You can pass information between named windows in Private Browsing and the main process using targeted links

VERIFIED FIXED in Firefox 43

Status

()

defect
VERIFIED FIXED
5 years ago
3 years ago

People

(Reporter: diafygi, Assigned: aidin, Mentored)

Tracking

({csectype-disclosure, sec-low})

33 Branch
Firefox 43
x86_64
Linux
Points:
---

Firefox Tracking Flags

(firefox42 wontfix, firefox43 verified, firefox-esr38 wontfix)

Details

(Whiteboard: [lang=c++][adv-main43-])

Attachments

(2 attachments, 1 obsolete attachment)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141013200257

Steps to reproduce:

1. Create a webpage with a link targeting a named window (e.g. <a href="/" target="foo">Click Here!</a>).

2. Open that webpage in both normal and private browsing modes.

3. Click on the link in one of the two modes. It should open a new tab with the target name.

4. Click on the link in the other of the two modes.



Actual results:

When clicking on the link in the other of the two modes, the named window in the first mode loads the desired page. The loaded page has access to all of that mode's resources (localStorage/cookies/etc.).


Expected results:

Window names should not be shared between normal and private browsing modes. This allows you to pass information between those two modes.
This trick works in Firefox on both Linux and OSX. It does not work in Chromium.
Ehsan/Josh, are you aware of this issue?
Component: Untriaged → Private Browsing
Flags: needinfo?(josh)
Flags: needinfo?(ehsan.akhgari)
No, but I'm not surprised. This doesn't need to be security-sensitive, however.
Flags: needinfo?(josh)
Flags: needinfo?(ehsan.akhgari)
Presumably nsDocShell::DoFindItemWithName would be the important place that needs to change in order to avoid this.
The most obvious use case for this bug that I see is for websites to try and find out who throwaway accounts are (common on Reddit, HN, etc.). This could be harmful for people who think they can just pop open a private browsing window and create a throwaway account.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: core-security
I'm willing to help anybody who would like to investigate this. Stepping through DoFindItemWithName should make it clear what's going wrong, and where we should be comparing mInPrivateBrowsing against another docshell's GetUsePrivateBrowsing value.
Mentor: josh
Whiteboard: [lang=c++]
Hi I'd like to try and help with this bug. Where do I begin looking for the fix?
(In reply to Anirudh GP(:anirudhgp) from comment #7)
> Hi I'd like to try and help with this bug. Where do I begin looking for the
> fix?

Sounds to me like you need to ask jdm.
Flags: needinfo?(josh)
FYI, I put together a demo of the exploit on github.

https://diafygi.github.io/detect-throwaways/index.html
Posted patch 1100154.patch (obsolete) — Splinter Review
The attachment fixed the demo "Daniel Roesler" created.

Here's the output of the Try Server:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=74e850bb0c3e

It runs all of the Mochitests, and everything seems OK. The failed ones seems un-related to my changes.
Attachment #8648329 - Flags: review?(josh)
Thanks Aidin! I'm going on vacation for a week, so you should probably ask someone else like :smaug for review.
Flags: needinfo?(josh)
Seems that :smaug, and other reviewers are also on vacation or busy! I will wait a week. There's no problem.
Attachment #8648329 - Flags: review?(josh) → review?(bzbarsky)
Comment on attachment 8648329 [details] [diff] [review]
1100154.patch

The patch looks great.  The commit message could use some improvement.  How about:

  Bug 1100154 - Ensure that targeted links in a private browsing window can't target non-private-browsing windows and vice versa.

?

r=me.
Attachment #8648329 - Flags: review?(bzbarsky) → review+
Posted patch 1100154.patchSplinter Review
Thanks for the review (:

I update the commit message. Nothing else changed.
Attachment #8648329 - Attachment is obsolete: true
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/0ddcebe7cc4f
Assignee: nobody → aidin
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 43
Duplicate of this bug: 1215904
Flags: qe-verify+
I have reproduced this bug on Nightly 36.0a1 (2014-11-16) on ubuntu 14.04 LTS, 32 bit!

The bug's fix is now verified on Latest Beta 43.0b1!

Build ID: 20151103023037
User Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0

[bugday-20151104]
Thanks Khalid!
Status: RESOLVED → VERIFIED
Confirming this fix under Mac OS X 10.11.1 and Windows 7 64-bit too, with 43.0b1 build 2 (Build ID: 20151103023037). Thanks for verifying, Khalid!
Flags: qe-verify+
Whiteboard: [lang=c++] → [lang=c++][adv-main43+]
Alias: CVE-2015-7206
Alias: CVE-2015-7206
Whiteboard: [lang=c++][adv-main43+] → [lang=c++][adv-main43-]
hi, do you think this change can be related to the crash in bug 1247872 which would be regressing since firefox 43?
(In reply to philipp from comment #21)
> hi, do you think this change can be related to the crash in bug 1247872
> which would be regressing since firefox 43?

I *think* so. bz, is this just the load context being null?
Flags: needinfo?(bzbarsky)
Sure looks like it.  I'll follow up in bug 1247872.
Flags: needinfo?(bzbarsky)
Duplicate of this bug: 1155962
You need to log in before you can comment on or make changes to this bug.