Closed
Bug 1240564
Opened 8 years ago
Closed 8 years ago
Local Shared Objects (LSO's) are left intact on Permanent private browsing (Never remember history) mode
Categories
(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)
External Software Affecting Firefox Graveyard
Flash (Adobe)
x86_64
Windows
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: ofir29, Unassigned)
References
()
Details
(Keywords: privacy)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 Build ID: 20160105164030 Steps to reproduce: 1. Open Frefox, visit any flash based content website such as dailymotion.com, a temp flash directory will be created #SharedObjects. 2. Now, close the browser, the flash temp created directory in (#SharedObjects) often don't get removed, and left persistent. 3. Open the browser again, you will see that directory isn't get invalidated and left intact. This can allow manipulation of the temp directories in #SharedObjects which can be exploited remotely. Needless to say, my Firefox browser is working on Never remember history mode, and all temp files are removed once it is closed. I have also posted it in adobe (since it's flash session bug and adobe are aware and haven't fixed it for months). https://bugbase.adobe.com/index.cfm?event=bug&id=4060758 Actual results: Flash Temporary Files don't get removed (left intact), due to a flash bug. Expected results: Flash Temporary Files should be removed.
Reporter | ||
Updated•8 years ago
|
Severity: normal → critical
Component: Untriaged → Security
OS: Unspecified → Windows
Priority: -- → P2
Hardware: Unspecified → x86_64
Comment 1•8 years ago
|
||
Manually running "Clear recent history" and including cookies and cache seems to work fine. Unhiding because this isn't a public security issue (it's a privacy issue until/unless you demonstrate that "This can allow manipulation of the temp directories in #SharedObjects which can be exploited remotely.", which you have not) and the adobe bug is already public anyway. Josh, any idea what's going on here?
Group: firefox-core-security
Severity: critical → normal
Component: Security → Private Browsing
Flags: needinfo?(josh)
Priority: P2 → --
Summary: Adobe Flash temporary files left intact upon closing the browser → Permanent private browsing and "clear history when Firefox closes" leave Adobe Flash temporary files intact
Reporter | ||
Comment 2•8 years ago
|
||
FYI, adding a bit more: the issue only happens if the NPAPI flash player plugin is installed, therefore it's flash plugin related issue like I already mentioned and it's due to a flash session management bug known to adobe. Adding to Gijs comment, I can confirm that as well as the Manual deletion via the flash player settings panel applet on control panel also clean the #SharedObjects and works. So no issues with manual mode. *Superfluous thing to note: since it's too obvious, but I will mention anyway, even when I configure the flash player settings applet panel to block all sites from storing information, it still stores and don't automatically delete the folders once firefox close either. As mentioned before but in short, 2 Important Points in this bug that affects privacy and security. 1. The Primary point is: Private Mode isn't private when flash temp directories/files are being kept persistent. 2. The Secondary point is: Non-validated flash temp files/directories can be manipulated.
Reporter | ||
Comment 3•8 years ago
|
||
I have uninstalled flash NPAPI plugin as a permanent workaround and marking it as unsafe to use and let others aware, until the issue will be address either by you or adobe.
Reporter | ||
Comment 4•8 years ago
|
||
Hi PPL, Video POC is available here: https://www.youtube.com/watch?v=mz9A8feBpGM
Comment 5•8 years ago
|
||
I don't really know anything about the shutdown sanitization code. Presumably the first place to start investigating is the behaviour of promiseClearPluginCookies in browser/base/content/sanitize.js.
Flags: needinfo?(josh)
Updated•8 years ago
|
Flags: needinfo?(gijskruitbosch+bugs)
Reporter | ||
Updated•8 years ago
|
Summary: Permanent private browsing and "clear history when Firefox closes" leave Adobe Flash temporary files intact → Local Shared Objects (LSO's) are left intact on Permanent private browsing (Never remember history) mode
Comment 7•8 years ago
|
||
Adobe proposed an extension to NPAPI to inform plugins when the browser is in private browsing mode, which we implemented and they use. If they're getting the "private" mode signal and not cleaning up that's a bug which they'll have to fix. In the meanwhile you can avoid Flash as you're doing (we're doing our best to provide web alternatives to the most common reasons for using Flash) or install a privacy addon that deletes LSOs like https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
Component: Private Browsing → Flash (Adobe)
Keywords: privacy
Product: Firefox → External Software Affecting Firefox
Version: 46 Branch → unspecified
Updated•8 years ago
|
Flags: needinfo?(gijskruitbosch+bugs)
Comment 8•8 years ago
|
||
Not going to track this in the Mozilla bug tracker. Please follow up with Adobe if appropriate.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Updated•2 years ago
|
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•