Closed Bug 1491627 Opened 4 years ago Closed 2 years ago

FireFox for Android doesn't protect master password screen with FLAG_SECURE

Categories

(Firefox for Android Graveyard :: General, defect, P3)

ARM
Android
defect

Tracking

(firefox66 wontfix, firefox67 affected, firefox68 affected)

RESOLVED INCOMPLETE
Tracking Status
firefox66 --- wontfix
firefox67 --- affected
firefox68 --- affected

People

(Reporter: research, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

FLAG_SECURE is normally used to prevent screenshots from being taken. The FireFox browser app for Android does not use this for the settings screen, specifically for the master password.

To reproduce, install the app, go to settings, privacy, master pasword and take a screenshot by pressing Power + Volume down.

To fix, FLAG_SECURE should be applied. More details in my blog post here:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/

Related issues fixed in Chrome and Android OS:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243

This was originally reported to the Tor project - they suggested I should also let Mozilla know. Tor report # 409693.
Flags: sec-bounty?
Related to bug # 1314776
Component: Security → General
Product: Firefox → Firefox for Android
Group: firefox-core-security
Minusing for the bounty program as sec-low rated issues do not qualify for bounties.
Flags: sec-bounty? → sec-bounty-

Hi,

The issue has been reproduced.

Environment
Device: Tablet - Google Pixel C, Android(7.0.0)
Build: Firefox Beta (67.0b18) and Firefox Nightly 68.0a1 (2019-05-08)

Regards,
Diana Rus

OS: Unspecified → Android
Hardware: Unspecified → ARM
Status: UNCONFIRMED → NEW
Ever confirmed: true
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.