Bug 1414153 (Closed)
Opened 7 years ago, closed 7 years ago
Fingerprintable information is leaked when using "Send Tab to Device" feature
Categories
(Firefox :: Sync, defect, P1)
Tracking
Status: RESOLVED FIXED
Target Milestone: Firefox 59

Release | Tracking | Status
---|---|---
firefox57 | --- | unaffected
firefox58 | --- | fixed
firefox59 | --- | fixed
People
(Reporter: TomGrab, Assigned: lina)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fingerprinting])
Attachments
(1 file)
59 bytes, text/x-review-board-request | eoger: review+ | gchang: approval-mozilla-beta+ | Details
Steps to reproduce:
1. Install two Firefox browsers:
   Fx1 with privacy.resistFingerprinting set to true
   Fx2 with privacy.resistFingerprinting set to false
2. Configure Sync between these two browsers
3. On Fx1 go to https://browserleaks.com/javascript
4. Once the page loads, right-click on the tab, select "Send Tab to Device", then send it to Fx2

Expected results:
There should be a warning informing the user that sending this tab to Fx2 will result in that browser automatically downloading this page and allowing fingerprinting.

Actual result:
The user is not informed that Fx2 doesn't have privacy.resistFingerprinting enabled; instead Fx2 is forced to load the page and reveal fingerprintable information to the website.
Comment 1 • 7 years ago
I wonder if it would also make sense to sync the "privacy.resistFingerprinting" pref, to make it less likely for this to occur.
Updated • 7 years ago
Priority: -- → P1
Updated • 7 years ago
Whiteboard: [fingerprinting]
Comment 2 • 7 years ago
(In reply to Ryan Kelly [:rfkelly] from comment #1)
> I wonder if it would also make sense to sync the
> "privacy.resistFingerprinting" pref, to make it less likely for this to
> occur.
I think we probably should do that, but note that synced preferences aren't applied on mobile devices.
TBH though, beyond the fact we should sync that pref, I'm a little skeptical that this is actually a bug. The user has 2 devices and has only configured one to resist fingerprinting. Any and all URLs opened on that second device will be opened without fingerprint resistance. Further, there is nothing in the "send tab" mechanism that would allow correlation between those 2 devices (which isn't actually the point of that pref anyway) - the tab is opened on that second device as though they had typed that URL in the address bar. So I don't understand why "send tab" is special here.
Comment 3 • 7 years ago (Reporter)
The problem is that, unlike typing a URL and hitting Enter, it is not necessarily clear to the user that sending this tab will make the other computer load it automatically and leave fingerprints. Depending on the reason they turned anti-fingerprinting on, having another computer owned by this user leave fingerprints can be undesirable - especially if both devices are on the same LAN behind a NAT and use the same external IP address.
My expectation is that when I have anti-fingerprinting on, the browser should warn me if I'm trying to do something that will enable the website to identify me. In this sense, it is similar to how we already warn users when websites want to retrieve for example their HTML canvas.
Ultimately the question is what we are trying to protect here: the device or the user? My understanding is that we are trying to protect the user, and this user can own many devices that can leak fingerprints. And so we should put up a warning when one of the user's devices is about to get fingerprinted.
Comment 4 • 7 years ago
Does this bug affect Firefox 57?
status-firefox57: --- → ?
Flags: needinfo?(tgrabowski)
Comment 5 • 7 years ago (Reporter)
(In reply to Anthony Hughes (:ashughes) [QA] from comment #4)
> Does this bug affect Firefox 57?
No.
Flags: needinfo?(tgrabowski)
Updated • 7 years ago (Reporter)
Updated • 7 years ago
Assignee: nobody → kit
Comment 6 • 7 years ago (Assignee)
I think syncing the `privacy.resistFingerprinting` pref by default is an easy fix, and we should absolutely do that.
It's trickier if you send a tab to Android or iOS, which don't sync prefs. It's also possible for the user to disable pref syncing. I'm not sure it's worth adding UI here, since it's possible for synced URLs to leak fingerprinting info in other ways. For example, Activity Stream might do a background fetch to generate thumbnails on other devices, or we might want to fetch favicons for synced sites in the background.
That said, if we decide some UI is necessary here, we could show a toast notification after you send a tab, with an option to "undo" the send. There's still an inherent race between undo and the other device syncing, so we could show the toast first, and require an extra click to send the tab. I'd prefer to avoid this if we can, though. WDYT, Tom?
Flags: needinfo?(tgrabowski)
Comment 7 • 7 years ago (Reporter)
How does the "preference syncing" work exactly?
Flags: needinfo?(tgrabowski)
Comment 8 • 7 years ago (Assignee)
It syncs a subset of about:config prefs, Desktop to Desktop. (You can see all the prefs we currently sync if you search for `services.sync.prefs.sync.`).
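The allow-list mechanism described in comment 8 (and the "user can disable pref syncing" caveat from comment 6) can be modelled in a few lines. The following is an added illustration, not Firefox's own Prefs engine code: it assumes a pref named X is included in the synced record only when a control pref `services.sync.prefs.sync.X` is true on the sending side, that the receiving side applies it only when its own control pref is true, and that a receiver with the prefs engine disabled ignores the record entirely. The profiles and helper names (`collectSyncedPrefs`, `applySyncedPrefs`, `scenario`) are constructed for the example.

```javascript
// Simplified model of Firefox Sync's pref allow-list (added example, not
// Firefox code). Control prefs live under this prefix; a pref is synced only
// when its control pref is true on the device in question.
const CONTROL_PREFIX = "services.sync.prefs.sync.";

// Build the outgoing record on the sending device.
function collectSyncedPrefs(prefs) {
  const record = {};
  for (const [name, value] of Object.entries(prefs)) {
    // Control prefs describe the allow-list; they are not synced themselves.
    if (name.startsWith(CONTROL_PREFIX)) continue;
    if (prefs[CONTROL_PREFIX + name] === true) {
      record[name] = value;
    }
  }
  return record;
}

// Apply an incoming record on the receiving device. Returns a new pref map.
// With the prefs engine disabled (the comment 6 caveat) nothing is applied.
function applySyncedPrefs(localPrefs, record, { prefsEngineEnabled = true } = {}) {
  const updated = { ...localPrefs };
  if (!prefsEngineEnabled) return updated;
  for (const [name, value] of Object.entries(record)) {
    // The receiver only accepts prefs it has opted into as well.
    if (updated[CONTROL_PREFIX + name] === true) updated[name] = value;
  }
  return updated;
}

// Constructed scenario from the bug: Fx1 resists fingerprinting, Fx2 does not.
// Without the fix there is no control pref for privacy.resistFingerprinting,
// so the record omits it; with the fix (control pref shipped as true by
// default on both profiles) the setting reaches Fx2.
function scenario(fixApplied) {
  const fx1 = {
    "privacy.resistFingerprinting": true,
    "browser.startup.homepage": "about:home",
    "services.sync.prefs.sync.browser.startup.homepage": true,
  };
  const fx2 = {
    "privacy.resistFingerprinting": false,
    "browser.startup.homepage": "about:blank",
    "services.sync.prefs.sync.browser.startup.homepage": true,
  };
  if (fixApplied) {
    fx1["services.sync.prefs.sync.privacy.resistFingerprinting"] = true;
    fx2["services.sync.prefs.sync.privacy.resistFingerprinting"] = true;
  }
  const record = collectSyncedPrefs(fx1);
  const fx2After = applySyncedPrefs(fx2, record);
  return { record, fx2After };
}

console.log("before fix:", scenario(false));
console.log("after fix:", scenario(true));
```

The model makes the limits of the fix visible: a profile that has turned the Prefs engine off, or a platform that does not run it at all, never receives the value, which is exactly why the thread treats this as a mitigation for most users rather than a complete one.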
Comment 9 • 7 years ago (Reporter)
Thank you Kit for clarifying. If syncing the preference is the easiest way to fix this issue, then I think we should go ahead and implement it. This will cover most of our users.
If we decide that we also want to address this issue for Android and iOS users, then that can be handled in a separate ticket in the future.
Comment hidden (mozreview-request)
Comment 11 • 7 years ago
mozreview-review
Comment on attachment 8930176 [details]
Bug 1414153 - Sync the `privacy.resistFingerprinting` pref by default.
https://reviewboard.mozilla.org/r/201332/#review206466
Attachment #8930176 - Flags: review?(eoger) → review+
Comment 12 • 7 years ago
Pushed by kcambridge@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da5ab75b0e9b
Sync the `privacy.resistFingerprinting` pref by default. r=eoger
Comment 13 • 7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 59
Comment 14 • 7 years ago
Thanks for fixing this. :)
Comment 15 • 7 years ago
Please request uplift if you want this in 58.
Comment 16 • 7 years ago
Comment on attachment 8930176 [details]
Bug 1414153 - Sync the `privacy.resistFingerprinting` pref by default.
Approval Request Comment
[Feature/Bug causing the regression]: n/a
[User impact if declined]: As described in this bug, users may be surprised if they enable fingerprint resistance in one profile but not another and these 2 are connected by Sync.
[Is this code covered by automated tests?]: No
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: A trivial patch that adds a single preference name to the list of preferences synced by Sync.
[String changes made/needed]:
Attachment #8930176 - Flags: approval-mozilla-beta?
Comment 17 • 7 years ago
Comment on attachment 8930176 [details]
Bug 1414153 - Sync the `privacy.resistFingerprinting` pref by default.
Take this to keep consistency in different devices. Beta58+.
Attachment #8930176 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated • 7 years ago
Comment 18 • 7 years ago
bugherder uplift