Closed Bug 1705068 (CVE-2021-29963) Opened 2 years ago Closed 1 year ago

Private Browsing not respected for search suggestions

Categories

(Fenix :: Security: Android, defect)

Tracking

(firefox88 wontfix, firefox89 verified, firefox90 fixed)

VERIFIED FIXED

People

(Reporter: ecfbugzilla, Assigned: sebastian)

Details

(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [adv-main89+])

Attachments

(1 file)

The problematic code can be seen here:

https://github.com/mozilla-mobile/android-components/blob/78979a815d9ba671e6cc8009ef50b80a26ab7896/components/feature/awesomebar/src/main/java/mozilla/components/feature/awesomebar/provider/SearchSuggestionProvider.kt#L247-L251

The request retrieving search suggestions does not respect Private Browsing mode. While Fenix doesn’t have search suggestions enabled by default in Private Browsing and warns about the impact (everything typed into address bar sent to search provider), this is still unnecessary. Once a search is accepted, this allows search providers (by default Google) to match the regular search session to the private one.

The issue can be confirmed by debugging the network traffic of the main process: search suggestions always send the cookies from the regular session, regardless of whether the user is currently in a private tab.
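
The traffic check described in the report above, as an added example that is not part of the original bug or of Mozilla's code: it flags private-tab requests whose cookies were also sent from a regular tab to the same host. The capture records, the `suggest.example` host and the cookie values are constructed, and the `private` field assumes the tester annotated each captured request with the tab type it came from.

```python
from collections import defaultdict


def parse_cookie_header(value):
    """Split a Cookie request header into a set of (name, value) pairs."""
    pairs = set()
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            pairs.add((name, val))
    return pairs


def find_session_leaks(requests):
    """Return (url, cookie names) for private-tab requests that carry a
    cookie pair also sent from a regular tab to the same host."""
    regular = defaultdict(set)
    for r in requests:
        if not r["private"]:
            regular[r["host"]] |= parse_cookie_header(r.get("cookie", ""))
    leaks = []
    for r in requests:
        if r["private"]:
            shared = parse_cookie_header(r.get("cookie", "")) & regular[r["host"]]
            if shared:
                leaks.append((r["url"], sorted(name for name, _ in shared)))
    return leaks


# Constructed captures; host, URLs and cookie values are placeholders.
REGULAR_REQ = {"private": False, "host": "suggest.example",
               "url": "https://suggest.example/complete?q=weather",
               "cookie": "sid=r-123"}

# Behaviour reported in this bug: the private tab sends the regular cookie.
BUGGY_CAPTURE = [REGULAR_REQ,
                 {"private": True, "host": "suggest.example",
                  "url": "https://suggest.example/complete?q=clinic",
                  "cookie": "sid=r-123"}]

# Expected behaviour: the private tab sends no cookie, or only its own.
FIXED_CAPTURE = [REGULAR_REQ,
                 {"private": True, "host": "suggest.example",
                  "url": "https://suggest.example/complete?q=clinic",
                  "cookie": ""},
                 {"private": True, "host": "suggest.example",
                  "url": "https://suggest.example/complete?q=clinic+near",
                  "cookie": "sid=p-777"}]
```

The comparison is on name and value together, so a private session that holds its own cookie under the same name is not flagged.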

I'll take a stab at this.

Assignee: nobody → s.kaspari
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release

Is this something we should consider backporting to AC75/Fenix89?

Flags: needinfo?(s.kaspari)

AC 75.0.16 is getting built.

Fenix PR with AC version bump and patch uplift:
https://github.com/mozilla-mobile/fenix/pull/19537

Verified as fixed on Fenix 89.0.0-beta8 and 9 with Google Pixel 4 XL (Android 11).
Note that the Allow search suggestions in PB prompt was displayed when typing in the URL bar for the first time.

Status: RESOLVED → VERIFIED
Whiteboard: [adv-main89+]
Attached file advisory.txt
Alias: CVE-2021-29963
Group: core-security-release