[FIX]Websites can test for URLs visited (pdp Firefox Cache Hack - Firefox History Hack redux)

RESOLVED FIXED

Status

()

Core
Security
--
minor
RESOLVED FIXED
11 years ago
4 years ago

People

(Reporter: BenB, Assigned: bz)

Tracking

({fixed1.8.0.12, fixed1.8.1.4, privacy})

1.8 Branch
fixed1.8.0.12, fixed1.8.1.4, privacy
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Subject: Firefox Cache Hack - Firefox History Hack redux
From: "pdp (architect)" <pdp.gnucitizen@googlemail.com>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
	"WASC Forum" <websecurity@webappsec.org>
Date: Fri, 23 Feb 2007 12:32:29 +0000
Message-ID: <6905b1570702230432q5a0a5b7eq4839d709748f9b90@mail.gmail.com>


http://www.gnucitizen.org/projects/hscan-redux/

[...]

This vulnerability is not a reworked version of Jeremiah Grossman
history hack. It is completely different and it should be treated as a
new issue. The peculiar thing about this vulnerability is that it
tells you which URLs you have attended during the current browser
session (the last time you opened your browser). I am not sure how
useful this is.

Keep in mind that attackers can abuse this vulnerability in order to
extract valuable information about your browsing habits. They can also
use this hack to precisely detect whether you are logged into your
router management interface. They can use this hack to detect your
router type and version as well. Based on this information, they might
be able to compromise the integrity of your network.

The POC is located [... below]. If all checks show up as NOT visited, then visit one of the listed URLs and retest again.

http://www.gnucitizen.org/projects/hscan-redux/poc.htm
(Reporter)

Comment 1

11 years ago
It seems you can only test for specific URLs, not really getting the list. Compare bug 147777.
So on trunk this doesn't work at all, because CheckLoadURI blocks the loads.  On branch, it doesn't because about: is a ChromeProtocol and <script> is allowed to load such on branch (because we want to allow loading of chrome:// scripts or something).

Now why the heck is about: a ChromeProtocol instead of a DenyProtocol?  It used to be the latter, but then the change to implement about:about in bug 56061 changed it.  The comments about the security implications of that change in that bug are completely bogus.  It allowed a heck of a lot more than chrome:// URIs to load about: URIs.  And more importantnly, chrome:// should already have the system principal, so on the 1.8 branch (where we use CheckLoadURIWithPrincipal in all the sane cases) we really don't need that change.
Created attachment 256194 [details] [diff] [review]
Fix
Assignee: dveditz → bzbarsky
Status: NEW → ASSIGNED
Attachment #256194 - Flags: superreview?(dveditz)
Attachment #256194 - Flags: review?(dveditz)
Summary: Websites can test for URLs visited (pdp Firefox Cache Hack - Firefox History Hack redux) → [FIX]Websites can test for URLs visited (pdp Firefox Cache Hack - Firefox History Hack redux)
Created attachment 256196 [details] [diff] [review]
Regression test

Comment 5

11 years ago
Why should <script> be able to load chrome:// ?
Long story which doesn't really belong here.  See bug 292789.
Comment on attachment 256194 [details] [diff] [review]
Fix

r/sr=dveditz
Attachment #256194 - Flags: superreview?(dveditz)
Attachment #256194 - Flags: superreview+
Attachment #256194 - Flags: review?(dveditz)
Attachment #256194 - Flags: review+
Note that this means on-disk help pages can't link to things like about:license or about:credits.  Not worth opening privacy holes for, but prepare for complaints.
Keywords: privacy
Attachment #256194 - Flags: approval1.8.1.3?
Attachment #256194 - Flags: approval1.8.0.11?
Not sure why this was filed as a trunk bug, since the issue is branch-only.
Version: Trunk → 1.8 Branch
> Note that this means on-disk help pages 

Hmm... Are those something we ship?
we (Mozilla) don't, no, but some distros/OEMs might. But then, I'm not sure they're linking to about: anything from there. Just thought I'd mention it in case it reminded someone of a similar use.
Comment on attachment 256194 [details] [diff] [review]
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #256194 - Flags: approval1.8.1.4?
Attachment #256194 - Flags: approval1.8.1.4+
Attachment #256194 - Flags: approval1.8.0.12?
Attachment #256194 - Flags: approval1.8.0.12+
Fixed on both branches, tests checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Flags: in-testsuite+
Keywords: fixed1.8.0.12, fixed1.8.1.4
Resolution: --- → FIXED
Depends on: 936809
You need to log in before you can comment on or make changes to this bug.