Closed Bug 1787034 (CVE-2023-23600) Opened 2 years ago Closed 2 years ago

The notification permission granted in normal browsing mode also applies to private browsing

Categories

(Fenix :: General, task, P2)

All
Android
task

Tracking

(firefox105 wontfix, firefox106 wontfix, firefox107 wontfix, firefox108 wontfix, firefox109 verified)

VERIFIED FIXED

People

(Reporter: csadilek, Assigned: amejia)

Details

(4 keywords, Whiteboard: [geckoview:m107] [geckoview:m108][adv-main109+])

Attachments

(2 files)

Originated from bug report https://bugzilla.mozilla.org/show_bug.cgi?id=1784741

In Firefox on Android, the user's allow/deny selection in Normal Browsing Mode is carried over to Private Browsing Mode in Notification Permission. This vulnerability risks allowing the display of notifications that should not be displayed based on different sessions (e.g., past Private Browsing Mode sessions that should have been discarded or sessions in a different browsing mode).

The notification permission is granted per application currently. With the work required for Android 13 to switch to runtime permissions for notifications, we could also introduce separate notification channels for different browsing contexts.

The per-app permission is the per-app permission: websites can't detect that. Assuming you've granted the permission to the app, and then grant it to an origin in Normal browsing (say, your webmail or chat site), does a private browsing session on the same origin get that permission or does it have to ask the user separately?

Flags: needinfo?(csadilek)

> The per-app permission is the per-app permission: websites can't detect that.

Sure, sorry for the terse comment#1. Fenix currently stores Notifications permissions per app (OS permission) and per origin (Gecko storage), but not per browsing context. We should fix both, in my opinion. Even the global app permissions could be separate for private browsing mode, but this bug is mainly about the latter.

> does a private browsing session on the same origin get that permission or does it have to ask the user separately?

For Notifications it currently gets it. Jon and I looked into this today and we'll file tickets for the changes we need tomorrow. This is mitigated in my testing because service workers don't run in private browsing, which would mostly trigger notifications. For other permissions, e.g., location, we display a "Remember decision for this site" checkbox, and once checked they will apply to private browsing as well. Both are wrong. We should ask again for private browsing mode.

Flags: needinfo?(csadilek)
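The storage gap described in the comment above (decisions kept per origin but not per browsing context), as an added sketch that is not Fenix, Android Components or GeckoView code. The class names, the `(origin, private)` key and the session-end cleanup are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"  # no stored decision: the user must be asked


@dataclass
class OriginOnlyStore:
    """Pre-fix model: one notification decision per origin, shared by both modes."""
    _rows: dict = field(default_factory=dict)

    def remember(self, origin, private, decision):
        self._rows[origin] = decision  # browsing mode is ignored

    def lookup(self, origin, private):
        return self._rows.get(origin, Decision.PROMPT)


@dataclass
class ContextKeyedStore:
    """Post-fix model: decisions keyed by (origin, private flag)."""
    _rows: dict = field(default_factory=dict)

    def remember(self, origin, private, decision):
        self._rows[(origin, private)] = decision

    def lookup(self, origin, private):
        return self._rows.get((origin, private), Decision.PROMPT)

    def end_private_session(self):
        # Assumption: private-mode decisions are discarded with the session.
        self._rows = {k: v for k, v in self._rows.items() if not k[1]}


def leaks_across_modes(store, origin="https://mail.example"):
    """Regression check: grant in normal mode, then see if private mode inherits it.

    The origin is a constructed sample value.
    """
    store.remember(origin, private=False, decision=Decision.ALLOW)
    return store.lookup(origin, private=True) is not Decision.PROMPT
```

`leaks_across_modes` mirrors the manual verification later in this bug: a grant made in normal browsing must still produce a prompt in private browsing.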
Depends on: 1788720
Severity: -- → N/A
Priority: -- → P2
Whiteboard: [geckoview:m107]
Assignee: nobody → amejiamarmol
Priority: P1 → P2

108

Whiteboard: [geckoview:m107] → [geckoview:m107] [geckoview:m108]
Component: Security: Android → General

Daniel, this bug is marked as a security issue, but it has no sec- rating keyword. What priority do you recommend?

Flags: needinfo?(dveditz)
Priority: P2 → --

sec-moderate.

I thought site permissions were handled by Gecko (not the UI part, obviously) and already handled origin attributes. Is Fenix rolling its own?

Flags: needinfo?(dveditz)

P2 for sec-moderate bug

> I thought site permissions were handled by Gecko (not the UI part, obviously) and already handled origin attributes. Is Fenix rolling its own?

Fenix handles (some?) site permissions in the front end app. IIUC, GeckoView's original design was to be stateless, with no shared user profiles, but that caused a lot of code duplication so we've backed away from that design.

Severity: N/A → S3
Priority: -- → P2

The AC patch that addresses this bug just landed on 109; the Fenix patch will land just after the new AC nightly version is available.

The Fenix patch landed on 109; the fix should be available in the next Fenix nightly update.

Is this something we were thinking we'd eventually want to uplift to 108?

Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(amejiamarmol)
Resolution: --- → FIXED

I think we could let it ride the trains.

Flags: needinfo?(amejiamarmol)
Attached video NotificationNightly.mp4

Verified as fixed on Nightly 109.0a1 from 12/06 with OnePlus 9 Pro (Android 12). The user's allow/deny selection in Normal Browsing Mode is not carried over to Private Browsing Mode in Notification Permission.
If permission for Notifications was previously granted in Normal Browsing, when switching to Private and tapping the Notifications button, a dialog appears asking for the SITE's permission to send notifications.

Status: RESOLVED → VERIFIED
Whiteboard: [geckoview:m107] [geckoview:m108] → [geckoview:m107] [geckoview:m108][adv-main109+]
Alias: CVE-2023-23600
Group: core-security-release
Flags: sec-bounty+