Closed Bug 1549394 (CVE-2019-17018) Opened 5 years ago Closed 5 years ago

Potential privacy leak from Win10 keyboard autocomplete of data entered in Private Browsing

Categories

(Core :: Widget: Win32, defect, P3)

Unspecified
Windows 10
defect

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox72 --- fixed

People

(Reporter: jesup, Assigned: m_kato)

References

Details

(4 keywords, Whiteboard: [adv-main72+])

Attachments

(3 files, 1 obsolete file)

Chrome is expected to fix a privacy leak from Incognito mode to normal browsing via the keyboard learning autocomplete data and exposing it in the normal browsing context. See https://hothardware.com/news/micrsoft-chromium-fixes (latter part).

Basically, we should be using IS_PRIVATE as the input scope in Private Browsing on Windows to prevent the Win10 keyboard from learning from input and offering it as corrections or autocomplete data when we're not in Private Browsing.

See https://docs.microsoft.com/en-us/windows/desktop/api/inputscope/ne-inputscope-inputscope

AFAICT this would need to live in WinIMEHandler.cpp and TSFTextStore.cpp, and would be relatively straightforward to do once we figure out how to go from the window/widget ref to "is this window in private browsing".

We should also use it for password fields in NON-private browsing (unless we're using IS_PASSWORD and that does the same, although it's deprecated now).

Keywords: privacy

The priority flag is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)
Flags: needinfo?(jmathies)
Keywords: inputmethod
Priority: -- → P3

Three years ago I investigated IS_PRIVATE flag support for MS-IME, but the IME didn't look at this flag; it called LCIEIsCurrentProcessInPrivate to detect whether IE/Edge is in private mode. If MS-IME supports IS_PRIVATE, we should support it.

When I test Chrome Canary 80 on Windows 10 build 1903, Incognito mode in Chrome doesn't switch the IME to private mode. The result is the same even with Insider build 18990.

See Also: → 1269295

Makoto-san, MS-IME is currently being redesigned, as you know. How about requesting it via Feedback Hub? If you file it, I'll pass the feedback URL to the engineers.

Flags: needinfo?(m_kato)

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #5)

> Makoto-san, MS-IME is currently being redesigned, as you know. How about requesting it via Feedback Hub? If you file it, I'll pass the feedback URL to the engineers.

https://aka.ms/AA6eu0q

When I talked with Yukawa-san when he came to Japan, he said, "Although I approved this patch, I didn't know whether MS-IME really supported private mode via IS_PRIVATE."

Flags: needinfo?(m_kato)
See Also: 1269295

Use AutoTArray to set input scope.

Microsoft IME on Windows 10 20H1 (build 19025+) supports IME private mode by
input scope. Although previous Windows versions use an undocumented API for
Edge and IE only, the next Windows will use a public API for it.

So let's use IS_PRIVATE input scope in private browsing mode.

Depends on D53917

Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/fb2f4ca36af4
Part 1. Clean up input scope support for IMM32. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/5da3dcd12b69
Part 2. Set IS_PRIVATE input scope in private browsing. r=masayuki

Sorry for the mingw failure. We had a similar one of these recently; you can follow that pattern to fix it:

1. File a bug like Bug 1597739 blocking mingw-clang
2. Stick in a mingw hack-around: https://hg.mozilla.org/mozilla-central/rev/ba86d1b7d2a5

Backout by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/85e1dc70361e
Backed out 2 changesets for MinGW bustages at TSFTextStore.cpp. CLOSED TREE

MinGW doesn't have IS_PRIVATE (Why?). So I re-landed this using MINGW32.

Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/4cbaf7e27c2e
Part 1. Clean up input scope support for IMM32. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/f081bea8c605
Part 2. Set IS_PRIVATE input scope in private browsing. r=masayuki
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
QA Whiteboard: [qa-72b-p2]
Whiteboard: [adv-main72+]
Attached file advisory.txt
Attachment #9114961 - Attachment is obsolete: true
Alias: CVE-2019-17018