Closed Bug 1717672 (CVE-2025-6425) Opened 4 years ago Closed 4 months ago

Avoid UUID leak via webcompat add-on

Categories

(WebExtensions :: General, task, P3)

Product:
WebExtensions
Component:
General
Type:
task

Tracking

(firefox-esr115140+ verified, firefox-esr128140+ verified, firefox140+ verified, firefox141+ verified)

Status:
VERIFIED FIXED
Milestone:
141 Branch
Tracking Flags:
Tracking Status
firefox-esr115 140+ verified
firefox-esr128 140+ verified
firefox140 + verified
firefox141 + verified

People

(Reporter: robwu, Assigned: robwu)

References

Details

(Keywords: perf-alert, privacy, sec-moderate, Whiteboard: [addons-jira][fingerprinting][adv-main140+][adv-esr128.12+][adv-esr115.25+])

Attachments

(5 files)

Bug 1717672 - Fix webcompat uuid
48 bytes, text/x-phabricator-request
Details | Review
Bug 1717672 - Fix webcompat uuid
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1717672 - Fix webcompat uuid
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr128+
Details | Review
Bug 1717672 - Fix webcompat uuid
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
advisory.txt
316 bytes, text/plain
Details

The webcompat add-on exposes files in web_accessible_resources via the webRequest API. Consequently it's possible for the UUID to leak to web pages.

Bug 1696779 shows when this can be problematic.

This issue can fully be resolved by moving webcompat away from web_accessible_resources (bug 1712096), or partially be addressed by having a non-persistent UUID (bug 1717671).

If bug 1712096 gets resolved, then we can use the new API from that bug. Alternatively, we can reset webcompat's UUID at every startup to prevent it from being persistent to experiment with the feasibility of bug 1717671.

Severity: -- → N/A
Priority: -- → P3

use dynamic could probably be backported to mv2 in some fasion to address the uuid issue.

Depends on: 1713196

I'm all in favor of resetting the UUID every startup because it removes a unique persistent ID that can be used to track users of extensions that leak their UUID into content. But it's not a sufficient fix: it still allows tracking/correlation within a single session when these leak, and if any of the resources are abusable (see bug 1711361) a malicious page can still figure out the current UUID and conduct the attack all within the same session.

Keywords: sec-want
Assignee: nobody → rob
Status: NEW → ASSIGNED
Whiteboard: [addons-jira]
Attachment #9494596 - Flags: approval-mozilla-beta?

The patch above changes the uuid of the webcompat extension. This is not generally safe to do, and in a code comment in the patch, I explained why this is the case, and why it is safe to do so for webcompat:

    // In general, the UUID should not change once assigned because it may be
    // stored elsewhere within the profile directory, when the extension URL is
    // exposed (e.g. history, bookmarks, site permissions, web or extension
    // APIs that associate data with the extension principal or origin).
    // The webcompat add-on does not rely on the persisted uuid, so we can
    // simply migrate the uuid below, see bug 1717672.

The last sentence, "webcompat add-on does not rely on the persisted uuid" is based on my code audit of the webcompat add-on and confirmed by the webcompat team members.

I also scanned profile directories (years old and new ones), and did not find anything unexpected. Specifically, the following three files contain the uuid of the webcompat extension:

  • prefs.js: the uuid is stored in a pref. The patch changes the uuid and pref, after which there is no longer any trace of the old uuid. This is also verified by unit tests.
  • startupCache/webext.sc.lz4 (in Local Directory at about:profiles): This file contains the resolved URLs for a given extension and specific version. When the URL is incorrect, the extension would not run at all (but not break the browser in any other way). Fortunately, this file is removed on Firefox upgrades (even on Nightly, since bug 1632544). Even if a user were to restore this cache file manually, the data is ignored when the webcompat extension version was bumped in the meantime. Normal users will never encounter this scenario, but out of caution I am defensively accounting for the scenario.
    • The uplift for 140 also includes a version bump, in case a Beta user manually messes up their profile. This is not strictly required for release, because users on release are on extension version 139.x, which will be bumped to 140.x (most recently by bug 1950301).
    • The uplifts for ESR128 and ESR115 will include a version bump to minimize the risk of the cache being reused unexpectedly.
  • permissions.sqlite: After interacting (clicking) with about:compat, the "storageAccessAPI" permission is added to this file. This does not change the behavior of the extension in any way, and is merely a side effect of the storage access heuristics implementation that applies to all content. The (unused) permission expires after 45 days (as specified by the privacy.userInteraction.expiration preference).

firefox-beta Uplift Approval Request

  • User impact if declined: Susceptible to tracking, see linked doc.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: (covered by automated tests, but here is a sanity check for manual testing if desired) 1. Start Firefox before this patch, quit it. 2. Update Firefox with this patch, then visit about:compat. Expect it to be populated.
  • Risk associated with taking this patch: Low
  • Explanation of risk level: In short: the effect of the changes are intentional and well understood, without negative side effects. The uuid is persisted to allow extensions to have a stable URL across browser restarts. The webcompat extension itself does not rely on any specific value for the URL, which I verified by auditing its code base, and confirmed this with WebCompat team members. For more details, see https://bugzilla.mozilla.org/show_bug.cgi?id=1717672#c6.
  • String changes made/needed: None
  • Is Android affected?: yes
Attachment #9494628 - Flags: approval-mozilla-esr128?
Attachment #9494658 - Flags: approval-mozilla-esr115?

