Closed Bug 1100154 Opened 10 years ago Closed 9 years ago

You can pass information between named windows in Private Browsing and the main process using targeted links


(Firefox :: Private Browsing, defect)

33 Branch
Not set



Firefox 43
Tracking Status
firefox42 --- wontfix
firefox43 --- verified
firefox-esr38 --- wontfix


(Reporter: diafygi, Assigned: aidin, Mentored)



(Keywords: csectype-disclosure, sec-low, Whiteboard: [lang=c++][adv-main43-])


(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141013200257

Steps to reproduce:

1. Create a webpage with a link targeting a named window (e.g. <a href="/" target="foo">Click Here!</a>).

2. Open that webpage in both normal and private browsing modes.

3. Click on the link in one of the two modes. It should open a new tab with the target name.

4. Click on the link in the other of the two modes.

Actual results:

When clicking on the link in the other of the two modes, the named window in the first mode loads the desired page. The loaded page has access to all of that mode's resources (localStorage/cookies/etc.).

Expected results:

Window names should not be shared between normal and private browsing modes. This allows you to pass information between those two modes.
This trick works in Firefox on both Linux and OSX. It does not work in Chromium.
Ehsan/Josh, are you aware of this issue?
Component: Untriaged → Private Browsing
Flags: needinfo?(josh)
Flags: needinfo?(ehsan.akhgari)
No, but I'm not surprised. This doesn't need to be security-sensitive, however.
Flags: needinfo?(josh)
Flags: needinfo?(ehsan.akhgari)
Presumably nsDocShell::DoFindItemWithName would be the important place that needs to change in order to avoid this.
The most obvious use case for this bug that I see is for websites to try and find out who throwaway accounts are (common on Reddit, HN, etc.). This could be harmful for people who think they can just pop open a private browsing window and create a throwaway account.
Ever confirmed: true
Group: core-security
I'm willing to help anybody who would like to investigate this. Stepping through DoFindItemWithName should make it clear what's going wrong, and where we should be comparing mInPrivateBrowsing against another docshell's GetUsePrivateBrowsing value.
Mentor: josh
Whiteboard: [lang=c++]
Hi I'd like to try and help with this bug. Where do I begin looking for the fix?
(In reply to Anirudh GP(:anirudhgp) from comment #7)
> Hi I'd like to try and help with this bug. Where do I begin looking for the
> fix?

Sounds to me like you need to ask jdm.
Flags: needinfo?(josh)
FYI, I put together a demo of the exploit on github.
Attached patch 1100154.patch (obsolete) — Splinter Review
The attachment fixed the demo "Daniel Roesler" created.

Here's the output of the Try Server:

It runs all of the Mochitests, and everything seems OK. The failed ones seems un-related to my changes.
Attachment #8648329 - Flags: review?(josh)
Thanks Aidin! I'm going on vacation for a week, so you should probably ask someone else like :smaug for review.
Flags: needinfo?(josh)
Seems that :smaug, and other reviewers are also on vacation or busy! I will wait a week. There's no problem.
Attachment #8648329 - Flags: review?(josh) → review?(bzbarsky)
Comment on attachment 8648329 [details] [diff] [review]

The patch looks great.  The commit message could use some improvement.  How about:

  Bug 1100154 - Ensure that targeted links in a private browsing window can't target non-private-browsing windows and vice versa.


Attachment #8648329 - Flags: review?(bzbarsky) → review+
Attached patch 1100154.patchSplinter Review
Thanks for the review (:

I update the commit message. Nothing else changed.
Attachment #8648329 - Attachment is obsolete: true
Keywords: checkin-needed
Assignee: nobody → aidin
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 43
Flags: qe-verify+
I have reproduced this bug on Nightly 36.0a1 (2014-11-16) on ubuntu 14.04 LTS, 32 bit!

The bug's fix is now verified on Latest Beta 43.0b1!

Build ID: 20151103023037
User Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0

Thanks Khalid!
Confirming this fix under Mac OS X 10.11.1 and Windows 7 64-bit too, with 43.0b1 build 2 (Build ID: 20151103023037). Thanks for verifying, Khalid!
Flags: qe-verify+
Whiteboard: [lang=c++] → [lang=c++][adv-main43+]
Alias: CVE-2015-7206
Alias: CVE-2015-7206
Whiteboard: [lang=c++][adv-main43+] → [lang=c++][adv-main43-]
hi, do you think this change can be related to the crash in bug 1247872 which would be regressing since firefox 43?
(In reply to philipp from comment #21)
> hi, do you think this change can be related to the crash in bug 1247872
> which would be regressing since firefox 43?

I *think* so. bz, is this just the load context being null?
Flags: needinfo?(bzbarsky)
Sure looks like it.  I'll follow up in bug 1247872.
Flags: needinfo?(bzbarsky)
You need to log in before you can comment on or make changes to this bug.