Open Bug 1540565 Opened 5 years ago Updated 5 days ago

TabTracker leaks information about existence of private tabs/windows despite lack of private browsing permission

Categories

(WebExtensions :: General, defect, P3)

66 Branch
defect

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-disclosure, sec-other)

Attachments

(2 obsolete files)

There are several APIs that use the TabTracker to map a tabId to a native tab. Since the TabTracker is a singleton and unaware of the extension that is associated with the call, it's possible for an extension to learn whether private browsing mode is being used.

STR:

  1. Visit about:debugging and use "Debug" on any extension with a page action.
    Make sure that the extension does not have access to private browsing mode (feature from bug ).
  2. Run the following snippet to learn the current tab ID.
      browser.tabs.create({}, tab => console.log(window.lastTabId = tab.id));
  3. Open a private browsing mode. The ID of the tab in the new window is the result of step 2, plus one.
  4. Run the following snippet:
      // lastTabId from step 2.
      browser.tabs.get(lastTabId + 1).then(console.log, console.error);
      browser.pageAction.hide(lastTabId + 1).then(() => console.log("tabId is valid"), console.error);

Expected:

  • Error: "Invalid tab ID: 9"
  • Error: "Invalid tab ID: 9"

Actual:

  • Error: "Invalid tab ID: 9"
  • tabId is valid

This difference in output can be used to detect whether there is a private browsing window.

Flags: needinfo?(mixedpuppy)
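
The report above, as an added example that is not Firefox source and not part of the original comment: a small model of a singleton tab lookup next to a caller-aware one that returns the same error for an inaccessible private tab as for a nonexistent tab. Only `tabTracker.getTab` is a name from this bug; the tab table, `getTabFor`, `hideLeaky`, `hideChecked` and `probe` are hypothetical.

```javascript
// Constructed model (not Firefox code): one process-wide tab table.
class InvalidTabError extends Error {}

const tabs = new Map([
  [8, { id: 8, incognito: false }],
  [9, { id: 9, incognito: true }], // tab in a private window
]);

// Singleton lookup: it is never told which extension is asking.
const tabTracker = {
  getTab(tabId) {
    const tab = tabs.get(tabId);
    if (!tab) throw new InvalidTabError(`Invalid tab ID: ${tabId}`);
    return tab;
  },
};

// Hypothetical caller-aware lookup: a private tab the extension may not
// access fails with the same error type and message as a missing tab.
function getTabFor(extension, tabId) {
  const tab = tabTracker.getTab(tabId);
  if (tab.incognito && !extension.privateBrowsingAllowed) {
    throw new InvalidTabError(`Invalid tab ID: ${tabId}`);
  }
  return tab;
}

// Two handlers in the shape of pageAction.hide(tabId).
function hideLeaky(extension, tabId) {
  tabTracker.getTab(tabId); // no per-extension check
  return "tabId is valid";
}
function hideChecked(extension, tabId) {
  getTabFor(extension, tabId);
  return "tabId is valid";
}

function outcome(handler, extension, tabId) {
  try { return handler(extension, tabId); } catch (e) { return e.message; }
}

// What an extension without private browsing access observes for a
// private tab (9) and for an ID that does not exist (10).
function probe(handler) {
  const ext = { privateBrowsingAllowed: false };
  return { privateTab: outcome(handler, ext, 9), missingTab: outcome(handler, ext, 10) };
}
```

With `hideLeaky` the two results differ, which is the signal described in the report; with `hideChecked` both are "Invalid tab ID" errors.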

I reviewed all the uses of tabTracker.getTab. Outside of the example for determining that there is a private window, I don't see any way for data to leak. If data were to leak from the private window, this would be a high concern.

Priority: -- → P2
Assignee: nobody → mixedpuppy
Flags: needinfo?(mixedpuppy)

This issue seems to already have a patch in the works; is it something you may pick up again?

Flags: needinfo?(mixedpuppy)

Probably at some point, the patch bitrotted and would have to be reworked. I don't see this as a big problem, but the patch does offer a bit of cleanup.

Flags: needinfo?(mixedpuppy)
Priority: P2 → P3
Severity: normal → S3
See Also: → 1699458
Assignee: mixedpuppy → nobody
Attachment #9069065 - Attachment is obsolete: true

sec-other per bug 1699458 comment 2 and 4

Keywords: sec-low → sec-other