned there.
It sounds like the original reported issue (URL bar) is WORKSFORME. I don't think we're going to address this specifically for menus, assuming it still applies there. It's not likely to occur commonly in practice, and it's not severe when it does, so I'm going to call this WONTFIX.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WONTFIX
Summary: Key event for "Enter / Return" captured by website's eventListeners also when focus is on urlbar, searchbar, menubar, sidebar etc. Can be used to redirect user to evil-site → key event for "Enter / Return" can be captured by content event listeners when focus is in the menubar
Whiteboard: [sg:low spoof]