Closed Bug 1100154 Opened 6 years ago Closed 5 years ago
You can pass information between named windows in Private Browsing and the main process using targeted links
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0 Build ID: 20141013200257 Steps to reproduce: 1. Create a webpage with a link targeting a named window (e.g. <a href="/" target="foo">Click Here!</a>). 2. Open that webpage in both normal and private browsing modes. 3. Click on the link in one of the two modes. It should open a new tab with the target name. 4. Click on the link in the other of the two modes. Actual results: When clicking on the link in the other of the two modes, the named window in the first mode loads the desired page. The loaded page has access to all of that mode's resources (localStorage/cookies/etc.). Expected results: Window names should not be shared between normal and private browsing modes. This allows you to pass information between those two modes.
This trick works in Firefox on both Linux and OSX. It does not work in Chromium.
Ehsan/Josh, are you aware of this issue?
Component: Untriaged → Private Browsing
No, but I'm not surprised. This doesn't need to be security-sensitive, however.
Presumably nsDocShell::DoFindItemWithName would be the important place that needs to change in order to avoid this.
The most obvious use case for this bug that I see is for websites to try and find out who throwaway accounts are (common on Reddit, HN, etc.). This could be harmful for people who think they can just pop open a private browsing window and create a throwaway account.
I'm willing to help anybody who would like to investigate this. Stepping through DoFindItemWithName should make it clear what's going wrong, and where we should be comparing mInPrivateBrowsing against another docshell's GetUsePrivateBrowsing value.
Hi I'd like to try and help with this bug. Where do I begin looking for the fix?
(In reply to Anirudh GP(:anirudhgp) from comment #7) > Hi I'd like to try and help with this bug. Where do I begin looking for the > fix? Sounds to me like you need to ask jdm.
FYI, I put together a demo of the exploit on github. https://diafygi.github.io/detect-throwaways/index.html
The attachment fixed the demo "Daniel Roesler" created. Here's the output of the Try Server: https://treeherder.mozilla.org/#/jobs?repo=try&revision=74e850bb0c3e It runs all of the Mochitests, and everything seems OK. The failed ones seems un-related to my changes.
Attachment #8648329 - Flags: review?(josh)
Thanks Aidin! I'm going on vacation for a week, so you should probably ask someone else like :smaug for review.
Seems that :smaug, and other reviewers are also on vacation or busy! I will wait a week. There's no problem.
Attachment #8648329 - Flags: review?(josh) → review?(bzbarsky)
Comment on attachment 8648329 [details] [diff] [review] 1100154.patch The patch looks great. The commit message could use some improvement. How about: Bug 1100154 - Ensure that targeted links in a private browsing window can't target non-private-browsing windows and vice versa. ? r=me.
Attachment #8648329 - Flags: review?(bzbarsky) → review+
Thanks for the review (: I update the commit message. Nothing else changed.
Attachment #8648329 - Attachment is obsolete: true
I have reproduced this bug on Nightly 36.0a1 (2014-11-16) on ubuntu 14.04 LTS, 32 bit! The bug's fix is now verified on Latest Beta 43.0b1! Build ID: 20151103023037 User Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 [bugday-20151104]
Status: RESOLVED → VERIFIED
Confirming this fix under Mac OS X 10.11.1 and Windows 7 64-bit too, with 43.0b1 build 2 (Build ID: 20151103023037). Thanks for verifying, Khalid!
Whiteboard: [lang=c++][adv-main43+] → [lang=c++][adv-main43-]
hi, do you think this change can be related to the crash in bug 1247872 which would be regressing since firefox 43?
(In reply to philipp from comment #21) > hi, do you think this change can be related to the crash in bug 1247872 > which would be regressing since firefox 43? I *think* so. bz, is this just the load context being null?
Sure looks like it. I'll follow up in bug 1247872.
You need to log in before you can comment on or make changes to this bug.