Closed Bug 1657251 Opened 1 year ago Closed 1 year ago

Favicon request in Fenix sends cookie and shares the value with private browsing mode

Categories

(Fenix :: Security: Android, defect)

defect

Tracking

(firefox79 verified, firefox80 verified)

RESOLVED FIXED
Tracking Status
firefox79 --- verified
firefox80 --- verified

People

(Reporter: sdna.muneaki.nishimura, Assigned: sebastian)

References

()

Details

(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

Attached image favicon_tracker.gif

Icon loader in Fenix enables cookie and shares the cookie store with private browsing mode (below).
https://github.com/mozilla-mobile/android-components/blob/16823b9010d74bf1a5642fd937725fe1ade3f5e5/components/browser/icons/src/main/java/mozilla/components/browser/icons/loader/HttpIconLoader.kt#L46

That allows website to track his/her users even when they use private browsing mode.

Here is the reproduction way (see attached image for the demo).

  1. Launch http://csrf.jp/2020/favicon/
  2. Set your name to form and submit. Then welcome.php is shown
  3. welcome.php has <link rel="icon"> tag for tracker.php
  4. Fenix tries to retrieve favicon to tracker.php and then tracking cookie is set by the response
  5. Open private browsing mode
  6. Launch http://csrf.jp/2020/favicon/welcome.php again.
    Then Fenix sends HTTP request to tracker.php with tracking cookie set at 4)

As far as I checked, Firefox PC and iOS doesn't send.
Fenix should do the same thing.

Flags: sec-bounty?

Not sure if this is a GeckoView problem or a fenix problem. Adding snorp and Sebastian

Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → Security: Android
Product: Firefox → Fenix

Sending cookies with favicon isn't what we want, but by itself not so bad. Sharing the cookie with PB is worse. setting sec-moderate assuming the cookie can be SET in private browsing (breaking the promise of that mode). If it's only sent if it happens to exist because set in normal browsing then it's probably sec-low.

Flags: needinfo?(snorp)
Flags: needinfo?(s.kaspari)

I think a-c just needs to pass FETCH_FLAGS_ANONYMOUS or FETCH_FLAGS_PRIVATE for favicon fetches.

Flags: needinfo?(snorp)

Oops, apparently PRIVATE isn't actually available. ANONYMOUS will avoid the cookies being sent at least.

(In reply to Daniel Veditz [:dveditz] from comment #2)

Sharing the cookie with PB is worse. setting sec-moderate assuming the cookie can be SET in private browsing (breaking the promise of that mode).
Yes, your understanding is correct. Cookie can be set in private mode.
Even if user sets all checks in "Delete browsing data on quit", the cookie recorded in private mode is not removed.
That is also sent through favicon requests in normal mode after restart of Fenix.

Assignee: nobody → s.kaspari
Status: NEW → ASSIGNED
Flags: needinfo?(s.kaspari)

I'll take it. Our favicon code already knows about private tabs (to not save anything to disk), so I assume this should be easy to add.

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) (he/him) from comment #3)

I think a-c just needs to pass FETCH_FLAGS_ANONYMOUS or FETCH_FLAGS_PRIVATE for favicon fetches.

(In reply to Daniel Veditz [:dveditz] from comment #2)

Sending cookies with favicon isn't what we want, but by itself not so bad.

Just to clarify: Do we want ALL favicon fetches to use that flag? Or should we only use it for favicons of private tabs?

Attachment #9168856 - Flags: sec-approval?
Attachment #9168856 - Flags: review?(snorp)
Attachment #9168856 - Flags: review?(csadilek)
Attachment #9168856 - Flags: sec-approval?
Attachment #9168856 - Flags: review?(csadilek) → review+

Patch for this landed in AC 48/52 and was part of Fenix build 79.0.3 and 80.0.0 Beta 5.

Verified on 79.0.3 & Beta 80.0.0-beta 5, following the STR from the description:
There appears to be a different response header on different devices I've tried:

Pixel 4 (Android 10):

  • on 79.0.3, in PB there is no Set-Cookie response & no tracker.php created.
  • on 80.0.0-beta5, in PB there is a Set-Cookie response & tracker.php created.

Nexus 6P, Android 8.1, x86 emulator:

  • Set-cookie response sent with the correct value and tracker.php is created, in PB, on both versions

*I've added 2 screenshots with the different response headers on the 2 builds.

The cookie set in normal browsing is not visible on neither of them while in private mode, so that is fixed.
Agreed with Sebastian I'll add this to https://github.com/mozilla-mobile/android-components/issues/7719 for further investigation.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.