Closed
Bug 1491627
Opened 6 years ago
Closed 4 years ago
FireFox for Android doesn't protect master password screen with FLAG_SECURE
Categories
(Firefox for Android Graveyard :: General, defect, P3)
Tracking
(firefox66 wontfix, firefox67 affected, firefox68 affected)
RESOLVED
INCOMPLETE
People
(Reporter: research, Unassigned)
Details
(Keywords: reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
FLAG_SECURE is normally used to prevent screenshots from being taken. The Firefox browser app for Android does not use this for the settings screen, specifically for the master password.
To reproduce, install the app, go to settings, privacy, master password and take a screenshot by pressing Power + Volume down.
To fix, FLAG_SECURE should be applied. More details in my blog post here:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/
Related issues fixed in Chrome and Android OS:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243
This was originally reported to the Tor project - they suggested I should also let Mozilla know. Tor report # 409693.
Flags: sec-bounty?
Related to bug # 1314776
Updated•6 years ago
Component: Security → General
Product: Firefox → Firefox for Android
Updated•6 years ago
Group: firefox-core-security
Comment 2•6 years ago
Minusing for the bounty program as sec-low rated issues do not qualify for bounties.
Flags: sec-bounty? → sec-bounty-
Updated•6 years ago
status-firefox66:
--- → wontfix
status-firefox67:
--- → ?
Updated•6 years ago
Priority: -- → P3
Hi,
The issue has been reproduced.
Environment
Device: Tablet - Google Pixel C, Android(7.0.0)
Build: Firefox Beta (67.0b18) and Firefox Nightly 68.0a1 (2019-05-08)
Regards,
Diana Rus
Comment 4•4 years ago
We have completed our launch of our new Firefox on Android. The development of the new versions uses GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix), an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report, please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Updated•4 years ago
Product: Firefox for Android → Firefox for Android Graveyard
Updated•4 months ago
Keywords: reporter-external