RESOLVED INVALID

Status


Firefox
Untriaged

People

(Reporter: Sami Bakhour, Unassigned)

Tracking

47 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:

1. Go to www.google.com
2. Searched for "~@gmail.com" '$password' => filetype:log
3. Went to page number 7 in Google search "https://www.google.com/search?q=%22~%40gmail.com%22+%27%24password%27+%3D%3E+filetype:log&biw=1366&bih=638&noj=1&ei=z4iCV6nPE9Oja82EtLAL&start=60&sa=N"
4. Found https://people.mozilla.org/~nalexander/


Actual results:

Found information that is not supposed to be public


Expected results:

The page should not be visible to others or password protected

Group: firefox-core-security
Flags: needinfo?(nalexander)

Hi folks, these logs look bad 'cuz they're Android system logs, so they include a lot of noise, which in this case included my @gmail.com address and logging about Fennec's Sync PasswordProvider.  This is just logging about the operation of the module and doesn't include any *actual* passwords.  Firefox for Android is very careful to never leak PII to the log (you can with a special flag, but our users don't use that).  (If we do, that's a serious bug.  But I'm quite confident we don't, and those logs definitely don't.)  Finally, I don't run Sync against my actual email account, precisely to not mix work and play in logs like this.

In any case, I've deleted the logs, in case I missed something.  Thanks for the report, Sami!
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(nalexander)
Resolution: --- → INVALID

Updated

a year ago
Group: firefox-core-security