Closed Bug 1647105 Opened 5 years ago Closed 5 years ago

Bing search terms shared across Private Windows in MacOS

Categories

(Firefox :: Private Browsing, task)

Product:
Firefox
Component:
Private Browsing
Type:
task

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1530394

People

(Reporter: alfie, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

I shit a brick when I opened bing.com in a Private Window only to see my previous private searches. Like angrily a big wtf...

I tried the following in Chrome but it safely did not replicate the issue:

  • open bing.com in Firefox with a private window
  • type: mint tea
  • close window
  • open bing.com in Firefox with a private window
  • type: m

Drum-roll... "mint tea" is displayed as a previous search term. I believe this is so dangerous for end users for a million reasons!

When a user completes their "Private Window" session, they close the window thinking that all their previous browsing has been wiped from the Earth. However, under MacOS, the parent process sticks around. What looks like is happening is that either auto-fill or client-side state is saved to get shared with future Private Windows. That doesn't sound private to me. I believe that this dangerously incorrect, akin to a Sandbox Escape.

Thanks,

Alfie

Flags: sec-bounty?

I can't reproduce. Can you try again in a clean secondary Firefox profile (https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles ) ?

Is it possible there was another private window still open while you were doing this? Private browsing history is per "session", and as long as any private window is open, private history / session data remains accessible to that window and any new private windows you open. Chrome does the same thing.

Component: Security → Private Browsing
Flags: needinfo?(alfie)

Hi,

Thanks for that. Looks like when I don't have other Private Windows open, it's not repeatable.

Curious though, I don't think at the time I reported this that I had any other Private Windows open. The problem I have here is that I have 5 desktops across two screens. To me, this is dangerous if users have to keep tabs on each Window across desktops across screens when users would expect that their privacy is kept per-Window and not shared across other Windows on other desktops.

And don't take my word for it, here's a link to your own FAQ on Private Browsing (emphasis mine):

https://support.mozilla.org/en-US/kb/common-myths-about-private-browsing?as=u&utm_source=inproduct

Myth 2: Private Browsing removes all traces of your browsing activity from your computer.

Reality: Private Browsing works by letting you browse without saving cookies and browsing history, **in a private window**.

This should probably be changed to "in a private window when you also have no other private windows open at the same time".

How could I file a public bug to discuss the dangers of this design choice and advocate for this current behaviour to be changed?

Flags: needinfo?(alfie)

(In reply to alfie from comment #2)

Hi,

Thanks for that. Looks like when I don't have other Private Windows open, it's not repeatable.

Curious though, I don't think at the time I reported this that I had any other Private Windows open. The problem I have here is that I have 5 desktops across two screens. To me, this is dangerous if users have to keep tabs on each Window across desktops across screens when users would expect that their privacy is kept per-Window and not shared across other Windows on other desktops.

And don't take my word for it, here's a link to your own FAQ on Private Browsing (emphasis mine):

https://support.mozilla.org/en-US/kb/common-myths-about-private-browsing?as=u&utm_source=inproduct

Myth 2: Private Browsing removes all traces of your browsing activity from your computer.

Reality: Private Browsing works by letting you browse without saving cookies and browsing history, **in a private window**.

This should probably be changed to "in a private window when you also have no other private windows open at the same time".

The language is accurate as-is, I'd argue. Cookies and history are not saved permanently for any private window, independent of how many you have open - but they are usable within all of those private windows, and they are forgotten when the last private window closes. If we never saved any information at all, that would break basic assumptions like being able to log in (at all!) to any websites, or bypass any of those annoying "make a choice about cookies" dialogs.
If every window was treated separately, it's not clear what should happen if you e.g. pop out an email you're composing in a private window, or move a tab from a private window into its own new window - does it share state with the original window (presumably yes?); how would you represent that to the user? So aside from the technical issues, this isn't a straightforward problem to solve.

How could I file a public bug to discuss the dangers of this design choice and advocate for this current behaviour to be changed?

There is already such a bug, bug 1530394. I'll dupe this one over. Do you have any objection to this bug becoming public? It doesn't seem to contain any private data (unless you are especially protective of your love of mint tea? :-) ).

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(alfie)
Resolution: --- → DUPLICATE

Thanks for explanation. Yep, I can see it's not as easy to solve as I originally thought :(

Happy to open this one up publicly, and happy for you to close this ticket.

Go mint tea!!

Flags: needinfo?(alfie)
Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.