Personal data in crash reports
Categories
(Toolkit :: Crash Reporting, defect)
People
(Reporter: tjr, Unassigned)
Details
We got the following email in on the security@ list:
while migrating data to a new Firefox profile, I noticed the .dmp files
under ~/.mozilla/firefox/Crash Reports/pending. Running strings on
them revealed that one of the files contained authentication cookies (if
I had to guess based on surrounding data, I'd say probably as part of
the HTTP request headers stored with a cache entry).
This is extremely concerning, as the user-facing UI does not warn the
user that such sensitive data could be uploaded as part of the crash
reports. The crash report dialog lets the user select whether to
"Include the address of the page I was on", which I naively interpreted
as "the URL is the most sensitive data that could be contained in the
crash report, and only if I choose to do so".
Looking at the "Details", the dialog shows only non-sensitive data, and
a vague statement that "This report also contains technical information
about the state of the application when it crashed."
Developer facing documentation confirms that these reports do contain
sensitive data like memory dumps:
https://crash-stats.mozilla.org/documentation/protected_data_access/
The privacy policy would vaguely inform users about this
(https://www.mozilla.org/en-US/privacy/firefox/#crash-reporter) but it
is not linked from the crash reporter dialog (and even if it was linked,
something like this should be readily apparent, not hidden in a policy).
I understand that you may need the crash dumps to investigate certain
more complicated crashes, but there should be a clear warning that such
data can in some cases include authentication credentials, and make the
dumps optional. The current dialog misleads users into thinking that
there is no sensitive data included in bug reports, while potentially
uploading the most sensitive kind of data that Firefox has access to.
(Ironically, the crashes I've been experiencing for years when closing
Firefox seem to be linked to the "delete site data on exit" setting, and
seem to have prevented Firefox from deleting web sites' session storage
on close despite it being configured to do so.)
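As an added example, not part of the reported email or of Mozilla's crash reporter code: a small pre-submission audit that does what the reporter did with `strings`, but specifically flags credential-bearing HTTP request headers inside pending .dmp files and prints them redacted. The header list, the sample dump bytes and the function names are constructed for this illustration.

```python
import re
from pathlib import Path

# Constructed sample standing in for a minidump: a few header bytes, then
# fragments of an HTTP request that survived in heap memory. A real audit
# reads each .dmp under ~/.mozilla/firefox/Crash Reports/pending instead.
SAMPLE_DUMP = (
    b"\x00\x00MDMP\x93\xa7\x00\x00"
    b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
    b"Cookie: sessionid=REDACTED-EXAMPLE; csrftoken=abc\r\n\x00\x00"
    b"Authorization: Bearer EXAMPLE.TOKEN.VALUE\x00\xff\xfe"
    b"User-Agent: Mozilla/5.0\x00"
)

# Headers whose presence in a dump means credentials are in it (assumption:
# this list is the reviewer's choice, not something Mozilla publishes).
SENSITIVE_HEADERS = ("cookie", "set-cookie", "authorization", "proxy-authorization")
HEADER_RE = re.compile(
    rb"\b(" + b"|".join(h.encode() for h in SENSITIVE_HEADERS) + rb"):[ \t]*([^\r\n\x00]*)",
    re.IGNORECASE,
)


def extract_strings(blob: bytes, min_len: int = 4):
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_sensitive_headers(blob: bytes):
    """Return (header_name, redacted_value) pairs found in the raw dump bytes."""
    hits = []
    for m in HEADER_RE.finditer(blob):
        name = m.group(1).decode().lower()
        value = m.group(2).decode(errors="replace")
        # Keep only a short prefix so the audit output does not leak the secret itself.
        hits.append((name, value[:8] + "..." if len(value) > 8 else value))
    return hits


def audit_pending(pending_dir: Path):
    """Scan every .dmp in pending_dir; returns {filename: hits} for dumps with findings."""
    report = {}
    for dmp in sorted(pending_dir.glob("*.dmp")):
        hits = find_sensitive_headers(dmp.read_bytes())
        if hits:
            report[dmp.name] = hits
    return report


if __name__ == "__main__":
    for name, redacted in find_sensitive_headers(SAMPLE_DUMP):
        print(f"{name}: {redacted}")
```

Running `audit_pending(Path.home() / ".mozilla/firefox/Crash Reports/pending")` before a dump is submitted lists which files still hold session cookies or bearer tokens, which is the information the dialog's "Details" view does not surface.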
Comment 1•3 years ago
We've got multiple crash reporter clients across our products and I think they've got different text. When I removed the Email field earlier this year, I was talking with Nneka and Emily about this and I think the intention was to go through all the crash reporter clients and check the text the user is seeing and agreeing to when sending crash reports. Then based on that audit, we'd go through and make the changes required.
I think work on this bug should involve input from Trust and Privacy.
Tom: Just to clarify, everything in the bug description below the line was from the email? The first word isn't capitalized, but others are, so it seemed weird.
Updated•3 years ago
Comment 3•3 years ago
Correct; the only things I left out were a "Hi" and a request about what email address to use.
Updated•3 years ago
Updated•6 months ago