Closed Bug 1853900 Opened 2 years ago Closed 2 years ago

[HackerOne] allows indexing other people's profiles

Categories

(Firefox Profiler :: Security, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: frida, Unassigned)

References

Details

(Keywords: csectype-disclosure, reporter-external, sec-low)

Link: https://hackerone.com/reports/2146579
Date: 2023-09-13 12:13:21 UTC
By: novan78
Weakness: Misconfiguration

Details:
Previously I really didn't know whether this could be called a vulnerability or not, because I didn't know what the function of profiler.firefox.com was.

But instead of continuing to ask myself, it's better if I send it to gain new experience, even though I know my report may be closed as Informative or N/A.

The vulnerability is that it allows viewing of other people's Firefox profiles, see PoC below:
https://web.archive.org/cdx/search/cdx?url=profiler.firefox.com/*&collapse=urlkey&output=text&fl=original

https://profiler.firefox.com/public/zhhz3ghqj00sh11cmngp8knqa29xwnt3v3yhr9g/flame-graph/?globalTrackOrder=0-1&localTrackOrderByPid=8003-1-0~8288-0~&thread=2&v=5

{F2695083}


Repair
Contact the Internet Archive so that it does not index profiler.firefox.com.
Add to the robots.txt file:

User-agent: *
Disallow: /

Add a <meta> tag to your HTML page to tell search engines not to index that page.

If you are using an Apache server, you can configure the .htaccess file to block search engine indexing:

Header set X-Robots-Tag "noindex, nofollow"

Impact

view other people's profiles

Group: websites-security → firefox-core-security
Component: Other → Security
Product: Websites → Firefox Profiler

Hello Julien,

Can you please take a look at this report? The reporter found a large number of profiles indexed in the Internet Archive. I see that those profiles might have been meant to be shared publicly, but I wanted to confirm with you that this is ok.

I see that there is an option to re-upload the profile; what would be the impact if someone overrides these profiles?

Unfortunately, the Internet Archive does not honor the no-indexing directives for robots, but we have the option to request IA not to archive those links.

Thanks,
Frida

Flags: needinfo?(felash)

Hey Frida, thanks for the report!

Is it safe to assume that if they are on the Internet Archive, it means their URL is linked from some other webpage? If that's the case, then I believe they're meant to be public. Not all uploaded profiles are meant to be public, but I'd assume that the not-public ones wouldn't be linked from other webpages and therefore wouldn't be on the Internet Archive.

Also, I tried a few of the links from the list in the Internet Archive, and they don't work there. There's a JS error I don't really understand...

Finally, it's good to remember that the actual data isn't stored on profiler.firefox.com but on Google Cloud, and I'm not sure that is indexed in IA.

> I see that there is an option to re-upload the profile, what would be the impact if someone overrides these profiles?

Every new upload generates a new ID on the server side, so there's no way to overwrite an existing profile unless there's a collision (and we use 24 bytes of randomness so this is very unlikely).
Only the person who uploaded a profile can delete it (a JWT is stored on the client side to ensure this).

> I see that there is an option to re-upload the profile, what would be the impact if someone overrides these profiles?

I believe we made it clear in the profiler's sharing panel that the shared data is public, the text is like this:
"Upload your profile and make it accessible to anyone with the link."
If you think this could be improved, we can definitely adjust this text.

What do you think?

Flags: needinfo?(felash)

Thanks Julien.

The reporter pointed out something and I agree with them: the text mentions that those profiles are accessible to anyone with the link, which means that those links should not be indexed or archived, to prevent the profiles from being accessed publicly.

At first glance, I didn't see any information about the user who shared the profile; however, in the network tab, I can see the sites visited by the user, is that correct? I am looking at this link, https://profiler.firefox.com/public/cq39b3t8627wf7ccvq3re5q9cccakhsxpz6stvr/calltree/.

Regarding the point on how the links ended up in the Internet Archive, we received many similar reports and we don't understand how this is happening. IA indexes pages and URLs when someone asks IA to archive a page, but IA should not crawl for similar URLs and archive them. We already asked them about this issue and they didn't give us any useful information.

I recommend that we prevent indexing for those links, by adding a robots.txt file or directives in the HTML to disallow indexing. I can also request IA not to archive those URLs.

Thanks,
Frida

If I understand properly, the issue is that IA references these URLs, and therefore we can access them directly. The issue is not that we can access them through the IA frontend.

Ideally we would still index the homepage and our documentation, but we can disallow indexing /public/ and other similar paths.
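The two remediation shapes discussed in this bug, the reporter's blanket `Disallow: /` plus an `X-Robots-Tag` header, and Julien's path-scoped variant that keeps the homepage and documentation indexable while disallowing `/public/` and similar paths, can be checked offline. The script below is an added example, not code from the bug or from the Firefox Profiler project: it runs a throwaway local HTTP server for each robots.txt policy (both policy texts are constructed here; the real robots.txt contents are not quoted in this bug), sends `X-Robots-Tag: noindex, nofollow` on shared-profile paths, and then audits a few paths with `urllib.robotparser` and a header fetch. The `/from-url/` prefix and the `EXAMPLE_PROFILE_ID` path segment are assumed placeholders, not values from the project.

```python
"""Audit robots.txt and X-Robots-Tag coverage against a local mock origin.

Added example; the policies and paths are constructed, not the project's own.
"""
import threading
import urllib.request
import urllib.robotparser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore any http_proxy environment so loopback requests stay local.
urllib.request.install_opener(
    urllib.request.build_opener(urllib.request.ProxyHandler({})))

# Constructed policy A: the reporter's blanket rule (also hides homepage and docs).
BLANKET_ROBOTS = "User-agent: *\nDisallow: /\n"
# Constructed policy B: keep "/" and docs crawlable, block shared-profile paths.
SCOPED_ROBOTS = (
    "User-agent: *\n"
    "Disallow: /public/\n"
    "Disallow: /from-url/\n"   # assumed example of an "other similar path"
    "Allow: /\n"
)
# Paths that additionally get a header-level directive (both policies).
NOINDEX_PREFIXES = ("/public/", "/from-url/")


def make_handler(robots_txt):
    """Build a request handler serving robots_txt and a dummy page elsewhere."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == "/robots.txt":
                body, ctype = robots_txt.encode(), "text/plain"
            else:
                body, ctype = b"<html><body>profile view</body></html>", "text/html"
            self.send_response(200)
            self.send_header("Content-Type", ctype)
            # Equivalent of the Apache "Header set X-Robots-Tag ..." suggestion,
            # applied only to the shared-profile prefixes.
            if self.path.startswith(NOINDEX_PREFIXES):
                self.send_header("X-Robots-Tag", "noindex, nofollow")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass
    return Handler


def serve(robots_txt):
    """Start a background server on a random loopback port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(robots_txt))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def audit(base_url, paths, agent="*"):
    """Map each path to (crawlable per robots.txt, X-Robots-Tag contains noindex)."""
    rp = urllib.robotparser.RobotFileParser(base_url + "/robots.txt")
    rp.read()  # fetches and parses the policy the same way a crawler would
    results = {}
    for p in paths:
        with urllib.request.urlopen(base_url + p) as resp:
            tag = resp.headers.get("X-Robots-Tag", "")
        results[p] = (rp.can_fetch(agent, base_url + p), "noindex" in tag)
    return results


def compare_policies():
    """Audit the same paths under the blanket and the path-scoped policy."""
    paths = ["/", "/docs/", "/public/EXAMPLE_PROFILE_ID/calltree/"]  # placeholder id
    out = {}
    for name, robots in (("blanket", BLANKET_ROBOTS), ("scoped", SCOPED_ROBOTS)):
        server, base = serve(robots)
        try:
            out[name] = audit(base, paths)
        finally:
            server.shutdown()
            server.server_close()
    return out


if __name__ == "__main__":
    for name, res in compare_policies().items():
        print(name)
        for p, (crawlable, noindex) in res.items():
            print("  %-40s crawlable=%-5s X-Robots-Tag noindex=%s" % (p, crawlable, noindex))
```

The output shows why the scoped policy is the better fit for this bug: under the blanket policy even `/` is reported as not crawlable, while the scoped policy leaves the homepage and `/docs/` crawlable and marks the shared-profile path both disallowed in robots.txt and `noindex` at the header level. Against the live site the same two checks are what `curl -s https://profiler.firefox.com/robots.txt` and `curl -sI <profile URL>` would show; keep in mind, as Frida notes, that robots directives are advisory for archivers, so the IA removal request remains a separate step.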

> If I understand properly, the issue is that IA references these URLs, and therefore we can access them directly

Yes, exactly. Since we're saying that anyone with access to the link can view the profile, if we continue to allow those links to be indexed then they will be shared publicly.

The robots.txt has been deployed => https://profiler.firefox.com/robots.txt <= Note that you might not see it in Firefox because of the service worker, but you can check it works using curl.

Sounds good. I also sent a request to IA not to archive links on those paths.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Internet Archive removed indexed profile URLs from the archive.

Group: firefox-core-security → core-security-release
Type: enhancement → defect
Group: core-security-release