Firefox fixes fullscreen notification bypass bug that could have led to convincing phishing campaigns

Jessica Haworth 12 January 2022 at 14:11 UTC
Updated: 12 January 2022 at 14:16 UTC

Flurry of issues patched in web browser’s latest advisory

Mozilla has patched a security issue in Firefox that could have allowed an attacker to spoof legitimate websites via a stealthily executed ‘full screen’ mode.

The vulnerability (CVE-2022-22746), which was present in Windows versions of Firefox, is a race condition bug that could result in the browser’s fullscreen notification warning being bypassed.

This could enable an attacker to trick a user into clicking links or entering sensitive details on a fake website, among other malicious activities.


By controlling a fullscreen browser window without the user’s knowledge, the attacker can spoof the address bar of a genuine site – something which is usually controlled by the browser, along with other ‘above the line’ trust indicators.

The attacker could go further and display not only what appears to be the proper domain, but also the SSL padlock icon used to reassure web users that the site is HTTPS protected.

A blog post by researcher Feross Aboukhadijeh demonstrates how full screen attacks work with a similar, albeit much older proof-of-concept exploit.

The vulnerability, marked as high severity, was discovered by researcher Irvan Kurniawan and fixed in Firefox 96 for Windows, as part of the browser’s first security release of 2022.

A security advisory from Mozilla yesterday (January 11) lists a number of other security bugs that have now been patched in Firefox.

In addition to two further variations of Kurniawan’s attack, the release includes a fix for CVE-2021-4140, an iframe sandbox bypass with XSLT, among other bugs.
