Firefox Focus (iOS): Recovery of previous searches across app closure/Browser Clear
Categories
(Focus :: Security: iOS, defect)
Tracking
(Not tracked)
People
(Reporter: remaclematt, Assigned: st3fan)
Details
(Keywords: csectype-other, privacy, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(2 files)
How was this issue discovered:
- Walking up the stairs to my house I noticed a search term that I had looked up during a conversation with a coworker 3 days prior. I knew full well that I had cleared my history several times since that point in time. Took a screenshot and knew there had to be a way to reproduce the bug. 6 hours to first reproduction of bug, each time got easier and faster. 20h total. I can now consistently reproduce every time.
Hardware: iPhone 6 (16GB)
Software: Firefox Focus (Newest @ 8.1.1 via "About Firefox Focus") running on iOS 12.1.2
Summary: After performing a search for "Term X" and fully closing the app or clearing data through native button, Term X is recoverable in a later session
Steps to Reproduce (see video attachment for context):
- Open Firefox Focus app
- Tap on the text input bar at the top of the page
- Input "donotrecover" and execute search (Actual search term is arbitrary)
- Click on a search result
- Wait for the page for search result to load
- Tap the native app "Back" button to navigate to the previous page
- Wait for the search for "donotrecover" to reload
- Tap the native app "Forward" button to return navigation to the search result we selected
- Wait for page to load
- Double press the "Home" button on your iOS device in rapid succession
- "Flick" the Firefox Focus app off the top of the screen to close it
//This process should clear all history and searches. - Open the Firefox Focus app
- Tap on the text input bar at the top of the page
- Input "jennifer aniston" and execute search (Actual search term is arbitrary)
- Click on a search result
- Wait for the page for search result to load
- Tap the native app "Back" button to navigate to the previous page
- When scrolling down the text bar at the top of the page collapses. When scrolling up the text bar reappears. Using one hand swipe up and down until you find the "sweet spot" where you can catch the text bar in a a middle-state where it appears slightly faded (see video attachment). Continue to hold the app in this scroll position with your first hand.
- Slowly move you hand controlling the scroll position upward until the "Back navigation" button becomes visible
- While keeping the first hand in place, rapidly tap the native navigate "Forward" and "Back" in an alternating order
- Note that the search term "donotrecover" is populated into the text bar
Additional Details:
-Search results utilized are arbitrary, but some are harder to reproduce than others.
-Slow network conditions and large download sizes for search results make reproducing easier
-Using 2 hands to tap screen at same time is not necessary, just more consistent (anecdotally) in reproduction
-Text input box reads "donotrecover", but upon tapping to see actual URL shows a typical google search for "jennifer aniston".
-Recovery of search terms is not limited to n-1, I have achieved as far back as 4 x search-clear-searches
-Sometimes upon reproduction of bug the recovered search term is displayed in the text bar and the words "Frame Load Interrupted" are displayed in the browser window with a blue button containing the words "Try Again" located below it. Tapping "Trying again" has never resulted in any changes.
-Not reproducible in Firefox Focus Android. Upon performing a search the full search URL populates the text bar instead of a user friendly representation of what was typed.
Reporter | ||
Comment 1•5 years ago
|
||
Reporter | ||
Comment 2•5 years ago
|
||
(In reply to Matthew Remacle from comment #1)
Created attachment 9042358 [details]
Firefox_Focus_Bug.mp4
It looks like bugzilla is not a fan of MP4's. In the case that you you cannot download the video, here is a link to a streamable copy hosted on my OneDrive account.
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 3•5 years ago
|
||
Misunderstood this as a "Firefox for iOS" bug (sorry, rushed triage meeting). Since the whole point of Focus is "private browsing" saving things to disk violates the whole point of the product.
Justin pointed to this PR where we do exactly that: https://github.com/mozilla-mobile/focus-ios/pull/1215
[Matthew: I could load the video just fine and it was helpful for this complicated set of steps. Thanks especially for the clear WRITTEN steps, too -- those are even more important.]
Updated•5 years ago
|
Comment 4•5 years ago
|
||
ni? :sblatz who will likely be the engineer fixing this.
Comment 5•5 years ago
|
||
I guess sec-high overstates it from a security POV (it's a local, not remote, attack), but lowering it to sec-moderate doesn't mean it's not important.
Updated•5 years ago
|
Comment 6•5 years ago
|
||
Patch submitted for review: https://github.com/mozilla-mobile/focus-ios/pull/1645
Reporter | ||
Comment 7•5 years ago
|
||
Greatly appreciate the feedback on bug report. More than happy to attempt to reproduce after patch.
"I guess sec-high overstates it from a security POV (it's a local, not remote, attack), but lowering it to sec-moderate doesn't mean it's not important."
As much as I'd like to be on the Mozilla hall of fame with a sec-high bug due to this bug "violating the whole point of the product", i do agree with the above statement to it's severity.
For what it's worth: I did set up a server to feed test cases via server-sent-events in an attempt to abuse [window.history, localstorage, ...] in an attempt to reproduce remotely and found nothing over the past week. Good learning experience though; Such is life.
Very happy with the product overall and intend to run test cases of whatever I come up with against patched version upon release for a few days.
Comment 8•5 years ago
|
||
(In reply to Matthew Remacle from comment #7)
For what it's worth: I did set up a server to feed test cases via server-sent-events in an attempt to abuse [window.history, localstorage, ...] in an attempt to reproduce remotely and found nothing over the past week. Good learning experience though; Such is life.
Yeah, fortunately this bug shouldn't affect anything inside the webview. The concern here is mainly that the last-entered search string is persisted in such a way that could be recovered from the data saved via an iTunes/iCloud backup. But as previously mentioned, the app should never, ever persist this data (as is the entire point of the app). In the meantime, tapping the trash can icon in the top-right corner of the screen before closing the app will guarantee that the data is erased. Once this patch lands, we'll ship an update to erase any previously-saved data and prevent anything from getting saved again in the future.
Thanks again for the super-detailed bug report. Seriously, I can't recall a time I've seen this detailed of a bug report from an end user, so thank you so much for the time and effort you put into it!
Cheers!
Assignee | ||
Comment 9•5 years ago
|
||
Thank you very much for this report Matthew. We are currently testing a fix and we are hoping to roll out an update for Focus and Klar in the coming days. Due to the holidays in Canada and the US, it may not appear until later in the week.
The patch can be found at https://github.com/mozilla-mobile/focus-ios/pull/1645
Assignee | ||
Comment 10•5 years ago
|
||
Assignee | ||
Comment 11•5 years ago
|
||
The patch was reviewed by :justindarc on GitHub.
Updated•5 years ago
|
Assignee | ||
Comment 12•5 years ago
|
||
This shipped in both Focus and Klar 8.1.2.
Assignee | ||
Updated•5 years ago
|
Comment 13•5 years ago
|
||
Stefan: What information did you need from me?
Updated•5 years ago
|
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Updated•4 years ago
|
Description
•