Closed Bug 1967702 Opened 9 months ago Closed 9 months ago

Private tabs are accessible without authentication when opening a link in a private tab from a non-private page

Categories

(Firefox for Android :: Privacy, defect)

Product:
Firefox for Android
Component:
Privacy
Version:
Firefox 140
Platform:
All
Android
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
141 Branch
Tracking Flags:
Tracking Status
firefox138 --- unaffected
firefox139 --- unaffected
firefox140 + verified
firefox141 --- verified

People

(Reporter: vtamas, Assigned: mavduevskiy)

References

Details

(Whiteboard: [fxdroid][group2])

Attachments

(4 files)

OpenLinkInPrivateTab.mp4
6.80 MB, video/mp4
Details
Bug 1967702 - Update appstate from BaseBrowserFragment
48 bytes, text/x-phabricator-request
Details | Review
Bug 1967702 - Update appstate from BaseBrowserFragment
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
20250530_143102.mp4
4.70 MB, video/mp4
Details

Preconditions

Lock tabs feature is enabled.

Steps to reproduce

  1. Open at least one private tab.
  2. Switch to non-private mode.
  3. Minimize and restore the app.
  4. Navigate to a webpage in normal browsing, long tap on a link and select "Open link in new tab"
  5. Tap on "Switch" button from snackbar.
  6. Swipe the address bar in order to visit the other opened private tabs.

Expected behavior

Biometric authentication is prompted either before opening a link in private mode or when swiping to access already opened private tabs.

Actual behavior

Biometric authentication is not required, allowing private tabs to be accessed by swiping the address bar.

Device information

  • Firefox version: Firefox for Android Nightly 140 (2025-05-20)
  • Android device model: Samsung S24 Ultra (Android 14), Google Pixel 8 (Android 15)

Additional information

This issue is also reproducible when opening a top site from homescreen by long tapping and selecting "Open in private tab".

Whiteboard: [fxdroid][group2]
Assignee: nobody → gmalekpour

There are multiple cases when switching between private tabs results in incorrect appstate since mainly update it from the homepage (and tabstrip) but BrowserFragment is relying on BrowserModeManager and appstate isn't being updated.

I believe that's a safe change. Reads happen on HomeFragment after it updated the appstate.mode during onCreateView so we don't interfier with existing flow. This targets specifically tab page, that doesn't have logic related to appstate.mode.

Also, there are cases of updating state from the tabstrip and tabstraycontroller, so I don't expect new side-effects.

Attachment #9491087 - Attachment description: WIP: Bug 1967702 - Update appstate from BaseBrowserFragment → Bug 1967702 - Update appstate from BaseBrowserFragment
Assignee: gmalekpour → mavduevskiy
Flags: qe-verify+
Pushed by gmalekpour@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6355f5807d0a Update appstate from BaseBrowserFragment r=android-reviewers,twhite,gmalekpour

https://hg.mozilla.org/mozilla-central/rev/6355f5807d0a

Status: NEW → RESOLVED
Closed: 9 months ago
status-firefox141: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch

The patch landed in nightly and beta is affected.
:mavduevskiy, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(mavduevskiy)

There are multiple cases when switching between private tabs results in incorrect appstate since mainly update it from the homepage (and tabstrip) but BrowserFragment is relying on BrowserModeManager and appstate isn't being updated.

I believe that's a safe change. Reads happen on HomeFragment after it updated the appstate.mode during onCreateView so we don't interfier with existing flow. This targets specifically tab page, that doesn't have logic related to appstate.mode.

Also, there are cases of updating state from the tabstrip and tabstraycontroller, so I don't expect new side-effects.

Original Revision: https://phabricator.services.mozilla.com/D251424

Attachment #9491516 - Flags: approval-mozilla-beta?

Requested uplift here https://phabricator.services.mozilla.com/D251724

firefox-beta Uplift Approval Request

  • User impact if declined: Without this patch, private tabs are accessible without authentication when opening a link in a private tab from a non-private page
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: Steps outlined in ticket 1967702
  • Risk associated with taking this patch: medium to low
  • Explanation of risk level: This impacts homepage and any othersurfaces using base browser fragment. However, without this change an attacker can gain access to a user's presumably locked private browsing so it is needed.
  • String changes made/needed: n/a
  • Is Android affected?: yes
Attachment #9491516 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attached video 20250530_143102.mp4

This issue is verified as fixed on Firefox for Android Nightly 141 (2025-05-29) using Samsung S24 Ultra (Android 14), Google Pixel 8 (Android 15) and Xiaomi 12T (Android 12). Confirming that the Biometric authentication is prompted when switching to Private Mode.

Status: RESOLVED → VERIFIED
status-firefox141: fixedverified
Flags: qe-verify+
Flags: needinfo?(mavduevskiy)
See Also: → 1967697
See Also: → 1967950
Blocks: 1967950

This issue is verified as fixed on Firefox 140 beta 5 on Samsung Galaxy S24 Ultra (Android 15) and Xiaomi 12T (Android 12). Confirming that the Biometric authentication is prompted when taping on "Switch" button from the snackbar.

status-firefox140: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: