Open Bug 2023970 Opened 3 months ago Updated 2 months ago

about:support can leak PII via audio device names

Categories

(Core :: Audio/Video: cubeb, defect, P2)

Product:
Core
Component:
Audio/Video: cubeb
Platform:
Desktop
All
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox150 --- affected

People

(Reporter: mbeier, Unassigned)

References

Details

Audio device names can contain PII which gets exported when copying the table or JSON in about:support. We should keep showing them in the table but not include the parts with PII when exporting.

The problem is especially common on Apple devices because their names include the user's real name by default, e.g., "Tom's AirPods".

Component: General → Web Audio
Product: Toolkit → Core
Severity: -- → S2
Priority: -- → P2

Moritz, will you be picking this up or will the media team need to look at this?

Flags: needinfo?(mbeier)

I can write a patch but do you have an idea that doesn't involve censoring all audio device names? I first thought you could check if the vendor is Apple Inc. but it looks like the vendor field is empty on some apple devices (and of course other device names could also contain PII).

Flags: needinfo?(mbeier) → needinfo?(jmathies)

That would probably be bad. Karl, we have some private info getting exposed through about:support text and we want to try and obfuscate it without impacting our ability to debug. Care to comment here? You might have some thoughts.

Flags: needinfo?(jmathies) → needinfo?(karlt)
See Also: → CVE-2020-6812

If device names were always English, we could strip to the apostrophe and 's'.
I haven't verified, but Gemini thinks that this is localized to other languages such as French "iPhone de [Nom]".

I considered presenting cubeb_device_info::device_id instead, but that can contain specific hardware identifiers such as bluez_output.08_EB_ED_75_BE_6B.1 which is perhaps worse.

Bug 1616661 special cased "AirPods". I guess the number of Apple products might be finite at any one time, but this seems problematic to need to keep up to date.

We might need to ask users for a screenshot of the Output/Input Devices section, instead of copying to clipboard, if we need to know the devices.

ni?padenot in case he has any other ideas.

Component: Web Audio → Audio/Video: cubeb
Flags: needinfo?(karlt) → needinfo?(padenot)

We discussed redacting the name when the transport is Bluetooth, this will catch all cases. It will be a little bit annoying sometimes, but that's life. I don't know of a wired (usb -- TRS can't have the issue) headphone that does this, but it's possible that e.g. Airpod Max have a name with the owner (I don't own a pair).

Apple isn't alone in doing this, I know Samsung true wireless earbuds do the same at the very least, probably others.

For reference in French, it says: "Airpods de Paul" (Literally "Airpods of Paul") as Karl/Gemini says, so pattern matching is going to be hard and will need a long list (to catch all brands).

Cubeb doesn't expose transport in cubeb_device_info, but this is fixable without too much trouble. Our backends internally know the transport, this is used for other reasons (mostly matching the right input/output devices in bluetooth accross profiles, and sometimes using deeper buffers to avoid glitches).

Flags: needinfo?(padenot)

Andreas pointed out that a remote phone microphone is not necessarily connected via bluetooth, so we'd need to bucket network transport devices.

You need to log in before you can comment on or make changes to this bug.