Firefox fixes fullscreen notification bypass bug that could have led to convincing phishing campaigns
12 January 2022 at 14:11 UTC
Updated: 12 January 2022 at 14:16 UTC
Flurry of issues patched in web browser’s latest advisory
Mozilla has patched a security issue in Firefox that could have allowed an attacker to spoof legitimate websites via a stealthily executed ‘full screen’ mode.
The vulnerability (CVE-2022-22746), which was present in Windows versions of Firefox, is a race condition bug that could result in the browser’s fullscreen notification warning being bypassed.
This could enable an attacker to trick a user into clicking links or entering sensitive details on a fake website, among other malicious activities.
In controlling a fullscreen browser window without a user’s knowledge, the attacker can spoof the URL address bar of a genuine site – something which is usually controlled by the browser, along with other ‘above the line’ trust indicators.
The attacker could go further to not only serve what appears to be the proper domain, but also the SSL padlock icon used to reassure web users that the site is HTTPS protected.
A blog post by researcher Feross Aboukhadijeh demonstrates how full screen attacks work with a similar, albeit much older proof-of-concept exploit.
The vulnerability, marked as high severity, was discovered by researcher Irvan Kurniawan and fixed in Firefox 96 for Windows, as part of the browser’s first security release of 2022.
A security advisory from Mozilla yesterday (January 11) lists a number of other security bugs that have now been patched in Firefox.
In addition to two further variations of Kurniawan’s attack, the release includes a fix for CVE-2021-4140, an iframe sandbox bypass with XSLT, among other bugs.