Closed Bug 1436432 Opened 7 years ago Closed 7 years ago

Currently viewed webpage (even in Private browsing!) is shared to other devices via IOS Handoff

Categories

(Firefox for iOS :: Browser, defect, P1)

Product:
Firefox for iOS
Component:
Browser
Platform:
Other
iOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
fxios 11.0 ---
fxios-v11.0 --- verified

People

(Reporter: brian, Assigned: justindarc)

Details

(Keywords: privacy, reporter-external)

Attachments

(2 files)

Screencaps of iPhone Firefox PRIVATE tab sending webpage to Safari on iPad via handoff
1.05 MB, image/png
Details
GitHub Pull Request
55 bytes, text/x-github-pull-request
jhugman
: review+
jhugman
: feedback+
Details | Review
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Steps to reproduce: Opened any webpage (eg. www.cheese.com) in a normal or PRIVATE tab in Firefox my Apple IPhone (IOS11.2.4). Then, on my Apple iPad (IOS11.2.4) the handoff function on the dock will open that same webpage (eg. www.cheese.com) in a Safari window. Actual results: As described above. My iPad is a shared device with other family members, which could potentially inadvertently see my current PRIVATE browsing via the handoff feature. Expected results: Firefox private tab browsing should absolutely NOT be shared to other devices. I don't want anyone else who uses my shared devices to know how much I love cheese.com
Correction for accuracy: these are the actual iOS versions running on the affected devices in the original report: iPhone: 11.2.2 (15C202) iPad: 11.2.1 (15C153) I'm not sure what iOS versions are affected by this issue.
Thanks for the report Brian. Confirming that this is reproducible on 10.6 and 11.0(8861). We should not share Private Tabs via Handoff.
Status: UNCONFIRMED → NEW
status-fxios-v11.0: --- → affected
tracking-fxios: --- → ?
Ever confirmed: true
Assignee: nobody → jdarcangelo
Status: NEW → ASSIGNED
tracking-fxios: ?11.0
Priority: -- → P1
Attached file GitHub Pull Request
Attachment #8952816 - Flags: review?(jhugman)
Comment on attachment 8952816 [details] [review] GitHub Pull Request Feedback in PR. R? again when ready.
Attachment #8952816 - Flags: review?(jhugman) → feedback+
Comment on attachment 8952816 [details] [review] GitHub Pull Request Upgrades to `siteURL` from metadata parser now (when available).
Attachment #8952816 - Flags: review?(jhugman)
Attachment #8952816 - Flags: review?(jhugman) → review+
Verifying as fix on master 6672352af5. Tabs from Private Browsing are no longer shared via Handoff.
Verifying as fix on 11.0(9266).
Status: RESOLVED → VERIFIED
status-fxios-v11.0: affectedverified
This is a valid privacy concern, but is not a potential exploit of the type that our Bug Bounty program covers.
Flags: sec-bounty? → sec-bounty-
Keywords: privacy
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: