Clickjacking, the art of tricking users into clicking on links or buttons that no sane person would ever click on. But how much damage can you do by stealing a few clicks? We are in 2015, we might think that this kind of vulnerabilities would have been solved by now. But that’s not the case.
Recently Mozilla launched Firefox Hello, their free service for video and voice conversations online. After a few tests, I noticed that hello.firefox.com website does not prevent framing.
I also noticed that to invite a friend to a conversation, one must send him a link like https://hello.firefox.com/conversationToken . The friend will have to:
1. access the link;
2. click on the “Join the conversation” button;
3. allow hello.firefox.com to use the camera and microphone.
Chances are that a person who uses hello.firefox.com a lot will allow the website to use his microphone and camera anytime, so he won’t have to go through step 3 every time. The problem is that https://hello.firefox.com/conversationToken can be loaded into an iframe and the second step can be bypassed by clickjacking. In these conditions, an attacker could gain access to a victim’s camera and microphone by using only the trust that the victim has in hello.firefox.com (the trust to give this website access to its camera and microphone anytime).
Step-by-step attack scenario
1. Brandon is the attacker, an evil person. Andreea is the target, a person that uses hello.firefox.com to chat with her friends and is naive enough to trust the website by allowing it to access the camera and microphone anytime;
2. Brandon creates a conversation on hello.firefox.com and obtains a link to invite his “friends” to chat: https://hello.firefox.com/HxfymOMuLX4 ;
3. Brandon integrates the link into a clickjacking attack. He is not a very skilled programmer, but he manages to obtain a working example that he uploads to his website ;
4. Using facebook or whatever, Brandon sends the above link to George because “he wants to show him a cute kitten”;
5. Andreea visits the target website because she loves kittens. While wishing very much that she’d be able to pet that wonder, she makes one simple click anywhere on the page (left-click, nothing special);
6. Because the “Join the conversation” button from https://hello.firefox.com/HxfymOMuLX4 was positioned under the mouse and Andreea allowed hello.firefox.com to use her camera and microphone anytime, now Brandon has access to his target’s microphone and camera. Good job Brandon!
7. Andreea might notice that her camera and microphone are used, but it is still too late: probably a picture with her leaked to who-knows-who. And she was wearing her favorite pokemon t-shirt. Oh God. If she hasn’t noticed that she is recorded… I don’t want to think about this!
I’ve reported this vulnerability to Mozilla and they acted great about it. In about 24 hours they acknowledged the problem, came out with a fix, tested it and pushed it into production. From my experience with bug reports, I can say that solving a newly reported bug in this time frame is the absolute record. Way to go guys!
Oh, and they were kind enough to acknowledge the bug with a rather huge bounty. Thank you!