You can pass information between named windows in Private Browsing and the main process using targeted links

VERIFIED FIXED in Firefox 43



Private Browsing
3 years ago
a year ago


(Reporter: Daniel Roesler, Assigned: Aidin Gharibnavaz, Mentored)


({csectype-disclosure, sec-low})

33 Branch
Firefox 43
csectype-disclosure, sec-low

Firefox Tracking Flags

(firefox42 wontfix, firefox43 verified, firefox-esr38 wontfix)


(Whiteboard: [lang=c++][adv-main43-])


(2 attachments, 1 obsolete attachment)



3 years ago
Created attachment 8523555 [details]
Proof of concept. Follow directions in the file.

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141013200257

Steps to reproduce:

1. Create a webpage with a link targeting a named window (e.g. <a href="/" target="foo">Click Here!</a>).

2. Open that webpage in both normal and private browsing modes.

3. Click on the link in one of the two modes. It should open a new tab with the target name.

4. Click on the link in the other of the two modes.

Actual results:

When clicking on the link in the other of the two modes, the named window in the first mode loads the desired page. The loaded page has access to all of that mode's resources (localStorage/cookies/etc.).

Expected results:

Window names should not be shared between normal and private browsing modes. This allows you to pass information between those two modes.

Comment 1

3 years ago
This trick works in Firefox on both Linux and OSX. It does not work in Chromium.

Comment 2

3 years ago
Ehsan/Josh, are you aware of this issue?
Component: Untriaged → Private Browsing
Flags: needinfo?(josh)
Flags: needinfo?(ehsan.akhgari)

Comment 3

3 years ago
No, but I'm not surprised. This doesn't need to be security-sensitive, however.
Flags: needinfo?(josh)
Flags: needinfo?(ehsan.akhgari)

Comment 4

3 years ago
Presumably nsDocShell::DoFindItemWithName would be the important place that needs to change in order to avoid this.

Comment 5

3 years ago
The most obvious use case for this bug that I see is for websites to try and find out who throwaway accounts are (common on Reddit, HN, etc.). This could be harmful for people who think they can just pop open a private browsing window and create a throwaway account.
Ever confirmed: true
Keywords: csectype-disclosure, sec-low
Group: core-security

Comment 6

3 years ago
I'm willing to help anybody who would like to investigate this. Stepping through DoFindItemWithName should make it clear what's going wrong, and where we should be comparing mInPrivateBrowsing against another docshell's GetUsePrivateBrowsing value.
Whiteboard: [lang=c++]
Hi I'd like to try and help with this bug. Where do I begin looking for the fix?
(In reply to Anirudh GP(:anirudhgp) from comment #7)
> Hi I'd like to try and help with this bug. Where do I begin looking for the
> fix?

Sounds to me like you need to ask jdm.
Flags: needinfo?(josh)

Comment 9

2 years ago
FYI, I put together a demo of the exploit on github.

Comment 10

2 years ago
Created attachment 8648329 [details] [diff] [review]

The attachment fixed the demo "Daniel Roesler" created.

Here's the output of the Try Server:

It runs all of the Mochitests, and everything seems OK. The failed ones seems un-related to my changes.
Attachment #8648329 - Flags: review?(josh)
Thanks Aidin! I'm going on vacation for a week, so you should probably ask someone else like :smaug for review.
Flags: needinfo?(josh)

Comment 12

2 years ago
Seems that :smaug, and other reviewers are also on vacation or busy! I will wait a week. There's no problem.


2 years ago
Attachment #8648329 - Flags: review?(josh) → review?(bzbarsky)
Comment on attachment 8648329 [details] [diff] [review]

The patch looks great.  The commit message could use some improvement.  How about:

  Bug 1100154 - Ensure that targeted links in a private browsing window can't target non-private-browsing windows and vice versa.


Attachment #8648329 - Flags: review?(bzbarsky) → review+

Comment 14

2 years ago
Created attachment 8657451 [details] [diff] [review]

Thanks for the review (:

I update the commit message. Nothing else changed.
Attachment #8648329 - Attachment is obsolete: true


2 years ago
Keywords: checkin-needed

Comment 15

2 years ago
Keywords: checkin-needed
Assignee: nobody → aidin
Last Resolved: 2 years ago
status-firefox43: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 43
Duplicate of this bug: 1215904
Flags: qe-verify+
I have reproduced this bug on Nightly 36.0a1 (2014-11-16) on ubuntu 14.04 LTS, 32 bit!

The bug's fix is now verified on Latest Beta 43.0b1!

Build ID: 20151103023037
User Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0

Thanks Khalid!
Confirming this fix under Mac OS X 10.11.1 and Windows 7 64-bit too, with 43.0b1 build 2 (Build ID: 20151103023037). Thanks for verifying, Khalid!
status-firefox43: fixed → verified
Flags: qe-verify+
status-firefox42: --- → wontfix
status-firefox-esr38: --- → wontfix
Whiteboard: [lang=c++] → [lang=c++][adv-main43+]
Alias: CVE-2015-7206
Alias: CVE-2015-7206
Whiteboard: [lang=c++][adv-main43+] → [lang=c++][adv-main43-]
hi, do you think this change can be related to the crash in bug 1247872 which would be regressing since firefox 43?

Comment 22

2 years ago
(In reply to philipp from comment #21)
> hi, do you think this change can be related to the crash in bug 1247872
> which would be regressing since firefox 43?

I *think* so. bz, is this just the load context being null?
Flags: needinfo?(bzbarsky)
Sure looks like it.  I'll follow up in bug 1247872.
Flags: needinfo?(bzbarsky)


a year ago
Duplicate of this bug: 1155962
You need to log in before you can comment on or make changes to this bug.