Closed Bug 1658231 Opened 4 years ago Closed 4 years ago

Web Notification API in Fenix shares private mode cookie with normal mode

Categories

(Fenix :: General, defect)

Unspecified
Android
defect

Tracking

(firefox79 verified, firefox80 verified)

RESOLVED FIXED
Tracking Status
firefox79 --- verified
firefox80 --- verified

People

(Reporter: sdna.muneaki.nishimura, Assigned: royang)

References

()

Details

(Keywords: csectype-disclosure, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

Similar to Bug 1657251, the icon request of the Web Notification API in Fenix shares the private browsing mode cookie with normal browsing mode. Also, the cookie value is kept after restart even when Delete browsing data on quit is enabled.
The reason is that the icon request is sent from native code, which shares a cookie store between private and normal mode. Also, that cookie store is not in the scope of the Delete browsing data on quit feature.
https://github.com/mozilla-mobile/android-components/blob/master/components/feature/webnotifications/src/main/java/mozilla/components/feature/webnotifications/NativeNotificationBridge.kt#L74

That allows a website to track its users even when they use private browsing mode.

Here are the reproduction steps (see the attached image for the demo).

  1. Launch https://csrf.jp/2020/notification in normal browsing mode
  2. Enter the name 'public' in the form and submit
  3. Tap the "Enable Notification" button and allow for the domain
  4. Launch https://csrf.jp/2020/notification in private browsing mode
  5. Enter the name 'private' in the form and submit
  6. Tap the "Enable Notification" button again and allow for the domain
  7. Tap the "Show Notification" button (in the private mode tab)
  8. Fenix tries to retrieve the icon from tracker.php and then the tracking cookie user=private is set by the response
  9. Open the normal browsing mode tab from step 1
  10. Tap the "Show Notification" button (in the normal mode tab)
  11. Fenix sends the icon request to tracker.php with user=private in the cookie that was set in step 8
Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → Security: Android
Product: Firefox → Fenix
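The mechanism in the report (one native cookie store serving icon fetches from both browsing modes, with the tracker setting a cookie on the icon response and reading it back on the next fetch) modeled in Python as an added example. This is not Fenix or android-components code: `CookieJar`, `TrackerServer`, `IconLoader` and the three policy functions are constructed stand-ins, and it assumes that an `OMIT` policy discards the response's `Set-Cookie` as well as suppressing the outgoing `Cookie` header. The policies correspond to the original shared-store behaviour, a conditional `OMIT` for private requests only, and an unconditional `OMIT`; the model also runs the report's steps in the opposite order, which the report does not cover.

```python
"""Constructed model of the web-notification icon fetch and its cookie policy.

Not Fenix/android-components code: CookieJar stands in for the native cookie
store shared by normal and private mode, TrackerServer for the tracker.php
endpoint in the report, and the policy functions for the variants discussed
in the bug. Assumption: OMIT also ignores Set-Cookie on the response.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class CookiePolicy(Enum):
    INCLUDE = "include"  # send stored cookies and store Set-Cookie from the response
    OMIT = "omit"        # send no cookies and ignore Set-Cookie (assumed)


Policy = Callable[[bool], CookiePolicy]  # is_private -> policy for that request
Step = Tuple[bool, str]                  # (is_private, name submitted in that tab)


class CookieJar:
    """A single jar that both browsing modes read and write (the root cause)."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}

    def cookie_header(self, host: str) -> Optional[str]:
        cookies = self._store.get(host)
        if not cookies:
            return None
        return "; ".join(f"{k}={v}" for k, v in cookies.items())

    def store(self, host: str, set_cookie: str) -> None:
        name, _, value = set_cookie.partition("=")
        self._store.setdefault(host, {})[name] = value


class TrackerServer:
    """Stand-in for tracker.php: records the Cookie header of each icon request
    and answers with Set-Cookie: user=<name>, as step 8 of the report describes."""

    def __init__(self) -> None:
        self.seen: List[Optional[str]] = []

    def icon_request(self, cookie: Optional[str], name: str) -> str:
        self.seen.append(cookie)
        return f"user={name}"


class IconLoader:
    """Fetches the notification icon under the cookie policy chosen for the request."""

    def __init__(self, jar: CookieJar, server: TrackerServer, policy: Policy) -> None:
        self.jar, self.server, self.policy = jar, server, policy

    def fetch(self, host: str, is_private: bool, name: str) -> Optional[str]:
        policy = self.policy(is_private)
        cookie = self.jar.cookie_header(host) if policy is CookiePolicy.INCLUDE else None
        set_cookie = self.server.icon_request(cookie, name)
        if policy is CookiePolicy.INCLUDE:  # OMIT discards the response cookie too
            self.jar.store(host, set_cookie)
        return cookie


# The three variants discussed in the bug.
def always_include(is_private: bool) -> CookiePolicy:
    """Original behaviour: the shared store is used in both modes."""
    return CookiePolicy.INCLUDE


def conditional(is_private: bool) -> CookiePolicy:
    """OMIT only for private requests, INCLUDE otherwise."""
    return CookiePolicy.OMIT if is_private else CookiePolicy.INCLUDE


def always_omit(is_private: bool) -> CookiePolicy:
    """Icon requests never carry or store cookies in either mode."""
    return CookiePolicy.OMIT


# Steps 7-11 of the report: the private tab shows a notification, then the normal tab.
REPORT_STEPS: List[Step] = [(True, "private"), (False, "public")]
# The same steps in the opposite order (constructed; not part of the report).
REVERSE_STEPS: List[Step] = [(False, "public"), (True, "private")]


def run(policy: Policy, steps: List[Step]) -> List[Optional[str]]:
    """Return the Cookie header the tracker saw on each icon request."""
    server = TrackerServer()
    loader = IconLoader(CookieJar(), server, policy)
    for is_private, name in steps:
        loader.fetch("csrf.jp", is_private, name)
    return server.seen


def cross_mode_leak(policy: Policy, steps: List[Step]) -> bool:
    """True if any icon request carried a user= value that was set from the other mode."""
    for (_, name), cookie in zip(steps, run(policy, steps)):
        if cookie and cookie != f"user={name}":
            return True
    return False


if __name__ == "__main__":
    for label, policy in [("always INCLUDE", always_include),
                          ("conditional", conditional),
                          ("always OMIT", always_omit)]:
        print(f"{label:15} report order: {run(policy, REPORT_STEPS)} "
              f"leak={cross_mode_leak(policy, REPORT_STEPS)}")
```

Under the shared-store policy the second request carries `user=private` into normal mode, which is exactly step 11 of the report; both `OMIT` variants keep the tracker from ever correlating the two modes, and the unconditional one also leaves the store empty, so nothing survives a restart.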

As suggested, all web notification icon requests will be set to private so we don't send cookies in the request.

Assignee: nobody → royang
Attachment #9169249 - Flags: review?(snorp)
Attachment #9169249 - Flags: review?(s.kaspari)
Comment on attachment 9169249 [details] [diff] [review] webnotification_private_1.patch Review of attachment 9169249 [details] [diff] [review]: ----------------------------------------------------------------- ::: components/browser/icons/src/main/java/mozilla/components/browser/icons/loader/HttpIconLoader.kt @@ +43,4 @@ > val downloadRequest = Request( > url = resource.url, > method = Request.Method.GET, > + cookiePolicy = if (request.isPrivate) Request.CookiePolicy.OMIT else Request.CookiePolicy.INCLUDE, I think you probably just want to set this to `OMIT` all the time.
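Review bot: the conditional `cookiePolicy = if (request.isPrivate) Request.CookiePolicy.OMIT else Request.CookiePolicy.INCLUDE` in HttpIconLoader.kt only closes the reported leak if `OMIT` also discards the `Set-Cookie` on the icon response: step 8 of the report has the tracking cookie stored from a private-mode icon fetch and step 11 has it sent from normal mode, so if `OMIT` only suppresses the outgoing `Cookie` header a private-mode fetch would still write into the shared store. Since the icon fetch needs no cookies in either mode, unconditional `Request.CookiePolicy.OMIT` (as suggested above) removes that dependency and also keeps the store empty across restarts, which the report lists as a second problem.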

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) (he/him) from comment #2)

> I think you probably just want to set this to OMIT all the time.

I see. I've attached a new patch. Thanks

Attachment #9169259 - Flags: review?(snorp)
Attachment #9169259 - Flags: review?(s.kaspari)
Attachment #9169259 - Flags: review?(snorp) → review+
Comment on attachment 9169259 [details] [diff] [review] webnotification_private_2.patch
Review of attachment 9169259 [details] [diff] [review]:
-----------------------------------------------------------------
HttpIconLoader was already patched in `master` and all release branches in bug 1657251. Does this patch still apply on the latest master state?

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) (he/him) from comment #2)

> I think you probably just want to set this to OMIT all the time.

In bug 1657251 we patched it to be conditional?

Updated to work with latest master

Attachment #9169444 - Flags: review?(snorp)
Attachment #9169444 - Flags: review?(s.kaspari)
Attachment #9169444 - Flags: review?(snorp) → review+

Verified as fixed on both RC 79.0.5 & Beta 80.0.1 builds: the private cookie is not shown in normal browsing mode.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+

Given the user interaction requirements (users rarely grant notification permission -- single digit percentages, and lots of users block requests for all domains) we're not sure this strictly qualifies for the bounty, but we are appreciative of being able to fix this privacy issue.

Attachment #9169259 - Flags: review?(s.kaspari)
Attachment #9169249 - Flags: review?(s.kaspari)
Attachment #9169444 - Flags: review?(s.kaspari)
Group: core-security-release
Component: Security: Android → General
OS: Unspecified → Android