firefox-esr128 Uplift Approval Request

  • User impact if declined: Susceptible to tracking, see linked doc.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: (covered by automated tests, but here is a sanity check for manual testing if desired) 1. Start Firefox before this patch, quit it. 2. Update Firefox with this patch, then visit about:compat. Expect it to be populated.
  • Risk associated with taking this patch: Low
  • Explanation of risk level: In short: the effect of the changes are intentional and well understood, without negative side effects. The uuid is persisted to allow extensions to have a stable URL across browser restarts. The webcompat extension itself does not rely on any specific value for the URL, which I verified by auditing its code base, and confirmed this with WebCompat team members. For more details, see https://bugzilla.mozilla.org/show_bug.cgi?id=1717672#c6.
  • String changes made/needed: None
  • Is Android affected?: no

firefox-esr115 Uplift Approval Request

  • User impact if declined: Susceptible to tracking, see linked doc.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: (covered by automated tests, but here is a sanity check for manual testing if desired) 1. Start Firefox before this patch, quit it. 2. Update Firefox with this patch, then visit about:compat. Expect it to be populated.
  • Risk associated with taking this patch: Low
  • Explanation of risk level: In short: the effect of the changes are intentional and well understood, without negative side effects. The uuid is persisted to allow extensions to have a stable URL across browser restarts. The webcompat extension itself does not rely on any specific value for the URL, which I verified by auditing its code base, and confirmed this with WebCompat team members. For more details, see https://bugzilla.mozilla.org/show_bug.cgi?id=1717672#c6.
  • String changes made/needed: None
  • Is Android affected?: no

https://hg.mozilla.org/mozilla-central/rev/b941e3032841

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox141: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
No longer depends on: 1712096, 1713196
See Also: → 1712096, 1713196
Attachment #9494596 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9494628 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9494658 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
QA Whiteboard: [qa-triage-done-c141/b140][qa-ver-needed-c141/b140]
Flags: qe-verify+
QA Whiteboard: [qa-triage-done-c141/b140][qa-ver-needed-c141/b140] → [uplift][qa-triage-done-c141/b140][qa-ver-needed-c141/b140]
QA Contact: bmaris

Verified based used the instructions from comment 11 that about:compat is filled after an update from a build before the fix to the latest builds for the following: Firefox 140.0 RC, latest Nightly 141.0a1, Firefox 128.12.0esr and Firefox 115.25.0esr - Windows 11, macOS 13, Ubuntu 22.04 and Windows 8.1 64bit.

Status: RESOLVED → VERIFIED
QA Whiteboard: [uplift][qa-triage-done-c141/b140][qa-ver-needed-c141/b140] → [uplift][qa-triage-done-c141/b140][qa-ver-done-c141/b140]
status-firefox140: fixedverified
status-firefox141: fixedverified
status-firefox-esr115: fixedverified
status-firefox-esr128: fixedverified
Flags: qe-verify+
tracking-firefox140: --- → +
tracking-firefox141: --- → +
tracking-firefox-esr115: --- → 140+
tracking-firefox-esr128: --- → 140+
Keywords: sec-wantprivacy, sec-moderate
Whiteboard: [addons-jira] → [addons-jira][fingerprinting]
Whiteboard: [addons-jira][fingerprinting] → [addons-jira][fingerprinting][adv-main140+]
Attached file advisory.txt
Whiteboard: [addons-jira][fingerprinting][adv-main140+] → [addons-jira][fingerprinting][adv-main140+][adv-esr128.12+]
Whiteboard: [addons-jira][fingerprinting][adv-main140+][adv-esr128.12+] → [addons-jira][fingerprinting][adv-main140+][adv-esr128.12+][adv-esr115.25+]
Duplicate of this bug: 1792377
No longer duplicate of this bug: 1792377
Alias: CVE-2025-6425

(In reply to Pulsebot from comment #4)

Pushed by rob@robwu.nl:
https://github.com/mozilla-firefox/firefox/commit/acefe30a8b6f
https://hg.mozilla.org/integration/autoland/rev/b941e3032841
Fix webcompat uuid r=denschub,rpl,webcompat-reviewers

Perfherder has detected a browsertime performance change from push b941e3032841e99cef00af491dc7a7929e9d9cca.

If you have any questions, please reach out to a performance sheriff. Alternatively, you can find help on Slack by joining #perf-help, and on Matrix you can find help by joining #perftest.

Improvements:

Ratio Test Platform Options Absolute values (old vs new)
30% instagram loadtime android-hw-a55-14-0-aarch64-shippable cold webrender 757.10 -> 533.32
18% instagram largestContentfulPaint android-hw-a55-14-0-aarch64-shippable cold webrender 1,496.79 -> 1,234.16
11% instagram PerceptualSpeedIndex android-hw-a55-14-0-aarch64-shippable cold webrender 972.16 -> 862.50
10% instagram ContentfulSpeedIndex android-hw-a55-14-0-aarch64-shippable cold webrender 1,016.34 -> 913.36
10% instagram ContentfulSpeedIndex android-hw-a55-14-0-aarch64-shippable cold webrender 1,016.32 -> 916.67
9% instagram SpeedIndex android-hw-a55-14-0-aarch64-shippable cold webrender 1,194.92 -> 1,089.27

Details of the alert can be found in the alert summary, including links to graphs and comparisons for each of the affected tests.

If you need the profiling jobs you can trigger them yourself from treeherder job view or ask a performance sheriff to do that for you.

You can run all of these tests on try with ./mach try perf --alert 45744

The following documentation link provides more information about this command.

Keywords: perf-alert
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: