Closed Bug 1240564 Opened 8 years ago Closed 8 years ago

Local Shared Objects (LSO's) are left intact on Permanent private browsing (Never remember history) mode

Categories

(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)

x86_64
Windows
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: ofir29, Unassigned)

Details

(Keywords: privacy)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160105164030

Steps to reproduce:

1. Open Firefox, visit any Flash-based content website such as dailymotion.com; a temp Flash directory will be created in #SharedObjects.

2. Now, close the browser; the temp directory Flash created in #SharedObjects often doesn't get removed, and is left persistent.

3. Open the browser again; you will see that the directory doesn't get invalidated and is left intact.

This can allow manipulation of the temp directories in #SharedObjects which can be exploited remotely.

Needless to say, my Firefox browser is working on Never remember history mode, and all temp files are removed once it is closed. 

I have also posted it to Adobe (since it's a Flash session bug, and Adobe are aware and haven't fixed it for months).

https://bugbase.adobe.com/index.cfm?event=bug&id=4060758


Actual results:

Flash temporary files don't get removed (left intact), due to a Flash bug.


Expected results:

Flash Temporary Files should be removed.
Severity: normal → critical
Component: Untriaged → Security
OS: Unspecified → Windows
Priority: -- → P2
Hardware: Unspecified → x86_64
Manually running "Clear recent history" and including cookies and cache seems to work fine. Unhiding because this isn't a public security issue (it's a privacy issue until/unless you demonstrate that "This can allow manipulation of the temp directories in #SharedObjects which can be exploited remotely.", which you have not) and the adobe bug is already public anyway.

Josh, any idea what's going on here?
Group: firefox-core-security
Severity: critical → normal
Component: Security → Private Browsing
Flags: needinfo?(josh)
Priority: P2 → --
Summary: Adobe Flash temporary files left intact upon closing the browser → Permanent private browsing and "clear history when Firefox closes" leave Adobe Flash temporary files intact
FYI, adding a bit more: the issue only happens if the NPAPI Flash Player plugin is installed, therefore it's a Flash plugin related issue like I already mentioned, and it's due to a Flash session management bug known to Adobe.

Adding to Gijs' comment, I can confirm that, and manual deletion via the Flash Player settings panel applet in Control Panel also cleans #SharedObjects and works.
So no issues with manual mode.

*Superfluous thing to note, since it's too obvious, but I will mention it anyway: even when I configure the Flash Player settings panel applet to block all sites from storing information, it still stores them and doesn't automatically delete the folders once Firefox closes either.

As mentioned before but in short, 2 Important Points in this bug that affects privacy and security.

1. The Primary point is: Private Mode isn't private when flash temp directories/files are being kept persistent.

2. The Secondary point is: Non-validated flash temp files/directories can be manipulated.
I have uninstalled the Flash NPAPI plugin as a permanent workaround and am marking it as unsafe to use, to make others aware, until the issue is addressed either by you or Adobe.
Hi PPL,

Video POC is available here: https://www.youtube.com/watch?v=mz9A8feBpGM
I don't really know anything about the shutdown sanitization code. Presumably the first place to start investigating is the behaviour of promiseClearPluginCookies in browser/base/content/sanitize.js.
Flags: needinfo?(josh)
Flags: needinfo?(gijskruitbosch+bugs)
Bump!
Severity: normal → major
Version: 43 Branch → 46 Branch
Summary: Permanent private browsing and "clear history when Firefox closes" leave Adobe Flash temporary files intact → Local Shared Objects (LSO's) are left intact on Permanent private browsing (Never remember history) mode
Adobe proposed an extension to NPAPI to inform plugins when the browser is in private browsing mode, which we implemented and they use. If they're getting the "private" mode signal and not cleaning up that's a bug which they'll have to fix.

In the meanwhile you can avoid Flash as you're doing (we're doing our best to provide web alternatives to the most common reasons for using Flash) or install a privacy addon that deletes LSOs like https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
Component: Private Browsing → Flash (Adobe)
Keywords: privacy
Product: Firefox → External Software Affecting Firefox
Version: 46 Branch → unspecified
Flags: needinfo?(gijskruitbosch+bugs)
Not going to track this in the Mozilla bug tracker. Please follow up with Adobe if appropriate.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard
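
A way to check the behaviour reported in the steps to reproduce, as an added example that is not code from this bug thread, Mozilla or Adobe: snapshot the #SharedObjects directory before starting the browser and again after it exits, then list any LSOs that were created or rewritten in between. The directory is passed in by the caller, the `<random dir>/<site>/...` layout is an assumption, and the file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each LSO's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    if not root.is_dir():          # no Flash storage at all: nothing persisted
        return {}
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*.sol") if p.is_file()
    }


def survivors(before, after):
    """LSOs created or rewritten during the session that outlived the browser."""
    found = []
    for rel, digest in sorted(after.items()):
        if rel not in before:
            state = "new"
        elif before[rel] != digest:
            state = "changed"
        else:
            continue
        parts = rel.split("/")
        # Assumed layout: <random dir>/<site>/.../<name>.sol
        site = parts[1] if len(parts) > 2 else "(unknown)"
        found.append((site, state, rel))
    return found


def demo():
    """Constructed tree standing in for #SharedObjects; no real profile is read."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        old = root / "ABCD1234" / "old.example" / "prefs.sol"
        old.parent.mkdir(parents=True)
        old.write_bytes(b"constructed-old")
        before = snapshot(root)            # taken before the browser starts
        # Simulate a private session that leaves data behind after shutdown.
        new = root / "ABCD1234" / "video.example" / "player" / "state.sol"
        new.parent.mkdir(parents=True)
        new.write_bytes(b"constructed-new")
        old.write_bytes(b"constructed-old-rewritten")
        after = snapshot(root)             # taken after the browser has exited
        return survivors(before, after)


if __name__ == "__main__":
    for site, state, rel in demo():
        print(f"{state:8} {site:15} {rel}")
```

In permanent private browsing mode the expected result of `survivors()` is an empty list; any entry names a site whose Flash data outlived the session.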