Closed Bug 1672394 Opened 1 month ago Closed 27 days ago

Purging logs user out of some sites (e.g. Twitter / Google) every day when clearing history on shutdown is enabled (summary in comment 20)

Categories

(Core :: Privacy: Anti-Tracking, defect, P1)

Firefox 82
defect

Tracking


VERIFIED FIXED
84 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- disabled
firefox83 --- verified
firefox84 --- verified

People

(Reporter: andre, Assigned: johannh)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

Logged into Google, Twitter and several other accounts.

Actual results:

Next day, after approximately 24 hours, I am logged out of these services again, but not all.

Expected results:

Should have been logged in still because Privacy Settings are set to keep active logins and cookies are not deleted on shutdown of Firefox.

There are many similar reports on reddit confirmed to be caused by privacy.purge_trackers.enabled.

Status: UNCONFIRMED → NEW
Component: Untriaged → Privacy: Anti-Tracking
Ever confirmed: true
Keywords: regression
Product: Firefox → Core

Looking at the Reddit thread there seems to be some correlation with purging, I'll try to find out what's causing it...

Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Priority: -- → P1

I can't reproduce :|

If anyone has hit this issue (i.e. getting logged out of sites like Twitter and Google daily), it would be awesome if you could do the following things:

  1. In about:config, ensure that the following prefs are set like this:

privacy.purge_trackers.enabled -> true
privacy.purge_trackers.logging.level -> All (capitalization is important here)

  2. Do the things you normally do to log into the sites you get logged out of.

  3. Open the Browser Toolbox (which is not the regular devtools, see link) and in the "Console" tab, enter the following code:

await Components.classes["@mozilla.org/purge-tracker-service;1"].getService(Components.interfaces.nsIPurgeTrackerService).purgeTrackingCookieJars() 

Note: As a security engineer I feel obliged to tell you to not normally do this, don't enter code from random internet people there.

  4. Look at the output that gets logged now. It will include a lot of personal information, mostly sites you've visited before, but no secret data such as logins. If you feel comfortable sharing all this information with me, please do. If not, please look for the lines mentioning the sites that you are getting logged out of, e.g. https://twitter.com and share those.

  5. Finally check if you were logged out of Twitter etc. again and let me know.

Feel free to either comment on this bug or send your data directly to jhofmann@mozilla.com

Thank you!

Hi Andre, can you follow the steps in comment 3 by any chance?

Thanks!

Flags: needinfo?(andre)

All I get after entering the code in the Console tab is: https://i.imgur.com/iaIIjvK.png

Flags: needinfo?(andre)

Are you opening the browser toolbox or the regular developer toolbox? Note that the browser toolbox is similar to devtools but needs to be opened separately, see https://developer.mozilla.org/en-US/docs/Tools/Browser_Toolbox

It should open in a new window and you should see a warning.

Flags: needinfo?(andre)

Switched to browser toolbox now and filtered the output for twitter, as I am indeed being logged out of it again after using the console command.

await Components.classes["@mozilla.org/purge-tracker-service;1"].getService(Components.interfaces.nsIPurgeTrackerService).purgeTrackingCookieJars()
undefined
*** PurgeTrackerService:: Maybe purging http://twitter.com. PurgeTrackerService.jsm:138:12
*** PurgeTrackerService:: Deleting data from: http://twitter.com PurgeTrackerService.jsm:199:12
*** PurgeTrackerService:: Data deleted from: http://twitter.com PurgeTrackerService.jsm:218:12
*** PurgeTrackerService:: Maybe purging https://twitter.com. PurgeTrackerService.jsm:138:12
*** PurgeTrackerService:: Deleting data from: https://twitter.com PurgeTrackerService.jsm:199:12
*** PurgeTrackerService:: Data deleted from: https://twitter.com PurgeTrackerService.jsm:218:12

I was not logged out of Google this time though. But I have noticed this behaviour earlier where I was logged out of services at different times over the day.

Flags: needinfo?(andre)

Google is not purging as it "has user interaction". After closing the browser and opening it again I was also logged out of google.

I think it would be ideal for me to get access to your profile. That contains a lot of personal data, so I completely understand if you're not willing to share it. It's obviously fine (and recommended) for you to clear all history, logins, etc. before sending it to me.

If you do want to share it, you can find your Profile Folder on about:support. You can send the zipped folder to jhofmann@mozilla.com

Otherwise I'd also appreciate getting the condensed about:support information from you :)

Thanks!

Flags: needinfo?(andre)

Profile provided via Google Drive link.

Flags: needinfo?(andre)

Ok, thank you very much, trying it out in your profile I was able to figure out the cause. It's pretty simple and a bit of an oversight on our part.

As you mentioned in comment 0, you have "Clear history when Firefox closes" activated. Firefox uses information linked to history for determining if you recently interacted with websites, which will then be cleared as well. You don't clear cookies at the same time (probably a conscious decision, but I'm a bit curious what threat model this is serving). So Purging will see that there are cookies set for twitter.com, but no history/interaction information. It will thus assume that twitter.com was not visited as a first-party and get rid of the cookies.

Technically the interaction data shouldn't even be linked to history (rather to "site preferences"), but bug 1524883 made it so that they're cleared together for privacy concerns.

Can you confirm that it always takes a restart for you to get logged out of Twitter, i.e. that calling the code snippet without restarting will not log you out?

Flags: needinfo?(andre)

There's another scenario where this could be problematic:

  • A user visits twitter.com and logs in, then goes on to browse other websites, e.g. "gifts for their spouse".
  • They notice that this was done in regular browsing and want to get rid of the last hour of browsing history to hide their tracks.
  • To avoid getting logged out of other sites they only clear history, not cookies
  • Since twitter was visited in the last hour interaction permissions for twitter are cleared
  • User is inadvertently logged out of Twitter (and all other tracking sites they were active on during the time)

I can confirm that calling the code snippet logs me out of Twitter (and Netflix, Amazon) without restarting Firefox. Google stays logged in somehow (having user interaction) and needs a restart of FF.

Flags: needinfo?(andre)

I want to stay logged in to sites I logged into but don't want to have visited sites highlighted in the next session. That is why I am clearing history on exit but keeping the cookies and active logins.

Okay, that's weird, I can't reproduce that on your profile. Just to confirm, are you maybe not actually interacting with Twitter, i.e. are you simply logging in with 1Password and then not clicking/scrolling on twitter? That could be a likely cause.

Actually, this might be the case. For the testing scenario I did log in, after clearing the cache and everything else, and then executed the snippet. I might go through all steps in comment #3 again under live conditions, but I'd hate having to log in to everything again. After several days with this bug (starting somewhere in an earlier version) it starts to get on my nerves ;)

I think it would be sufficient to just do:

  • Log in to Twitter
  • Click around a few times (inside the Twitter UI)
  • Then run the snippet
  • Reload Twitter -> Should not be logged out

Thanks!

Okay, did that. I was not logged out of twitter this time.
But as I am opening and closing the browser multiple times each day, wouldn't this mean that I was going to get logged out at a later time under my settings, because I am not always visiting Twitter or the other services each time I am using the browser?

Is this a bug, or just a problem with my settings (not using the browser the way it is meant to)?

It's a bug that we can fix :)

Here's the idea: Instead of strictly clearing interaction permissions together with history, for each permission we confirm that there are no cookies or site data in store for that origin, and only then clear it. That would still be fine privacy-wise since the user had cookies/site data around anyway, so keeping the permission doesn't reveal more. And it should fix this issue.

It's definitely a lot more complex to implement and expensive to run, so we keep on making bug 1524200 worse, but it's probably worth it.

Marking 82 as WONTFIX, still an edge case and not worth dot-releasing over.

Severity: -- → S3
Summary: Getting logged out of some sites (e.g. Twitter / Google) after one day. Security and Pricacy Settings are set correctly → Getting logged out of some sites (e.g. Twitter / Google) after one day. Security and Privacy Settings are set correctly
Summary: Getting logged out of some sites (e.g. Twitter / Google) after one day. Security and Privacy Settings are set correctly → Purging logs user out of some sites (e.g. Twitter / Google) every day when clearing history on shutdown is enabled
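The two comments above (the root-cause explanation and the proposed fix) describe a decision rule rather than showing it, so here is an added example that models it. This is illustration code written for this page, not Firefox's PurgeTrackerService; the pref names mirror Firefox's but are assumptions here, the origins and tracker list are constructed inline, and the real service consults the tracking-protection list and a site permission rather than two Sets. It shows the default behaviour, the bug (history cleared on shutdown wipes the interaction record, so logged-in trackers look like pure trackers), the landed fix (skip purging entirely for such users) and the alternative floated in the thread (only drop an interaction permission when the origin holds no cookies).

```javascript
// Added example for this bug (not Firefox's own code): a minimal model of
// how "purge trackers" decides what to delete, why clearing history on
// shutdown breaks it, and what the two fixes discussed in the thread do.
// Pref names mirror Firefox's but are assumptions; all state is constructed.

const ORIGINS = {
  twitter: "https://twitter.com",
  google: "https://google.com",
  news: "https://news.example", // constructed non-tracker site
  ads: "https://ads.example",   // constructed third-party tracker, never visited
};

// Browser state: cookie jars, recorded first-party interaction (Firefox keeps
// this as a site permission), the tracker list, and the relevant prefs.
function makeState() {
  return {
    cookies: new Set([ORIGINS.twitter, ORIGINS.google, ORIGINS.news, ORIGINS.ads]),
    interaction: new Set([ORIGINS.twitter, ORIGINS.google, ORIGINS.news]),
    trackers: new Set([ORIGINS.twitter, ORIGINS.google, ORIGINS.ads]),
    prefs: {
      "privacy.purge_trackers.enabled": true,
      "privacy.sanitize.sanitizeOnShutdown": false, // assumed pref name
      "privacy.clearOnShutdown.history": false,     // assumed pref name
      "privacy.clearOnShutdown.cookies": false,     // assumed pref name
    },
  };
}

// Model of "Clear history when Firefox closes". Since bug 1524883 the
// interaction permissions are wiped together with history, which is the
// root cause here. keepPermsWithSiteData models the alternative fix from
// the thread: keep the permission while the origin still has cookies.
function clearOnShutdown(state, { keepPermsWithSiteData = false } = {}) {
  const p = state.prefs;
  if (!p["privacy.sanitize.sanitizeOnShutdown"]) return state;
  if (p["privacy.clearOnShutdown.cookies"]) state.cookies.clear();
  if (p["privacy.clearOnShutdown.history"]) {
    for (const origin of [...state.interaction]) {
      if (keepPermsWithSiteData && state.cookies.has(origin)) continue;
      state.interaction.delete(origin);
    }
  }
  return state;
}

// Model of purgeTrackingCookieJars(): a known tracker that holds cookies
// but has no recorded first-party interaction is treated as a pure tracker
// and loses its cookies. skipWhenClearingHistory models the landed fix: if
// the user clears history on shutdown, interaction data is unreliable, so
// do not purge at all. Returns the sorted list of purged origins.
function purgeTrackingCookieJars(state, { skipWhenClearingHistory = false } = {}) {
  const p = state.prefs;
  const purged = [];
  if (!p["privacy.purge_trackers.enabled"]) return purged;
  if (
    skipWhenClearingHistory &&
    p["privacy.sanitize.sanitizeOnShutdown"] &&
    p["privacy.clearOnShutdown.history"]
  ) {
    return purged;
  }
  for (const origin of [...state.cookies]) {
    if (!state.trackers.has(origin)) continue;   // non-trackers are never purged
    if (state.interaction.has(origin)) continue; // user interacted, keep cookies
    state.cookies.delete(origin);
    purged.push(origin);
  }
  return purged.sort();
}

// Settings from comment 0: history cleared on shutdown, cookies kept.
function clearHistoryOnlyState() {
  const state = makeState();
  state.prefs["privacy.sanitize.sanitizeOnShutdown"] = true;
  state.prefs["privacy.clearOnShutdown.history"] = true;
  return state;
}

// Default settings: only the never-visited tracker is purged.
function baseline() {
  return purgeTrackingCookieJars(makeState());
}

// The bug: after a restart the interaction permissions are gone, so the
// logged-in trackers look like pure trackers and are purged as well.
function reproduceBug() {
  return purgeTrackingCookieJars(clearOnShutdown(clearHistoryOnlyState()));
}

// Landed fix: purging is skipped entirely for these users, which keeps
// logins but also forgoes the protection against ads.example.
function withLandedFix() {
  const state = clearOnShutdown(clearHistoryOnlyState());
  return purgeTrackingCookieJars(state, { skipWhenClearingHistory: true });
}

// Alternative fix: permissions survive while cookies do, so logins stay
// and the real tracker is still purged.
function withPermissionAwareClear() {
  const state = clearOnShutdown(clearHistoryOnlyState(), { keepPermsWithSiteData: true });
  return purgeTrackingCookieJars(state);
}
```

The difference between withLandedFix() and withPermissionAwareClear() is the trade-off the thread mentions: the pref check is a one-line, low-risk change suitable for uplift, but it switches the protection off for everyone who clears history on shutdown, whereas the permission-aware variant keeps purging real trackers at the cost of a per-origin site-data lookup during sanitization.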

Since I've consistently seen reports of this from individual users here's a quick FAQ:

What is the issue

You're getting logged out of sites that are known trackers because of a bug in our new redirect tracking protection. It is looking at your (locally stored) interaction history with sites to figure out if they are legitimate or merely trying to track you. You have "Clear History on Shutdown" turned on and thus interaction history is also cleared. This means our protection sees a lot of trackers that you "never" interacted with and tries to protect you by clearing all their cookies. 🙃

I'm an affected user, what can I do to fix it right now

Sorry for the inconvenience!

You can either disable the protection by flipping the following pref to false:

privacy.purge_trackers.enabled

or you uncheck the checkbox for "Clear History when Nightly closes" in Preferences -> Privacy & Security -> History

If you do not have "Clear History on Shutdown" enabled but are still getting logged out please file a new bug.

What are we doing to fix it?

The patch to fix this is sufficiently complicated that we will not be uplifting it, however, I hope to get it done in time for the 84 release. In the meantime, we have decided to fix this by reversing the rollout through Normandy for all affected users, which is scheduled to land some time next week.

Marking 82 back to affected and we'll mark it as disabled/fixed when the hotfix lands.

Summary: Purging logs user out of some sites (e.g. Twitter / Google) every day when clearing history on shutdown is enabled → Purging logs user out of some sites (e.g. Twitter / Google) every day when clearing history on shutdown is enabled (summary in comment 20)
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/79a1216484bb
Avoid purging when interaction permissions are cleared on shutdown. r=englehardt
Flags: qe-verify+
Status: ASSIGNED → RESOLVED
Closed: 27 days ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Flags: in-testsuite+

Johann, I see you set this bug to P1, does it mean that you intend to uplift it to 83? Thanks

Flags: needinfo?(jhofmann)

Comment on attachment 9184779 [details]
Bug 1672394 - Avoid purging when interaction permissions are cleared on shutdown. r=englehardt

Beta/Release Uplift Approval Request

  • User impact if declined: Users who clear history on shutdown are logged out of a lot of websites daily.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  1. Sign into Google or Twitter
  2. In about:preferences, enable "Clear history when Firefox closes", but only select "Browsing & Download data" in the "Settings" sub-menu
  3. Restart your browser
  4. After restart, you should still be logged into Google & Twitter
  5. Open the browser console and run
await Components.classes["@mozilla.org/purge-tracker-service;1"].getService(Components.interfaces.nsIPurgeTrackerService).purgeTrackingCookieJars()
  6. Without the bugfix, you are now logged out of Google & Twitter
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This adds a simple if-condition for skipping purging when certain prefs are not set.
  • String changes made/needed: None
Flags: needinfo?(jhofmann)
Attachment #9184779 - Flags: approval-mozilla-beta?

Thanks for the reminder :)

See Also: → 1675018

Verified as fixed using the latest Nightly 84.0a1 (Build ID: 20201103095421) on Mac OS X 10.15, Ubuntu 20.04, and Windows 10 x64 - logins are kept when following the steps from Comment 26.

Comment on attachment 9184779 [details]
Bug 1672394 - Avoid purging when interaction permissions are cleared on shutdown. r=englehardt

Regression, P1, verified by QA on Nightly, has tests and is a low-risk patch. Uplift approved for 83 beta 8, thanks.

Attachment #9184779 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Fixed by remote pref flip for 82.

Verified as fixed on the latest Firefox 83 beta 8 - on Windows 10 x64. Ubuntu 20.04 and Mac OS X 10.15. This issue was verified by following the steps from Comment 26, after setting the preference "privacy.purge_trackers.enabled" to "true".

Johann is it intended for the cookie purging to be off on Beta 83?

Flags: needinfo?(jhofmann)

Sorry for the delay. The pref will be turned on for late Beta 83 and Release in bug 1675596. Thanks for calling that out.

Flags: needinfo?(jhofmann)

(In reply to Johann Hofmann [:johannh] from comment #33)

Sorry for the delay. The pref will be turned on for late Beta 83 and Release in bug 1675596. Thanks for calling that out.

Thanks, Johann, based on this, and on comment 32, setting the tracking flag for firefox 83 to verified.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+

I think disabled is more accurate since the code fix didn't land in 82.
