URLs for most sites that are visited are logged to logcat
Categories
(Focus :: General, defect, P1)
Tracking
(Not tracked)
People
(Reporter: kbrosnan, Assigned: droeh)
Details
(Keywords: privacy, sec-moderate, Whiteboard: [geckoview:m83])
Attachments
(1 file: 96.58 KB, image/png)
Looks like a lot of debug level warnings as well as cookie same site console logging are enabled for Focus. While logcat data is expired by the OS as the file hits a size or line count limit, this is still something that a privacy browser should not be logging.
09-22 17:14:56.952 30763-30796/? D/GeckoViewProgress[C]: ProgressTracker changeLocation https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin
09-22 17:14:56.952 30701-30701/? D/GeckoSession: handleMessage GeckoView:LocationChange uri=https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin
09-22 17:14:56.952 30701-30701/? I/LoadTimeObserver: zerdatime 4062432 - url changed to https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin, new page load start
09-22 17:14:56.952 30701-30737/? D/GeckoViewProgress: onLocationChange: location=https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fwww.google.com%2Fmaps%2F%4045.5245999%2C-122.6535992%2C12z%3Fnogmmr%3D1%26hl%3Den&hl=en&service=local&flowName=GlifWebSignIn&flowEntry=ServiceLogin, flags=0x1
09-22 17:14:57.682 30763-30796/? W/Web Content: [JavaScript Warning: "Cookie “CheckConnectionTempCookie113” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite" {file: "https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1381550097&timestamp=1600820096602" line: 94}]
Assignee
Comment 1•4 years ago
Is this happening on a debug or release build? The GV stuff, at least, should not be getting printed to logcat on a release build, and my understanding was that printing that sort of info for debug builds was fine.
Reporter
Comment 2•4 years ago
Yes, this is a release build 8.8.0 using Gecko 81. Filtering my Android Studio logcat by http shows several GeckoViewProgress, GeckoSession and Web Content warnings. Using a Pixel 3 running Android 10 and the Samsung Galaxy S5 running Android 6.
Comment 3•4 years ago
This is more of a privacy issue than a security one, but since it's the point of Focus (or privacy mode in general) we shouldn't be writing this kind of thing to disk. Other apps shouldn't be able to read it, but it's certainly available for forensic attacks.
Assignee
Comment 4•4 years ago
Put up a patch for this on GitHub: https://github.com/mozilla-mobile/focus-android/pull/4631 -- I'll close this bug when it lands.
Comment 6•4 years ago
Tested on Focus 8.8.3 with Pixel 3 (Android 11) and after filtering Android Studio logcat by HTTP the following are displayed: GeckoViewProgress, along with others.
Assignee
Comment 7•4 years ago
(In reply to Sorina Florean [:sflorean] from comment #6)
Created attachment 9181805 [details]
Screenshot_31.png
Tested on Focus 8.8.3 with Pixel 3 (Android 11) and after filtering Android Studio logcat by HTTP the following are displayed: GeckoViewProgress, along with others.
Thanks for catching this, I'm not sure why these didn't show up when I tested. It looks like the new proguard changes aren't working for some reason, I'll investigate further.
Comment 8•4 years ago
We have a new GV version in the latest Focus release. This can be re-tested again. Apologies for the long delay.
Comment 9•4 years ago
Hi all,
Tested on 8.11.0 - GV 84 with Pixel 3 (Android 11) and couldn't reproduce the issue, following the steps posted above.
Reporter
Comment 10•4 years ago
This looks good.
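The manual check used in comments 2, 6 and 9 (filtering logcat for http) can be scripted as a release gate that fails when any log tag prints a URL. This is an added example, not code from Focus or GeckoView: the function names, the `DOC_HOSTS` allowlist and the sample lines are assumptions constructed for illustration, and only the Android Studio line layout shown in the description is parsed into tags.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Android Studio logcat layout seen in this bug:
#   MM-DD HH:MM:SS.mmm PID-TID/PACKAGE LEVEL/TAG: message
LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+-\d+/\S+\s+"
    r"(?P<level>[VDIWEF])/(?P<tag>[^:]+): (?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>,\]}]+", re.IGNORECASE)
# Hosts that appear in fixed message text (documentation links), not browsing.
DOC_HOSTS = ("developer.mozilla.org",)
# Constructed sample lines (example.* hosts), not captured from a device.
SAMPLE = [
    "09-22 17:14:56.952 30763-30796/? D/GeckoViewProgress[C]: ProgressTracker changeLocation https://login.example.com/signin?continue=https%3A%2F%2Fmaps.example.com",
    "09-22 17:14:56.952 30701-30701/? D/GeckoSession: handleMessage GeckoView:LocationChange uri=https://login.example.com/signin?hl=en",
    "09-22 17:14:56.952 30701-30701/? I/LoadTimeObserver: url changed to https://login.example.com/signin?hl=en, new page load start",
    '09-22 17:14:57.682 30763-30796/? W/Web Content: [JavaScript Warning: "Cookie will be rejected, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite" {file: "https://accounts.example.org/CheckConnection?v=1" line: 94}]',
    "09-22 17:14:58.001 30701-30701/? I/ActivityManager: Displayed activity in +120ms",
]

def find_url_leaks(lines, allowed_hosts=()):
    """Return (level, tag, host) per logged URL; only the host is kept so the
    report does not repeat the path and query string that leaked."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        # Lines in another layout are still scanned, with an unknown tag.
        level, tag, msg = (m["level"], m["tag"].strip(), m["msg"]) if m else ("?", "?", line)
        for url in URL_RE.findall(msg):
            try:
                host = urlsplit(url).hostname or "?"
            except ValueError:  # malformed authority, e.g. a broken IPv6 literal
                host = "?"
            if host not in allowed_hosts:
                leaks.append((level, tag, host))
    return leaks

def leaks_by_tag(lines, allowed_hosts=()):
    """Count logged URLs per tag, to see which component still needs silencing."""
    return Counter(tag for _, tag, _ in find_url_leaks(lines, allowed_hosts))

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    counts = leaks_by_tag(lines, DOC_HOSTS)
    for tag, n in counts.most_common():
        print(f"{tag}: {n} URL(s) logged")
    sys.exit(1 if counts else 0)
```

Run against a release build's logcat saved from Android Studio, a non-zero exit status means at least one tag is still writing visited URLs.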