Closed Bug 1666655 Opened 4 years ago Closed 4 years ago

URLs for most sites that are visited are logged to logcat

Categories

(Focus :: General, defect, P1)

All
Android
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kbrosnan, Assigned: droeh)

Details

(Keywords: privacy, sec-moderate, Whiteboard: [geckoview:m83])

Attachments

(1 file)

Looks like a lot of debug-level warnings, as well as cookie SameSite console logging, are enabled for Focus. While logcat data is expired by the OS as the file hits a size or line count limit, this is still something that a privacy browser should not be logging.

09-22 17:14:56.952 30763-30796/? D/GeckoViewProgress[C]: ProgressTracker changeLocation https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin
09-22 17:14:56.952 30701-30701/? D/GeckoSession: handleMessage GeckoView:LocationChange uri=https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin
09-22 17:14:56.952 30701-30701/? I/LoadTimeObserver: zerdatime 4062432 - url changed to https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin, new page load start
09-22 17:14:56.952 30701-30737/? D/GeckoViewProgress: onLocationChange: location=https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin, flags=0x1
09-22 17:14:57.682 30763-30796/? W/Web Content: [JavaScript Warning: "Cookie “CheckConnectionTempCookie113” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite" {file: "https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1381550097&timestamp=1600820096602" line: 94}]
Group: mobile-core-security
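To turn the report above into a repeatable check, here is an added example (not code from this bug, Focus or GeckoView) that parses logcat lines in the threadtime format shown in the comment and lists which tags emitted a visited URL; the sample lines are constructed, modelled on the ones above, and the `release_capture_is_clean` gate is a hypothetical name.

```python
import re
from urllib.parse import urlsplit

# Logcat "threadtime" line, as seen in the report:
#   MM-DD HH:MM:SS.mmm PID-TID/PKG LEVEL/TAG: message
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<pid>\d+)-(?P<tid>\d+)/(?P<pkg>\S+) "
    r"(?P<level>[VDIWEF])/(?P<tag>[^:]+): (?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample (not a real capture), shaped like the lines in the report.
SAMPLE = """\
09-22 17:14:56.952 30701-30701/? D/GeckoSession: handleMessage GeckoView:LocationChange uri=https://accounts.example.com/signin?continue=https%3A%2F%2Fwww.example.com%2Fmaps
09-22 17:14:56.952 30701-30737/? D/GeckoViewProgress: onLocationChange: location=https://accounts.example.com/signin?continue=https%3A%2F%2Fwww.example.com%2Fmaps, flags=0x1
09-22 17:14:57.100 30701-30701/? I/ActivityManager: Displayed org.mozilla.focus/.activity.MainActivity: +512ms
09-22 17:14:57.682 30763-30796/? W/Web Content: [JavaScript Warning: "Cookie X will be rejected" {file: "https://accounts.example.com/CheckConnection?v=-1" line: 94}]
"""


def parse_line(line):
    """Split one logcat line into its fields, or return None if it does not match."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None


def find_url_leaks(text):
    """Return (tag, level, host, path) for every logcat line whose message carries a URL."""
    leaks = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for url in URL_RE.findall(rec["msg"]):
            parts = urlsplit(url.rstrip(",;)]}"))  # drop trailing punctuation glued to the URL
            leaks.append((rec["tag"], rec["level"], parts.netloc, parts.path))
    return leaks


def leaking_tags(text):
    """Distinct tags that printed a URL, to identify the component whose logging must be stripped."""
    return sorted({tag for tag, _, _, _ in find_url_leaks(text)})


def release_capture_is_clean(text):
    """Regression gate for a release build: no logcat line may carry a browsed URL."""
    return not find_url_leaks(text)
```

Run `adb logcat -v threadtime -d` on a release build and pass the capture to `release_capture_is_clean`; the GeckoSession and GeckoViewProgress tags from the report are exactly what the gate should no longer find.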

Is this happening on a debug or release build? The GV stuff, at least, should not be getting printed to logcat on a release build, and my understanding was that printing that sort of info for debug builds was fine.

Flags: needinfo?(kbrosnan)

Yes, this is a release build 8.8.0 using Gecko 81. Filtering my Android Studio logcat by http shows several GeckoViewProgress, GeckoSession and Web Content warnings. Using a Pixel 3 running Android 10 and the Samsung Galaxy S5 running Android 6.

Flags: needinfo?(kbrosnan)
Assignee: nobody → droeh
Priority: -- → P1
Whiteboard: [geckoview:m83]

This is more of a privacy issue than a security one, but since it's the point of Focus (or privacy mode in general) we shouldn't be writing this kind of thing to disk. Other apps shouldn't be able to read it, but it's certainly available for forensic attacks.

Severity: -- → S2

Put up a patch for this on Github: https://github.com/mozilla-mobile/focus-android/pull/4631 -- I'll close this bug when it lands.

The PR is merged and is part of the 8.8.3 release that will go out.

Attached image Screenshot_31.png

Tested on Focus 8.8.3 with Pixel 3 (Android 11) and after filtering Android Studio logcat by HTTP the following are displayed: GeckoViewProgress, along with others.

Flags: needinfo?(jonalmeida942)

(In reply to Sorina Florean [:sflorean] from comment #6)

> Created attachment 9181805 [details]
> Screenshot_31.png
>
> Tested on Focus 8.8.3 with Pixel 3 (Android 11) and after filtering Android Studio logcat by HTTP the following are displayed: GeckoViewProgress, along with others.

Thanks for catching this, I'm not sure why these didn't show up when I tested. It looks like the new proguard changes aren't working for some reason, I'll investigate further.

We have a new GV version in the latest Focus release. This can be re-tested. Apologies for the long delay.

Flags: needinfo?(jonalmeida942)

Hi all,
Tested on 8.11.0 - GV 84 with Pixel 3 (Android 11) and couldn't reproduce the issue, following the steps posted above.

This looks good.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Group: core-security-release
Component: Security: Android → General