Closed Bug 1491627 Opened 5 years ago Closed 3 years ago
Fox for Android doesn't protect master password screen with FLAG _SECURE
FLAG_SECURE is normally used to prevent screenshots from being taken. The FireFox browser app for Android does not use this for the settings screen, specifically for the master password. To reproduce, install the app, go to settings, privacy, master pasword and take a screenshot by pressing Power + Volume down. To fix, FLAG_SECURE should be applied. More details in my blog post here: https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/ Related issues fixed in Chrome and Android OS: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5082 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243 This was originally reported to the Tor project - they suggested I should also let Mozilla know. Tor report # 409693.
Related to bug # 1314776
Component: Security → General
Product: Firefox → Firefox for Android
Minusing for the bounty program as sec-low rated issues do not qualify for bounties.
Flags: sec-bounty? → sec-bounty-
Priority: -- → P3
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.