tabs.get() API allows distinguishing private and non-existent tabs
Categories: WebExtensions :: Android, defect
Tracking: Not tracked
People: Reporter: jwkbugzilla, Unassigned
Details: Keywords: csectype-disclosure, sec-other
When an extension doesn’t have access to private browsing, it isn’t supposed to know about any private tabs opened. However, Fenix tab numbers are assigned consecutively, always with step 4 between tab identifiers. So if an extension observes tab 10059 and tab 10067 being created, it can guess that tab 10063 is a private tab that wasn’t reported to it. The API will help it confirm this suspicion:
    browser.tabs.get(10063).catch(e => console.log(e))
will result in “Error: An unexpected error occurred” being logged, whereas
    browser.tabs.get(10064).catch(e => console.log(e))
will result in “Error: Invalid tab ID: 10064”.
The different error messages are due to ext-tabs.js erroring out for private browsing tabs (“can't access property "convert", tabManager.get(...) is undefined”).
Comment 1•4 years ago
CC Agi as this would have to be addressed in GV and/or the extension framework.
Comment 2•4 years ago
Thanks for the report Wladimir.
(In reply to Wladimir Palant from comment #0)
> So if an extension observes tab 10059 and tab 10067 being created, it can guess that tab 10063 is a private tab that wasn’t reported to it.
This is known, and not something we have chosen to guard against in other cases.
> The API will help it confirm this suspicion:
> browser.tabs.get(10063).catch(e => console.log(e))
> will result in “Error: An unexpected error occurred” being logged, whereas
> browser.tabs.get(10064).catch(e => console.log(e))
> will result in “Error: Invalid tab ID: 10064”.
Right, every function that returns info about tabs goes through getWrapper() [1], which ensures we don't actually expose it without permissions, but that returning null ends up throwing the generic "unexpected" error later.
This probably doesn't need to be a sec bug, though we should fix it on Android at [2] to throw the custom error as desktop does at [3].
[2] https://searchfox.org/mozilla-central/rev/36f79bed67/mobile/android/components/extensions/ext-android.js#543
[3] https://searchfox.org/mozilla-central/rev/36f79bed67/browser/components/extensions/parent/ext-browser.js#1191
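The fix direction from comment 2, as an added example that is not part of the bug report and not Mozilla's code: a simplified JavaScript model in which a lookup that returns nothing for hidden tabs leaks through the generic error, next to a version that raises the same "Invalid tab ID" error for hidden and non-existent tabs. The bodies of `getWrapper`, `callApi`, `getLeaky`, `getUniform` and `indistinguishable` are hypothetical, and the tab table is constructed sample data.

```javascript
// Simplified model, not Firefox code. Tab table is constructed sample data.
class ExtensionError extends Error {}

const TABS = new Map([
  [10059, { id: 10059, incognito: false, url: "https://example.com/" }],
  [10063, { id: 10063, incognito: true, url: "https://private.example/" }],
  [10067, { id: 10067, incognito: false, url: "https://example.org/" }],
]);

// Returns a wrapper only for tabs the extension may see, otherwise undefined.
function getWrapper(tabId, ext) {
  const tab = TABS.get(tabId);
  if (!tab || (tab.incognito && !ext.privateBrowsingAllowed)) return undefined;
  return { convert: () => ({ id: tab.id, url: tab.url }) };
}

// API boundary: only ExtensionError messages pass through; others become generic.
function callApi(impl, tabId, ext) {
  try {
    return { ok: impl(tabId, ext) };
  } catch (e) {
    const known = e instanceof ExtensionError;
    return { error: known ? e.message : "An unexpected error occurred" };
  }
}

// Leaky: existence is checked separately from visibility, so a hidden tab
// reaches the dereference and fails with a TypeError instead.
function getLeaky(tabId, ext) {
  if (!TABS.has(tabId)) throw new ExtensionError(`Invalid tab ID: ${tabId}`);
  return getWrapper(tabId, ext).convert();
}

// Uniform: "hidden" and "missing" take the same error path.
function getUniform(tabId, ext) {
  const wrapper = getWrapper(tabId, ext);
  if (!wrapper) throw new ExtensionError(`Invalid tab ID: ${tabId}`);
  return wrapper.convert();
}

// Regression check: hidden and missing IDs must give the same error, ID masked.
function indistinguishable(impl, hiddenId, missingId, ext) {
  const probe = (id) => {
    const r = callApi(impl, id, ext);
    return r.error ? r.error.replace(String(id), "<id>") : null;
  };
  const hidden = probe(hiddenId);
  return hidden !== null && hidden === probe(missingId);
}
```

A check like `indistinguishable` can run as a unit test against every tab-returning API so that a new code path cannot reintroduce a distinct error for hidden tabs.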
Comment 3•2 years ago
This is a bug, but not necessarily a security bug. It cannot be used to access information of private browsing content.
We have a similar issue elsewhere, e.g. bug 1540565.