TabTracker leaks information about existence of private tabs/windows despite lack of private browsing permission
Categories
(WebExtensions :: General, defect, P3)
Tracking
(Not tracked)
People
(Reporter: robwu, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-disclosure, sec-other)
Attachments
(2 obsolete files)
There are several APIs that use the TabTracker to map a tabId to a native tab. Since the TabTracker is a singleton and unaware of the extension that is associated with the call, it's possible for an extension to learn whether private browsing mode is being used.
STR:
- Visit about:debugging and use "Debug" on any extension with a page action. Make sure that the extension does not have access to private browsing mode (feature from bug ).
- Run the following snippet to learn the current tab ID.
  browser.tabs.create({}, tab => console.log(window.lastTabId = tab.id));
- Open a private browsing mode. The ID of the tab in the new window is the result of step 2, plus one.
- Run the following snippet:
  // lastTabId from step 2.
  browser.tabs.get(lastTabId + 1).then(console.log, console.error);
  browser.pageAction.hide(lastTabId + 1).then(() => console.log("tabId is valid"), console.error);
Expected:
Error: "Invalid tab ID: 9"
Error: "Invalid tab ID: 9"
Actual:
Error: "Invalid tab ID: 9"
tabId is valid
This difference in output can be used to detect whether there is a private browsing window.
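The mitigation this report implies, as an added example that is not part of the original report and is not Firefox source: a simplified model in which the tab lookup is made extension-aware, so a private tab the caller may not access fails exactly like a tab that does not exist. `TabTrackerModel`, `getTabFor`, `canAccessPrivate` and `observe` are hypothetical names.

```javascript
// Simplified model (assumption): one shared tracker, tabs flagged as private or not.
class TabTrackerModel {
  constructor() { this.tabs = new Map(); this.nextId = 1; }
  addTab({ incognito }) {
    const tab = { id: this.nextId++, incognito };
    this.tabs.set(tab.id, tab);
    return tab;
  }
  // Extension-unaware lookup: succeeds for any open tab, private or not.
  getTab(tabId) {
    const tab = this.tabs.get(tabId);
    if (!tab) throw new Error(`Invalid tab ID: ${tabId}`);
    return tab;
  }
}

// Extension-aware lookup: "not allowed to see" and "does not exist"
// take the same code path and produce the same error.
function getTabFor(tracker, extension, tabId) {
  const tab = tracker.tabs.get(tabId);
  if (!tab || (tab.incognito && !extension.canAccessPrivate)) {
    throw new Error(`Invalid tab ID: ${tabId}`);
  }
  return tab;
}

// What the calling extension observes: success or the error message.
function observe(fn) {
  try { fn(); return "tabId is valid"; } catch (e) { return e.message; }
}

function demo() {
  const tracker = new TabTrackerModel();
  const ext = { canAccessPrivate: false };       // no private browsing permission
  const normal = tracker.addTab({ incognito: false });
  const priv = tracker.addTab({ incognito: true });
  const missing = priv.id + 1;                   // no tab has this ID
  return {
    sharedPrivate: observe(() => tracker.getTab(priv.id)),
    sharedMissing: observe(() => tracker.getTab(missing)),
    checkedPrivate: observe(() => getTabFor(tracker, ext, priv.id)),
    checkedMissing: observe(() => getTabFor(tracker, ext, missing)),
    checkedNormal: observe(() => getTabFor(tracker, ext, normal.id)),
  };
}

console.log(demo());
```

With the shared lookup the private tab and the missing tab are distinguishable; with the per-extension check both report "Invalid tab ID".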
Comment 1•5 years ago
I reviewed all the uses of tabTracker.getTab. Outside of the example for determining that there is a private window, I don't see any way for data to leak. If data were to leak from the private window, this would be a high concern.
Comment 5•4 years ago
This issue seems to already have a patch in the works; is it something you may pick up again?
Comment 6•4 years ago
Probably at some point, the patch bitrotted and would have to be reworked. I don't see this as a big problem, but the patch does offer a bit of cleanup.
Comment 7•5 days ago
sec-other per bug 1699458 comment 2 and 4