Closed Bug 1149028 Opened 6 years ago Closed 6 years ago

SHA-1 certificate violation log on Fennec leaks sensitive info in URL

Categories

(Firefox for Android Graveyard :: General, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1149094

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

Details

(Keywords: sec-moderate)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

Steps to reproduce:

1. Install Fennec to an Android device which version is less than 4.0.
2. Launch https://www.google.com/#SECRET_IS_HERE
3. Login to Google
4. Search something with Google


Actual results:

Accessed all URLs contains query string and fragment are put to Logcat like below.

W/GeckoConsole( 2738): [JavaScript Warning: "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1." {file: "https://www.google.com/#SECRET_IS_HERE" line: 0}]

W/GeckoConsole( 2738): [JavaScript Warning: "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1." {file: "https://www.google.co.jp/?gfe_rd=cr&ei=GesYVZa#SECRET_IS_HERE" line: 0}]

W/GeckoConsole( 2738): [JavaScript Warning: "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1." {file: "https://www.google.co.jp/search?q=SEARCHWORD&oq=SEARCHWORD" line: 0}]

On Android 4.0 or less, any application having android.permission.READ_LOGS permission can retrieve other application's log data. And also, it may be sent to the third party as crash logs. So, sensitive information may be leaked.


Expected results:

SHA-1 certificate violation log should remove detailed information from accessed URL.
Flags: sec-bounty?
Component: Untriaged → General
Flags: needinfo?(snorp)
Product: Firefox → Firefox for Android
Version: 39 Branch → unspecified
This is the same as bug 1149094. Browser console on logcat.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(snorp)
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-2714
Flags: sec-bounty? → sec-bounty-
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-moderate
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.