Flash cookies remembered outside Private Browsing




10 years ago
9 years ago


(Reporter: scott, Unassigned)



Firefox Tracking Flags

(Not tracked)



User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

Cookies stored internally by the Adobe Flash Player that are set during a Private Browsing session are not removed at the termination of the session. This potentially poses a way for an attacker to craft a malicious Flash application to violate user privacy.

Reproducible: Always

Steps to Reproduce:
1. Begin a Private Browsing session.
2. Navigate to http://www.candystand.com/play/vector-td
3. Select a level and start a game.
4. Restart Firefox, but do not enable Private Browsing.
5. Return to URL above.

Actual Results:
The game will load the level you selected during the Private Browsing session.

Expected Results:  
The game will load its default level.
Whiteboard: DUPEME
Group: core-security
Depends on: 290456
Keywords: privacy
Whiteboard: DUPEME
This is basically a bug in Flash, not Mozilla. They need to hook into PB and respect its settings. Mozilla can't really police the privacy practices of 3rd party plugins.

See bug 471331, bug 290456.
(if there's a good one to dupe this to, someone please do so)
Closed: 10 years ago
Resolution: --- → INVALID
I understand your point about policing third-party plugins, of course. However,
at present Firefox is offering an open door to any third party developer to
completely ruin the entire point of Private Browsing.

Some of the comments at bug 290456 are right - there needs to be UI for
clearing this data. If not, perhaps third-party plugins should be given some
kind of space inside Firefox itself to store their data, which could be covered
by Clear Private Data/Private Browsing. I don't know.

Anyway, that's my 2c on the matter, which has made me feel much less confident
about using PB in general. Thanks.
I agree with your frustration here. I personally use a little Bash script to clean up the Flash stuff frequently, and the BetterPrivacy extension was written to solve this sort of issue as well. (mentioned in bug 290456 comment 21) The annoying truth is that whenever you install someone's software (including add-ons) you're at the mercy of their individual privacy practices.

The ideal route for this, of course, is for Adobe to implement Firefox's privacy systems on their end. (and if they want to they can reopen this to track things here) Fundamentally, though, this is not a valid Mozilla bug. I wish it was something Mozilla could just do; LSOs have always bugged me too. ;)
OS: Windows XP → All
Hardware: x86 → All
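
A cleanup of the kind mentioned in the comment above, as an added example (it is not the commenter's script, nor Mozilla or Adobe code). It assumes the Linux Flash Player storage root `~/.macromedia/Flash_Player`, and the function names and the marker-file approach are illustrative: touch a marker file when the private session starts, then list or delete only the `.sol` files written after it.

```shell
#!/bin/sh
# Added example: audit and purge Flash Local Shared Objects (LSOs, *.sol)
# that were written after a marker file, e.g. one touched at the start of
# a Private Browsing session.

# Assumption: default Linux storage root; override FLASH_ROOT elsewhere
# (Windows keeps LSOs under %APPDATA%\Macromedia\Flash Player).
FLASH_ROOT="${FLASH_ROOT:-$HOME/.macromedia/Flash_Player}"

# list_new_lsos MARKER [ROOT]: print every .sol file newer than MARKER.
list_new_lsos() {
    marker=$1
    root=${2:-$FLASH_ROOT}
    [ -d "$root" ] || return 0
    find "$root" -type f -name '*.sol' -newer "$marker" -print
}

# count_new_lsos MARKER [ROOT]: number of LSOs newer than MARKER.
# (Line-based count; assumes no newlines in file names.)
count_new_lsos() {
    list_new_lsos "$@" | wc -l | tr -d ' '
}

# purge_new_lsos MARKER [ROOT]: delete LSOs newer than MARKER and print
# how many were removed. Older LSOs and non-.sol files are left alone.
purge_new_lsos() {
    marker=$1
    root=${2:-$FLASH_ROOT}
    [ -d "$root" ] || { echo 0; return 0; }
    n=$(count_new_lsos "$marker" "$root")
    find "$root" -type f -name '*.sol' -newer "$marker" -exec rm -f -- {} +
    echo "$n"
}

# Typical use (not run automatically):
#   touch /tmp/pb-start        # when the private session begins
#   list_new_lsos /tmp/pb-start    # review what the session left behind
#   purge_new_lsos /tmp/pb-start   # remove it
```
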
We (Adobe) are planning to support private browsing in a forthcoming release of Flash Player - we appreciate Mozilla (Josh Aas) proposing and implementing an NPAPI addition that will allow us to do this! :D

We welcome co-operating with Mozilla to improve the privacy experience for those using the Flash Player in Firefox, as we welcome working with all browser vendors to maintain users' privacy on the web.
Depends on: 508167

The next big release for Adobe Flash Player, 10.1, will allow private browsing while web surfing in supported browsers. Flash Player will automatically clear your flash history data off your computer once you terminate the session.

Adobe Flash Player will only work on supported web browsers with private browsing, including:

Mozilla Firefox 3.5+