Closed Bug 1646756 (CVE-2020-12414) Opened 4 years ago Closed 4 years ago

Private window in firefox for iOS persists IndexedDB after closing all the tabs

Categories

(Firefox for iOS :: General, defect)

Product:
Firefox for iOS
Component:
General
Platform:
Other
iOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
fxios 27 ---

People

(Reporter: modi.konark, Assigned: garvan)

Details

(Keywords: csectype-disclosure, privacy, sec-moderate)

Attachments

(1 file)

advisory.txt
300 bytes, text/plain
Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36

Steps to reproduce:

  1. Go to Firefox settings and enable "Close Private tabs when leaving private browsing".
  2. Open a private tab.
  3. Open the following page: https://cdn.cliqz.com/browser-f/fun-demo/test-webworker-indexed-db.html, the counter in the section Loading as first-party should increment:
    Visit count from worker:
    Normal webpage count:
  4. Close the tab + Close the private window.
  5. Open the private window again, no previous tabs are there
  6. Open the above link again, now the counters are incremented from where last left off.
  7. Even if you press the icon "Clear Tabs", and visit the page again, the counters are not cleared.

Actual results:

It seems that IndexedDB somehow persists, even when private window is closed.

  1. This enabled the websites to track the users, across private window sessions.
  2. As a Low impact, the history is also retained somewhere on the device, but on mobile devices, disk leaks are hard to exploit.

Expected results:

As a user the expectation was that the on clearing tabs or closing the private window, no data/history is persisted.

Also tried the same with localStorage, and that seems to be cleared as expected.
Tried other browsers like Chrome, Safari, they also seem to behave as expected - closing private window/tabs clears memory.

Garvan: do we have any control over what happens with what Private/incognito webviews save or don't save on iOS?

Flags: needinfo?(gkeeley)
Keywords: csectype-disclosure, privacy, sec-moderate
Flags: needinfo?(gkeeley)

we use WKWebView WKWebsiteDataStore.nonPersistent() https://github.com/mozilla-mobile/firefox-ios/blob/1104a4fa58e43eb73eb8e02d3ec9b0505d830356/Client/Frontend/Browser/TabManager.swift#L74

That is all that should be needed according to the docs https://developer.apple.com/documentation/webkit/wkwebsitedatastore/1532934-nonpersistent

I agree other iOS browsers don't have this bug. It may be that we need to ensure no live webviews exist when exiting PB mode, there was a bug in the past with private mode that was related to this. Or, other browsers are doing extra undocumented steps to clear the PB state.

Note to look at what extra steps Brave iOS is doing https://github.com/brave/brave-ios/pull/1989/files

I see the bug, the TabWebView gets the configuration to set to non-persistent after WKWebView construction (which looks reasonable because this is a mutable property). If I set the WKWebViewConfiguration to nonPersistent before using it to construct the TabWebView it fixes it.
PR forthcoming.

Assignee: nobody → gkeeley
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I think the user expectation is that when all private tabs are closed (in any way that could happen), the private session should be terminated and a new one should be created when another private tab will be created. This currently cannot happen as the WKWebView configuration is created only once https://github.com/mozilla-mobile/firefox-ios/blob/b680b35533d502136d942127c30738847ace4eae/Client/Frontend/Browser/TabManager.swift#L87 and is resued for instances of private tabs.

The configuration property should probably be cleared whenever number of private tabs goes to 0.

(In reply to Krzysztof Jan Modras [:chrmod] from comment #5)

I think the user expectation is that when all private tabs are closed (in any way that could happen), the private session should be terminated and a new one should be created when another private tab will be created. This currently cannot happen as the WKWebView configuration is created only once https://github.com/mozilla-mobile/firefox-ios/blob/b680b35533d502136d942127c30738847ace4eae/Client/Frontend/Browser/TabManager.swift#L87 and is resued for instances of private tabs.

The configuration property should probably be cleared whenever number of private tabs goes to 0.

I agree it should be changed to work this way

Landed, set bugzilla ios tracking flag to v27

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
tracking-fxios: --- → 27
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Attached file advisory.txt
Alias: CVE-2020-12414
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: