Closed Bug 1665635 Opened 4 years ago Closed 4 years ago

Icon Notification leakage across containers [due to reddit enhancement suite]

Categories

(Firefox :: Security, defect)

80 Branch
defect


RESOLVED INVALID

People

(Reporter: haaroon.yousaf, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

Open reddit in two different containers, one logged in with a reddit account (container A) and the other without an account (B).

One version of reddit (container A) must have a pending notification, which can either be a message or a comment. Having a notification causes the icon in the address bar to have a small white one in a blue circle next to it.

Refresh the page in the container (A) that has the notification.

The container (B) without the notification will have its icon changed once container A has loaded. Both A and B will have the same icon.

Actual results:

By doing the steps in what did you do, you will see the icons across containers of the same website become the same.

Expected results:

The icons should be different and only correspond to their respective containers. Information should not leak across containers. Further investigation of leakage has not been performed.

Attached image image.png

two reddits, different accounts, same notification number

The UX is unfortunate, and a bug, but as long as the web contents in B don't know about the notification (that is, it's only visual in the browser UI) then it's probably not a "security" bug -- just misleading to the user.

Maxx -- are these tab icons handled by the Containers extension or the Firefox front-end itself?

Component: Untriaged → Security
Flags: needinfo?(mcrawford)

The favicons are not handled by Containers. Only the colored bar underneath the tab or the tab name to the far right side of the URL bar. (In this example, the briefcase icon and "Work").

This seems like a front-end issue. I'm curious how Reddit does its internal notification broadcasting in such a way. That's some heavy duty finger-printing.

Flags: needinfo?(mcrawford)

Thanks for confirming. Yeah, I was a bit worried whether the icon changes enable any sort of fingerprinting, or if it was purely on the client side for just UX and nothing else.

Marco, I'm guessing that we don't segment the local favicon DB based on userContextId (ie container), and that's what trips this?

Flags: needinfo?(mak)

(If so, I don't think this is going to be a security issue.)

As in the actual favicon? I don't think the physical favicon changes nor is a new one downloaded. It just overlays a number onto the existing one.

(In reply to :Gijs (he/him) from comment #5)

Marco, I'm guessing that we don't segment the local favicon DB based on userContextId (ie container), and that's what trips this?

We don't, though we also have specific code paths to handle the notifications case. It's possible this is an unhandled edge case or tech evang.

In particular, these notification favicons should usually be served with a Cache-control: no-store header, which would make us not store them in the persistent (Places) cache. Additionally, we only store in the persistent cache icons added before onPageShow.
This behavior should exclude most of the cases where a website uses the favicon to notify.

What confuses me more is that comment 0 speaks about the icon in the address bar, not the icon in the tabs, and because reddit is a secure page, Firefox Desktop doesn't show an icon in the address bar.
If we're speaking about the tabs instead, I'm even more confused because the tab only relies on <link> tags in the loaded page and can't depend on a page in another tab.

EDIT: oh wait, there is a sshot. checking.

Flags: needinfo?(mak) → needinfo?(haaroon.yousaf)

(In reply to haaroon.yousaf from comment #7)

As in the actual favicon? I don't think the physical favicon changes nor is a new one downloaded. It just overlays a number onto the existing one.

To the best of my knowledge, there is no API to do such a thing. If a website changes the favicon, it will add a new link element pointing to a different image - try looking for tutorials / stackoverflow posts to see how to do this.

I can't reproduce the bug as filed because I don't see an icon change even though I have unread messages / replies (maybe because they're old; I don't really use reddit), so I can't verify this is what reddit do, but as I'm pretty sure it's the only way to do it...

Flags: needinfo?(haaroon.yousaf)

Ok, based on the screenshot this is not about the urlbar, it's only about the tab. I'm confused because afaik the tab icon only depends on <link> added by the page, there's no smart handling of icons across pages on Firefox side. So both pages should be adding a link to that same badged favicon.

Do you have some add-ons installed like Reddit Enhancement Suite?

Flags: needinfo?(haaroon.yousaf)

Apologies, I mean the icon in the tabs, as shown in the screenshots.

Ahh yes, I have the Reddit Enhancement Suite and that is the culprit. I disabled it and there is no notification number. Thanks for spotting. This can be closed now since it's an addon issue. Sorry about this, should've known to disable addons before I sent a report.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(haaroon.yousaf)
Resolution: --- → INVALID

Thanks for reporting back.

Group: firefox-core-security
Summary: Icon Notification leakage across containers → Icon Notification leakage across containers [due to reddit enhancement suite]
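
The diagnosis in this thread rests on the tab icon following whatever `<link rel="icon">` elements end up in the loaded page. As an added example (not code from this bug, from Firefox, or from any extension; all function names are hypothetical), this console snippet logs each favicon link change in a tab and classifies its href, so the same site in two containers can be compared before filing a report.

```javascript
// Added triage example; not code from this bug, Firefox, or any extension.
// All function names are hypothetical.

// True for <link> elements whose rel contains the "icon" token.
function isIconLink(node) {
  return !!node && node.nodeName === 'LINK' &&
    /(^|\s)icon(\s|$)/i.test(node.rel || '');
}

// Describe one favicon change: where the image comes from and when it was set.
function classifyIconChange(href, pageOrigin, afterPageShow) {
  let source;
  if (/^(data|blob):/i.test(href)) {
    source = 'generated'; // image built by script, not fetched from a server
  } else {
    try {
      source = new URL(href, pageOrigin).origin === pageOrigin
        ? 'same-origin' : 'cross-origin';
    } catch {
      source = 'invalid';
    }
  }
  // afterPageShow matters because, per the thread, only icons added before
  // pageshow are stored in the persistent (Places) cache.
  return { source, afterPageShow, href: href.slice(0, 80) };
}

// Log every favicon <link> that is added or has its href/rel changed.
function watchFavicon(doc, win, log) {
  // Approximation: if pasted into a finished page, treat pageshow as passed.
  let shown = doc.readyState === 'complete';
  win.addEventListener('pageshow', () => { shown = true; });
  const record = (node) => {
    if (isIconLink(node)) {
      log(classifyIconChange(node.href, win.location.origin, shown));
    }
  };
  new win.MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes') record(m.target);
      else m.addedNodes.forEach(record);
    }
  }).observe(doc.documentElement, {
    childList: true, subtree: true,
    attributes: true, attributeFilter: ['href', 'rel'],
  });
}

if (typeof document !== 'undefined') watchFavicon(document, window, console.log);
```

If the badged icon is logged in both containers and stops appearing with add-ons disabled, the change comes from script running in the page rather than from the browser's favicon store, which is the conclusion the thread reached.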