(CVE-2024-36472) Portal helper should require user input before loading remote content
As pointed out in #7666 (closed), the portal helper currently loads untrusted web content without user input. An active network attacker can force the portal helper to launch. This is intentional, but risky:
- The attacker can do anything that websites are allowed to do using HTML/JavaScript. E.g. #7666 (closed) demonstrates a reverse JS shell. Now you can mine bitcoin on the user's computer until the portal helper is closed, or participate in a DDoS attack as a botnet node, etc. This possibility seems obvious to me -- it's a necessary consequence of intentionally loading web content from a connection that's known to be intercepted -- but in #7666 (closed) it was considered so surprising that a CVE was requested.
- It allows zero-click exploitation of WebKit zero-day vulnerabilities. You would need to exploit at least two separate vulnerabilities to be able to harm the host system (first a memory safety vulnerability to achieve web process code execution, and then a web process sandbox escape), so it should be hard, but it's scary that an attacker can do this without having to trick the user into clicking on anything first.
- What I had not considered before yesterday is that this can be done without the user even noticing if the computer is left unattended or locked. At least, I assume it can happen when locked, because #7666 (closed) alludes to this, but it hasn't yet been demonstrated. I speculate that it might also happen on another seat in a multiseat scenario, or when a fullscreen video is playing.
The solution should be to just ask the user to confirm before loading web content. That could be done by gnome-shell prompting the user before opening the portal helper, or it could be done by the portal helper prompting the user. I don't normally like "Do you want to allow...?" style security prompts because users inevitably will click yes, but that's actually fine in this case, as we want users to almost always click yes, and only click no when they've noticed the portal helper is actually being abused by an attacker.