Open Bug 1826842 Opened 1 year ago Updated 11 months ago

Visiting discord.gg invite link bypasses private browsing due to its local server

Categories

(Firefox :: Private Browsing, defect, P3)

People

(Reporter: nika, Unassigned)

Details

(Keywords: privacy, sec-want)

When visiting a Discord server's invite link within the browser, it appears the Discord site accesses a server on the local machine, sending information about the site being loaded to the Discord client. By using this rather than normal external protocol handlers, this bypasses user interaction requirements and other private browsing protections, sending the information directly to the user's running Discord instance.

This appears to also impact Chrome's Incognito mode, as neither blocks nor requires user consent to send requests to URLs like loopback IP addresses.

Is this ultimately a networking issue, cf. bug 354493 and friends?

(In reply to :Gijs (he/him) from comment #1)
> Is this ultimately a networking issue, cf. bug 354493 and friends?

Thanks, that's the bug I was looking for. Bug 1641357 looks similar too. Since it's public, should this bug be public too?

Blocking this on a network level makes sense to me. We could also ship a restriction to just private browsing windows assuming the issue is more critical there and that there is less breakage because fewer users expect / want their PBM to talk to local applications.

(In reply to :Gijs (he/him) from comment #1)
> Is this ultimately a networking issue, cf. bug 354493 and friends?

Yeah, it's similar to that bug, but with the local network participating in the interaction. Not really a security issue to a certain extent, but for the private browsing "we don't leak your browsing history" POV it's a bit unfortunate.

I imagine that ideally when we're in PBM we'd be able to prompt the user and ask them for explicit consent for the given website to access resources from their local network/machine, stalling the network fetch until the user has approved/rejected the fetch, but perhaps that's a bit tricky to do. It seems similar to how we handle custom protocols for loading other local applications (like zoom links), but in quite a different way.

This sort of thing is also a potential risk for fingerprinting, as a site could e.g. detect whether or not you have discord installed.

EDIT: Yeah, this could probably be public, I just made it private out of an overabundance of caution.
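
A sketch of the check the comments above describe (restricting loopback requests at the network level, and asking for consent in private windows), as an added example that is not part of the bug thread or of Firefox's code. The names `isLoopbackHost` and `checkRequest`, the allow/prompt policy, and the sample URLs and port are assumptions made for illustration.

```javascript
// Added illustration; function names and the policy are hypothetical.

// True if `hostname` (as returned by URL.hostname) names the loopback interface.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  // IPv4-mapped IPv6 form of 127.0.0.0/8, as the URL parser serialises it.
  if (/^\[::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}\]$/.test(host)) return true;
  // The URL parser has already normalised hex/integer IPv4 to dotted decimal.
  const m = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  return m !== null && Number(m[1]) === 127;
}

// Assumed policy: a page that is not itself served from loopback may not reach
// a loopback resource from a private window without the user's consent.
// Normal windows keep today's behaviour ("allow").
function checkRequest({ pageUrl, requestUrl, privateBrowsing }) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl, page); // resolves relative URLs too
  const crossesToLoopback =
    isLoopbackHost(target.hostname) && !isLoopbackHost(page.hostname);
  if (!crossesToLoopback) return "allow";
  return privateBrowsing ? "prompt" : "allow";
}

// Constructed sample requests; hosts, port and paths are placeholders.
const samples = [
  { pageUrl: "https://invite.example/abc",
    requestUrl: "http://127.0.0.1:12345/rpc", privateBrowsing: true },
  { pageUrl: "https://invite.example/abc",
    requestUrl: "ws://localhost:12345/", privateBrowsing: true },
  { pageUrl: "https://invite.example/abc",
    requestUrl: "/static/app.js", privateBrowsing: true },
  { pageUrl: "https://invite.example/abc",
    requestUrl: "http://127.0.0.1:12345/rpc", privateBrowsing: false },
  { pageUrl: "http://localhost:3000/dev",
    requestUrl: "http://127.0.0.1:12345/rpc", privateBrowsing: true },
];

function runSamples() {
  return samples.map((s) => checkRequest(s));
}

console.log(runSamples());
```

Because the decision is made on the parsed hostname, alternative spellings of the loopback address are covered by the same check.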

There's a proposal to address bug 354493 attacks from malicious sites by requiring CORS, but in this case the discord site and the discord server work together so that won't help. Is it a discord bug that they ought to respect private browsing? Do we need to have an explicit "you're private" property sites can test? They can already figure it out but having an explicit value sends the message that we think they should check! Maybe that's a bad idea though and we're trying to address the leaky ways it's detected.

Group: firefox-core-security
Keywords: privacy, sec-want
Not accessible to reporter
Summary: Visiting discord.gg invite link bypasses private browsing → Visiting discord.gg invite link bypasses private browsing due to its local server

(In reply to Daniel Veditz [:dveditz] from comment #4)
> There's a proposal to address bug 354493 attacks from malicious sites by requiring CORS, but in this case the discord site and the discord server work together so that won't help. Is it a discord bug that they ought to respect private browsing? Do we need to have an explicit "you're private" property sites can test?

We don't and I don't think we want to have one - PB should be transparent to websites, and it's a bug that it isn't. The main vector I'm aware of that inadvertently allows for detection right now is indexeddb, and people are actively working to close that gap, AIUI.

> Maybe that's a bad idea though and we're trying to address the leaky ways it's detected.

Right. But the localhost server is bad for other reasons... we went over this with the zoom folks or one of the other external tools at one point, if I recall - the http server used usually has flaws of one variety or another. It may be more useful to reach out to discord and tell them "don't do that".

localhost is the new NPAPI plugin or ActiveX. Not so much for drawing content on the page as plugins typically did, but as a way for the page to interact with or control the local system. It's usually terrible.

The severity field is not set for this bug.
:timhuang, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tihuang)
Severity: -- → S3
Flags: needinfo?(tihuang)
Priority: -- → P3

Sounds like a potential duplicate of bug 1641357?
