CVE-2018-5142 in Firefox
Summary
by MITRE
If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59.
Analysis
by VulDB Data Team • 02/05/2021
CVE-2018-5142 is a user-interface flaw in the permission prompt of the Media Capture and Streams API (getUserMedia) in Firefox before version 59. That prompt is the control that tells the user which site wants access to the camera or microphone before access is granted. When the requesting document is served from a data: or blob: URL, the prompt does not show the origin the request actually comes from; it labels the requester "Unknown protocol". The user is therefore asked to grant a sensitive capability without being told who is asking.
The root cause lies in how the prompt derives its "requesting site" label. For ordinary http: and https: documents the label is the host of the document URL. A data: URL embeds its content inline and has no host at all; a blob: URL references an object held in browser memory, and the origin of the page that created it is embedded inside the URL rather than expressed as a plain host. The label logic could not map either scheme to a hostname and fell back to the generic string "Unknown protocol", even though the browser does know the security origin of such a document (the creator of the blob, or the document that loaded the data: URL). The flaw is filed under CWE-200 (exposure of sensitive information), which is a loose fit, since nothing is leaked to an attacker. The practical defect is the inverse: security-relevant information, the identity of the requesting origin, is withheld from the user at the moment a decision is required. It is not an input validation bug; it is a failure to present the security origin the browser already tracks.
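The labelling defect described above can be modelled in a few lines. The following is an added example written for this page, not Firefox code: flawedPromptLabel(), hardenedPromptLabel() and promptDecision() are hypothetical functions, and the inheritedOrigin parameter stands in for whatever origin the browser recorded for a data: document when it was loaded (the page does not describe Firefox's internal mechanism). The sample URLs are constructed. It runs under Node.js, whose WHATWG URL parser resolves the origin of a blob: URL from the URL it embeds and reports "null" for data: URLs.

```javascript
// Added illustration of the labelling defect behind CVE-2018-5142.
// Not Firefox code: the functions below and the inheritedOrigin parameter
// are hypothetical models of a permission prompt's "who is asking" label.

// Flawed model: the label is derived from the scheme of the document URL,
// so anything that is not http(s) degrades to a generic string.
function flawedPromptLabel(documentUrl) {
  const url = new URL(documentUrl);
  if (url.protocol === "http:" || url.protocol === "https:") {
    return url.host;
  }
  // data: and blob: documents have no host in their URL.
  return "Unknown protocol";
}

// Hardened model: resolve the document's security origin, not its scheme.
// - blob: URLs embed the creator origin, and WHATWG URL parsing exposes it
//   through .origin ("blob:https://a.example/uuid" -> "https://a.example").
// - data: URLs are opaque (.origin === "null"), so the embedder must supply
//   the origin the document inherited when it was loaded.
// - If no attributable origin exists, return null so the caller can deny
//   instead of showing a label the user cannot act on.
function hardenedPromptLabel(documentUrl, inheritedOrigin = null) {
  const url = new URL(documentUrl);
  if (url.origin !== "null") {
    return new URL(url.origin).host;
  }
  if (inheritedOrigin !== null) {
    const inherited = new URL(inheritedOrigin);
    if (inherited.origin !== "null") {
      return inherited.host;
    }
  }
  return null;
}

// Decision wrapper: a prompt that cannot name a requester is not shown;
// the request is refused rather than left to the user's guess.
function promptDecision(documentUrl, inheritedOrigin = null) {
  const label = hardenedPromptLabel(documentUrl, inheritedOrigin);
  return label === null
    ? { action: "deny", reason: "no attributable origin" }
    : { action: "prompt", label };
}

// Constructed sample requests (URLs and origins are made up for this example).
const samples = [
  ["https://meet.example.com/room/42", null],
  ["blob:https://meet.example.com/7f3a9c2e-0000-4000-8000-000000000001", null],
  ["data:text/html,<button>Join</button>", "https://attacker.example"],
  ["data:text/html,<button>Join</button>", null],
];

for (const [documentUrl, inheritedOrigin] of samples) {
  console.log(
    documentUrl.slice(0, 40).padEnd(42),
    "flawed:", flawedPromptLabel(documentUrl),
    "| hardened:", JSON.stringify(promptDecision(documentUrl, inheritedOrigin))
  );
}
```

The point of the hardened branch is that the blob: case needs no extra information at all; the creator origin is already in the URL. Only the data: case depends on state the browser has to carry from load time, and when that state is missing the safe answer is to deny rather than to prompt with a label that conveys nothing.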
The operational impact goes beyond confusion. The origin shown in a permission prompt is the one piece of evidence a user has for deciding whether to grant camera or microphone access. A page can open a document from a data: or blob: URL and call getUserMedia from there; the resulting prompt shows "Unknown protocol" instead of the site responsible. A user who is in the middle of a session with a legitimate video-conferencing site, and therefore expects a media prompt, has no way to tell that this prompt was triggered by somebody else and may accept it. Note what the bug does not do: it does not let an attacker display a trusted site's name in the prompt. It removes the attribution altogether, which is enough to defeat the check the prompt exists to support. Browser permission prompts rest on least privilege and informed consent, and this flaw undermines the second.
The general pattern, security UI that labels a principal from its URL scheme rather than from the security origin the browser already tracks, is not specific to one vendor, but this entry documents only the Firefox instance. Firefox 59 shipped in March 2018; every earlier build displays the misleading prompt. Affected users and organizations should update to Firefox 59 or later. Beyond patching, users should be told that a camera or microphone prompt that does not name a recognizable site should be declined, and developers of sites that use getUserMedia should issue the request from a document on their own https: origin so that the prompt names them. In threat-modelling terms this is a UI deception primitive that supports social engineering; it grants nothing by itself, and the entry does not support a mapping to a more specific ATT&CK technique or OWASP category.