When sync removes a bookmark with a keyword based on data from another device, the keyword is not removed
Categories
(Firefox :: Sync, defect)
People
(Reporter: vaclav.trpisovsky, Assigned: skhamis)
Details
(Whiteboard: [fxsync-])
Attachments
(1 file)
Please note that while reproducing this bug involves Firefox on mobile and Cloud Services (FF Sync), the product exhibiting (and likely causing) unexpected behavior is Firefox on desktop. I did not test other platforms; you can edit the platform to "all" if you reproduce the bug elsewhere. Also, while the bug is very minor (most users will not experience it by accident), it could be exploited by adware and browser hijackers; see below.
Steps to reproduce:
- Start with Firefox desktop and mobile installations, connected via Firefox Sync.
- On desktop, create a bookmark, open its Properties window and assign an unused keyword to it.
- Synchronize both devices together.
- Delete the bookmark on mobile.
- Synchronize again.
- View the bookmark list on desktop and notice that the bookmark is gone. This is expected behavior.
- Use the keyword in the address bar to access the bookmark: it still works. This is unexpected behavior.
- To remove this annoyance, open another bookmark's properties, assign the keyword to it, save changes, remove the keyword and save changes again.
Expected behavior:
After the bookmark is deleted from another device, it will no longer be accessible via the keyword in the Awesome bar.
Suspected cause:
I have never seen a line of Firefox code in my life but I assume that the bug is caused by some "keyword cache" not getting updated on certain actions.
Security concern:
Annoying malware, such as adware, could hijack some common keywords at the start of search queries (such as "the" or "how") invisibly (without a bookmark or Search settings entry) and redirect the user to their own page (which could resemble Google's and initiate a phishing attack). This is why I have hidden this post for security reasons. I encourage more experienced Bugzilla users to challenge or overturn this decision, as well as assign the correct priority/severity.
Final comment:
PLEASE do not "solve" this bug by removing the keyword feature and the %s parameter, as they are a needlessly hidden, amazingly useful tool for creating custom "search engines" and similar "responsive bookmarks".
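The leftover state described in the report (a keyword that still resolves although no bookmark exists for it) can be checked for directly in the Places database. The following is an added example, not part of the original report and not Mozilla's code; it assumes the table and column names `moz_places`, `moz_bookmarks.fk` and `moz_keywords.place_id`, and runs on constructed sample rows.

```python
import sqlite3

# Minimal stand-in for the three places.sqlite tables involved. Table and
# column names are an assumption about the desktop Places schema, not taken
# from the bug report; check them against a real profile before relying on this.
SCHEMA = """
CREATE TABLE moz_places   (id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE moz_bookmarks(id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, title TEXT);
CREATE TABLE moz_keywords (id INTEGER PRIMARY KEY, keyword TEXT UNIQUE,
                           place_id INTEGER, post_data TEXT);
"""

# A keyword is orphaned when no bookmark row points at the same place.
# LEFT JOIN keeps keywords whose place row is missing too (url is then None).
ORPHAN_QUERY = """
SELECT k.keyword, p.url
FROM moz_keywords k
LEFT JOIN moz_places p ON p.id = k.place_id
WHERE NOT EXISTS (SELECT 1 FROM moz_bookmarks b WHERE b.fk = k.place_id)
ORDER BY k.keyword
"""

def find_orphaned_keywords(conn):
    """Return (keyword, url) pairs for keywords whose URL has no bookmark left."""
    return [(kw, url) for kw, url in conn.execute(ORPHAN_QUERY)]

def build_sample_db():
    """Constructed data: 'docs' is a normal keyword bookmark; 'how' is left
    behind after its bookmark row was deleted (the state in the report)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (1, "https://docs.example/search?q=%s"),
        (2, "https://search.example/?q=%s"),
    ])
    conn.execute("INSERT INTO moz_bookmarks VALUES (1, 1, 1, 'Docs search')")
    conn.executemany("INSERT INTO moz_keywords VALUES (?, ?, ?, NULL)", [
        (1, "docs", 1),
        (2, "how", 2),
    ])
    return conn

if __name__ == "__main__":
    for keyword, url in find_orphaned_keywords(build_sample_db()):
        print(f"orphaned keyword {keyword!r} -> {url}")
```

To audit a real profile, pass a connection opened on a copy of its `places.sqlite` to `find_orphaned_keywords` instead of the sample database.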
Comment 1•3 years ago
(In reply to Václav Trpišovský from comment #0)
Thanks for the report.
> Security concern:
> Annoying malware, such as adware, could hijack some common keywords at the start of search queries (such as "the" or "how") invisibly (without a bookmark or Search settings entry) and redirect the user to their own page (which could resemble Google's and initiate a phishing attack).
If the attack vector is malware or adware that messes with your profile (i.e. that is already present on the machine and has write access to the profile directory), there are much worse things they could do (e.g. install an add-on that always returns custom content for their domain, exfiltrate password data, whatever), so I don't think this is a vector for this bug that we should worry about.
Comment 2•2 years ago
The issue is still reproducible with current Firefox Release 105.0.3, latest RC 106.0 and Nightly 107.0a1. I've tested with Win 7 x64.
Comment 3•1 year ago
Pushed by skhamis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/98e43cc1fc90
When sync removes a bookmark with a keyword, should also remove the keyword if necessary r=mak,lina
Comment 5•1 year ago
bugherder