Open Bug 1699458 Opened 4 years ago Updated 7 months ago

tabs.get() API allows distinguishing private and non-existent tabs

Categories

(WebExtensions :: Android, defect)

Tracking

(Not tracked)

People

(Reporter: jwkbugzilla, Unassigned)

Details

(Keywords: csectype-disclosure, sec-other)

When an extension doesn’t have access to private browsing, it isn’t supposed to know about any private tabs opened. However, Fenix tab numbers are assigned consecutively, always with step 4 between tab identifiers. So if an extension observes tab 10059 and tab 10067 being created, it can guess that tab 10063 is a private tab that wasn’t reported to it. The API will help it confirm this suspicion: browser.tabs.get(10063).catch(e => console.log(e)) will result in “Error: An unexpected error occurred” being logged, whereas browser.tabs.get(10064).catch(e => console.log(e)) will result in “Error: Invalid tab ID: 10064”.

The different error messages are due to ext-tabs.js erroring out for private browsing tabs (“can't access property "convert", tabManager.get(...) is undefined”).

CC Agi as this would have to be addressed in GV and/or the extension framework.

Component: Security: Android → Extensions
OS: Unspecified → Android
Product: Fenix → GeckoView
Hardware: Unspecified → All
Version: unspecified → Trunk
Group: mobile-core-security → firefox-core-security
Component: Extensions → Android
Product: GeckoView → WebExtensions

Thanks for the report Wladimir.

(In reply to Wladimir Palant from comment #0)

> So if an extension observes tab 10059 and tab 10067 being created, it can guess that tab 10063 is a private tab that wasn’t reported to it.

This is known, and not something we have chosen to guard against in other cases.

> The API will help it confirm this suspicion: browser.tabs.get(10063).catch(e => console.log(e)) will result in “Error: An unexpected error occurred” being logged, whereas browser.tabs.get(10064).catch(e => console.log(e)) will result in “Error: Invalid tab ID: 10064”.

Right, every function that returns info about tabs goes through getWrapper() [1], which ensures we don't actually expose it without permissions, but returning null ends up throwing the generic "unexpected" error later.

[1] https://searchfox.org/mozilla-central/rev/36f79bed67/toolkit/components/extensions/parent/ext-tabs-base.js#1989

This probably doesn't need to be a sec bug, though we should fix it on Android at [2] to throw the custom error as desktop does at [3].

[2] https://searchfox.org/mozilla-central/rev/36f79bed67/mobile/android/components/extensions/ext-android.js#543
[3] https://searchfox.org/mozilla-central/rev/36f79bed67/browser/components/extensions/parent/ext-browser.js#1191

Severity: -- → S3
Group: firefox-core-security
Group: firefox-core-security
Keywords: sec-other
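
The fix direction named in the reply above (throw the same invalid-tab-ID error for a tab the extension may not see as for one that does not exist), as an added example that is not Firefox source. It is a simplified model: every function name, the `TABS` map and the error-normalisation helper are hypothetical, and the tab IDs are the ones from the report used as constructed sample state.

```javascript
// Simplified model of the lookup path; NOT Firefox code, all names hypothetical.
class ExtensionError extends Error {}

// Constructed sample state: 10063 stands for the private tab from the report.
const TABS = new Map([
  [10059, { id: 10059, incognito: false }],
  [10063, { id: 10063, incognito: true }],
  [10067, { id: 10067, incognito: false }],
]);

// Hands out a wrapper only for tabs the extension is allowed to see.
function getWrapper(tab, privateAllowed) {
  if (tab.incognito && !privateAllowed) return undefined;
  return { convert: () => ({ id: tab.id, incognito: tab.incognito }) };
}

// API boundary (assumed): only ExtensionError messages reach the extension,
// any other exception is replaced by the generic message.
function extensionVisibleError(fn) {
  try { fn(); return null; } catch (e) {
    return e instanceof ExtensionError ? e.message : "An unexpected error occurred";
  }
}

// Behaviour described in the report: the permission check works, but the
// undefined wrapper is dereferenced and surfaces as a different error.
function getTabLeaky(tabId, privateAllowed) {
  const tab = TABS.get(tabId);
  if (!tab) throw new ExtensionError(`Invalid tab ID: ${tabId}`);
  return getWrapper(tab, privateAllowed).convert(); // TypeError for hidden tabs
}

// Hardened form: "not permitted" and "does not exist" take the same exit.
function getTabUniform(tabId, privateAllowed) {
  const tab = TABS.get(tabId);
  const wrapper = tab && getWrapper(tab, privateAllowed);
  if (!wrapper) throw new ExtensionError(`Invalid tab ID: ${tabId}`);
  return wrapper.convert();
}

// Regression check: with the ID masked out, the error for a hidden tab must
// match the error for a missing tab when private access is not granted.
function errorsDistinguishable(getTab, hiddenId, missingId) {
  const masked = (id) =>
    String(extensionVisibleError(() => getTab(id, false))).replace(String(id), "<id>");
  return masked(hiddenId) !== masked(missingId);
}
```

This only covers the error-message difference; the consecutive tab numbering discussed in the thread is outside what the check measures.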

This is a bug, but not necessarily a security bug. It cannot be used to access information of private browsing content.

We have a similar issue elsewhere, e.g. bug 1540565.

Group: firefox-core-security
See Also: → 1540565