Closed Bug 1658078 Opened 4 years ago Closed 4 years ago

The credential manager leaks identifying information across dFPI's partitions

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

RESOLVED DUPLICATE of bug 786276

People

(Reporter: englehardt, Unassigned)

References

(Blocks 1 open bug)

Details

The credential manager can be abused to silently leak identifying information across partitions. While a user does need to manually submit credentials at least once to an origin and save them in the credential manager, all future page loads can silently read those credentials from within an iframe.

The attack is similar to the one described here, but the difference is the tracker is retrieving its own credentials from within an iframe rather than retrieving the first party's credentials.

A demo site is available here: https://senglehardt.com/test/dfpi/page_with_credentials.html. Enter credentials and then visit the other top-level sites that embed the same iframe.

The solution proposed in Bug 1427543 seems sufficient. In that case credentials can still be autofilled across sites, but only after user interaction. That significantly limits the potential for abuse.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Hi Steven, this should be fixed by Bug 786276 on the latest Firefox Beta and Nightly version.
Testing on Beta on https://senglehardt.com/test/dfpi/page_with_credentials.html on my end has the following result:
Credentials will not be autofilled for:

  • senglehardt.netlify.app
  • senglehardt.com

But for test.senglehardt.com the email is sniffed. Shouldn't it also just display the form like for the other top-level sites?

Flags: needinfo?(senglehardt)

The fix in Bug 786276 means that we will no longer autofill in cross-origin iframes. The iframe on the senglehardt.com test page is from test.senglehardt.com. Thus, it makes sense that the test.senglehardt.com iframe will autofill when loading under the top-level origin test.senglehardt.com, but not any of the other top-level origins.

But this is actually still a privacy risk from the partitioning perspective: a user may fill out and save credentials on senglehardt.com, not knowing that they're interacting with an iframe from a different origin. This leaks the credentials across origins whenever the iframe's origin is visited as a first-party. Since we don't actually autofill these cross-origin values anymore, it may also make sense for us to stop prompting users to save them. I've filed Bug 1673714 for that.

Flags: needinfo?(senglehardt)
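The behaviour discussed in the comments above, as an added example that is not part of the original bug or of Firefox's source: a simplified model of "no autofill in cross-origin iframes", applied to the three top-level sites from the test. The function names, the URL paths marked as constructed, and the check against every ancestor (not only the top-level document) are assumptions of this model.

```javascript
// Simplified model of the "no autofill in cross-origin iframes" rule.
// Not Firefox code; names and the ancestor walk are assumptions.

// Serialized origin of a URL, or null when the origin is opaque or the
// URL is unparsable (about:blank, data:, malformed input).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// frameUrl: the document that contains the login form.
// ancestorUrls: its ancestors, parent first, top-level document last
// (empty when the form is in the top-level document itself).
// Autofill on load is allowed only if every ancestor shares the form
// document's origin (scheme, host and port), not merely its site.
function mayAutofillOnLoad(frameUrl, ancestorUrls) {
  const self = originOf(frameUrl);
  if (self === null) return false; // opaque origins never match
  return ancestorUrls.every((a) => originOf(a) === self);
}

// Iframe origin from the bug; the path is constructed.
const FRAME = "https://test.senglehardt.com/frame.html";

// Top-level sites from the test; paths other than the first are constructed.
const TOP_LEVEL = [
  "https://senglehardt.com/test/dfpi/page_with_credentials.html",
  "https://senglehardt.netlify.app/page.html",
  "https://test.senglehardt.com/page.html",
];

// One row per top-level site: does the embedded login form autofill?
function decisionTable() {
  return TOP_LEVEL.map((top) => ({
    topLevel: originOf(top),
    autofill: mayAutofillOnLoad(FRAME, [top]),
  }));
}

console.table(decisionTable());
```

senglehardt.com and test.senglehardt.com are same-site but not same-origin, so only the last row autofills, which matches the test result reported above.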