Closed Bug 1780842 (CVE-2023-29546) Opened 3 years ago Closed 2 years ago

screen recording disabled in incognito mode, still leaking sensitive information in the address bar.

Categories

(Fenix :: Toolbar, defect, P3)

All
Android
defect

Tracking

(firefox110 wontfix, firefox111 wontfix, firefox112 verified)

RESOLVED FIXED

People

(Reporter: hackerone3117, Assigned: aputanu)

Details

(Keywords: privacy, reporter-external, sec-low, Whiteboard: [adv-main112+][reporter-external] [web-bounty-form])

Attachments

(4 files, 1 obsolete file)

Hi Firefox.
I noticed that Firefox for Android has a feature to disable screen capture/screenshot on incognito tabs, but the feature still leaks information in the address bar while recording the screen.

Reproduction steps:

  1. Install the latest version of Firefox for Android.
  2. Then disable the screen recording/screenshot feature for incognito tabs.
  3. Test by recording the screen: the address bar is still visible, allowing the victim's sensitive parameters to be exposed in the wild.

Impact:
The attacker can see sensitive information in the victim's address bar, in the form of access tokens, emails, passwords, even secret parameters, etc.

Flags: sec-bounty?
Group: websites-security → mobile-core-security
Component: Other → Security: Android
Product: Websites → Fenix

Any update?

I'm not sure this feature was meant to hide your keyboard -- that's not part of the page. The autocomplete stuff likewise could be from your bookmarks or history saved in non-incognito mode and might not be considered part of this protection.

Kevin: do you know what the design/intent for this restriction was?

Flags: needinfo?(kbrosnan)

Thanks for your reply.
I believe this is a problem because I don't see other browsers like Chrome, Edge, Opera, etc. leaking the address bar while recording the screen in incognito mode.

> I'm not sure this feature was meant to hide your keyboard.

I wasn't typing on the keyboard; it is the address bar which was still exposed in the wild when the recording happened.

Attachment #9288731 - Attachment is obsolete: true

We're waiting for an answer from the Product folks about the intent of this design. The tiny amount of the URL that shows would reveal the site, but not any content details. Wouldn't it be easier to blank the whole screen than to exempt the toolbar part? That's what makes me wonder if this approach is intentional.

Folks have been on vacation. Kevin says they were going to cover this bug in their team meeting tomorrow.

Thanks for your reply.
I'm also not sure this is really a Low category, as it violates your browser policy which says not to show sensitive data in incognito mode.
It's only vulnerable on Firefox; other browsers (Chrome, Edge, Opera, etc.) show a black screen, including the address bar.

Regards

I can confirm the behavior in Nightly, and going back to v84 shows essentially the same behavior. I believe we should mark all the elements that are part of private browsing as FLAG_SECURE. However, I agree with Dan's assessment of the severity.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(kbrosnan)
Severity: -- → S4
Type: task → defect
Priority: -- → P3
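
An added illustration of the FLAG_SECURE suggestion in the comment above, not code from this bug or from Fenix: on Android the flag is set per window, and a dialog has its own window that the activity's flag does not cover. The class names and the `private_mode` key are hypothetical.

```kotlin
import android.app.Dialog
import android.os.Bundle
import android.view.Window
import android.view.WindowManager.LayoutParams.FLAG_SECURE
import androidx.appcompat.app.AppCompatActivity
import androidx.appcompat.app.AppCompatDialogFragment

// Hypothetical helper: set or clear FLAG_SECURE on a single window so the
// same call can be reused for every window the app creates.
fun Window.applyPrivateModeSecurity(isPrivate: Boolean) {
    if (isPrivate) addFlags(FLAG_SECURE) else clearFlags(FLAG_SECURE)
}

// Hypothetical browser activity. "private_mode" is an assumed intent extra
// standing in for however the app tracks private browsing.
class BrowserActivity : AppCompatActivity() {
    private val isPrivate: Boolean
        get() = intent.getBooleanExtra("private_mode", false)

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Covers only the views drawn in this activity's own window.
        window.applyPrivateModeSecurity(isPrivate)
    }
}

// Hypothetical dialog shown on top of the activity. It is a separate window,
// so it stays visible in screenshots and recordings unless it is flagged too.
class UrlEditDialogFragment : AppCompatDialogFragment() {
    override fun onCreateDialog(savedInstanceState: Bundle?): Dialog {
        val dialog = super.onCreateDialog(savedInstanceState)
        val isPrivate = requireArguments().getBoolean("private_mode")
        dialog.window?.applyPrivateModeSecurity(isPrivate)
        return dialog
    }
}
```

The same check applies to any other surface with its own window, which is why an audit of private-mode UI has to enumerate windows rather than activities.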

Bug for the Android Experience team

OS: All → Android
Component: Security: Android → Toolbar
Assignee: nobody → aputanu
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: qe-verify+
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED

Hi Irwan,
thank you for reporting this bug!
Unfortunately, we have made the decision to not award a bounty for your submission. We generally do not pay for bugs with a severity of "low". Furthermore, we consider this a privacy issue more than a security issue. The address bar content is indeed unintentionally leaked, but that requires someone to be actually able to record the screen without approval. We also note that most secret URL parameters are at the end of the address and likely not easily seen.
We're looking forward to your next submission and want to point out that there are various tips for finding and testing higher severity issues in our guidelines at https://www.mozilla.org/en-US/security/client-bug-bounty/.

Flags: sec-bounty? → sec-bounty-
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
Group: mobile-core-security → core-security-release

Verified as fixed on Nightly 112.0a1 from 02/21 with Google Pixel 7 PRO (Android 13) and Motorola Moto G9 plus (Android 11). The address bar is not displayed during screen recording in private mode.

Flags: qe-verify+
Status: VERIFIED → RESOLVED
Closed: 2 years ago
Whiteboard: [reporter-external] [web-bounty-form] → [adv-main112+][reporter-external] [web-bounty-form]
Alias: CVE-2023-29546
Group: core-security-release
Flags: sec-bounty-hof+