CVE CyberSecurity Database News

CVE-2022-26382 - How Firefox’s Autofill Tooltips Could Reveal Your Data via Font Attacks

Poster -

Modern browsers are packed with features to help users, but sometimes these tools can accidentally expose our sensitive information. That's what happened with a serious issue in Mozilla Firefox, tracked as CVE-2022-26382. If you used Firefox before version 98, this is an important read. Let’s break down what happened, how the exploit worked, and how you can stay safe.

What Was the Problem?

When you use autofill in your browser, it sometimes pops up a tooltip suggesting addresses, emails, credit cards, and other info. While this tooltip was not directly readable via JavaScript (so web pages couldn’t just ask “what’s in the tooltip?”), there was a sneaky way to figure it out: side-channel attacks using fonts.

That means the way Firefox drew the autofill suggestions (using the fonts on the page) could let an attacker infer the content! In essence, the browser let web pages choose the font for the tooltip, and sophisticated attackers could make a font that behaved differently for different letters or numbers.

Why Is This Bad?

Your autofill data is often private: emails, addresses, maybe even passwords saved by mistake. Attackers could write a web page that, even without access to the autofill content, *could guess what’s in the tooltip* by using a malicious font. If you visit a bad website, it might craft a font specifically to “spy” on anything Firefox autofilled in the tooltip.

Here’s a simple breakdown

- The website defines a custom font using CSS and maybe the @font-face CSS rule.

The autofill tooltip, unknowingly, uses this font.

- The bad font is built to make rendering each character take a different amount of time, or makes the browser draw the text differently for certain characters.
- Through clever measurements (sometimes called a side-channel attack), the website’s JavaScript can detect these differences — and thus figure out the characters one by one, leaking your autofill data!

Let’s look at what such an attack could involve.

Example: Measuring Font Rendering Time

A malicious font could make character "A" take much longer to render than "B", etc. An attacker might do something like:

async function guessAutofillLetter() {
  // Pretend input triggers the autofill tooltip
  document.querySelector("#myinput").focus();
  
  // Wait for tooltip (timings are tricky in real life)
  await new Promise(r => setTimeout(r, 200));

  // Here the attacker uses performance.now, canvas, or forced reflows to try measuring
  let before = performance.now();

  // Force the browser to render (simplified; real exploit would be cleverer)
  document.body.offsetHeight;

  let after = performance.now();
  let duration = after - before;

  // Now, based on the custom font's design, timing tells what may be in tooltip
  // "duration" might mean the first letter is "A", etc.
  return duration;
}

The real attacks can be more subtle, including canvas fingerprinting, pixel-based delays, or more.

Stealing Info via CSS

An @font-face rule could load a custom font that acts as a trojan horse:

@font-face {
  font-family: 'SecretStealer';
  src: url('https://attacker.com/stealerfont.woff2';);
}

input, .autofill-tooltip {
  font-family: 'SecretStealer', monospace;
}

If Firefox autofill tooltips inherited .autofill-tooltip styling (or similar), the font tricks could start leaking data.

References and More Reading

- Mozilla security advisory 2022-15 (CVE-2022-26382)
- HackerOne bug report (Private/Redacted)
- Side-channel attack: Wikipedia
- Firefox Release Notes for 98

Making sure autofill tooltips no longer use page-provided fonts.

- Forcing a standard, secret system font for these tooltips, so no matter how sneaky a webpage gets, it can’t see the differences or delay rendering.

Always update your browser! The only real fix is upgrading to Firefox 98 or later.

- If you run a website, avoid letting user data appear outside controlled content — don’t leak things into tooltips or overlays styled by attacker-controlled CSS.

Conclusion

Sometimes, features added for convenience can open doors to subtle attacks. CVE-2022-26382 is a classic reminder: Browsers are complex and always evolving — keep them updated! While the exploit might sound advanced, the risk is real, and patches like this keep millions safer online.

If you’re reading this and haven’t updated Firefox in a while, now’s a great time!

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 15:01:00 UTC