Closed Bug 888842 Opened 11 years ago Closed 11 years ago

Execute a XPI cover by Form History (spoofing/clickjacking)

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Version:
22 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 884488

People

(Reporter: jordi.chancel, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [reporter-external])

Attachments

(2 files)

firefoxformhistoryspoofXPI.zip
48.45 KB, application/octet-stream
Details
ScreenShot 1
52.81 KB, image/png
Details 
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130618035212

Steps to reproduce:

-Go to 1B.htm (in the ZIP) (1B.htm until 7B.htm will create 7 form history)
-After going to 1B.htm(after 2B.htm 3B.htm 4B.htm 5B.htm 6B.htm 7B.htm) you are in firefoxspoof4.htm.
-Click to the extremity right of the input text.
(if you don't enderstand look this youtube video => http://www.youtube.com/watch?v=gcI7W29dhyo )



Actual results:

-XPI Addon is cover by all form history of the input text
Flags: sec-bounty?
Attached image ScreenShot 1 

    
    

    
  
I can confirm that the search history dropdown appears above the XPI install dialog. On my system, it's not aligned as well as in your example, but the problem is clear. Thanks for filing it.

This is less troubling than the other similar issues, because this only allows arbitrary text (with a white background) above the UI, rather than a bitmap. It's not as believable as the bitmap UI spoof.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [reporter-external]

    
    

    
  
The changes I'm proposing to fix bug 884488 will end up fixing this one (if they're adopted) so I'm going to make this "depend on" that one. Could end up being a duplicate, effectively.  If we attack the other bug strictly in the <select> code then this could be a separate bug so I'm not yet ready to call this a strict duplicate.
Depends on: 884488
Keywords: csec-spoof

    
  
Whiteboard: [reporter-external] → [sg:critical][reporter-external]
Whiteboard: [sg:critical][reporter-external] → [reporter-external]

    
    

    
  
Bug Bounty Triage: We're making bug 884488 the master bug for XPI clickjacking issues that you're reporting. They are all variants of the same basic problem.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-

    
  
Keywords: sec-moderate

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: