Information Leakage via Logcat

RESOLVED DUPLICATE of bug 799936

Status

Firefox for Android
General
5 years ago
4 years ago

People

(Reporter: Neil Bergman, Unassigned)

Tracking

17 Branch
x86_64
Windows 7
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 696804 [details]
UriGrabber proof-of-concept source code.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11

Steps to reproduce:

The Firefox Browser for Android logs URLs via the android.util.Log class in multiple locations. Therefore, any malicious application (malware or advertising libraries) on the mobile device with the android.permission.READ_LOGS permission could record this information. URLs themselves are interesting since they reveal the browsing history of the user, but URLs could also contain sensitive request parameters such as usernames, email addresses, session identifiers, or passwords that could lead to account compromise depending on how the web application is written and deployed.

The following are example logs acquired using logcat that show that Firefox logs URLs in a number of different locations.

D/GeckoFavicons(17773): Creating LoadFaviconTask with URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US and favicon URL = null
D/GeckoFavicons(17773): Calling loadFavicon() with URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US and favicon URL = null (1)
D/GeckoFavicons(17773): Calling getFaviconUrlForPageUrl() for https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US
D/GeckoFavicons(17773): Downloading favicon for URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US with favicon URL = https://profile.ea.com/favicon.ico
D/GeckoFavicons(17773): LoadFaviconTask finished for URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US (1)

I/GeckoBrowserApp(17773): Favicon successfully loaded for URL = https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB
I/GeckoBrowserApp(17773): Favicon is for current URL = https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB
E/GeckoConsole(17773): [JavaScript Warning: "Error in parsing value for 'background'.  Declaration dropped." {file: "https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB?wicket:bookmarkablePage=:com.wm.mobile.web.rx.privacy.PrivacyPractices" line: 0}]

I/GeckoApp(17773): link rel - [canonical], href - http://www.cnn.com/, size - 0
I/GeckoApp(17773): link rel - [shortcut] [icon], href - http://www.cnn.com/favicon.ie9.ico, size - 0
I/GeckoApp(17773): link rel - [search], href - http://www.cnn.com/tools/search/cnncom.xml, size - 0
I/GeckoApp(17773): link rel - [search], href - http://www.cnn.com/tools/search/cnncomvideo.xml, size - 0
I/GeckoApp(17773): link rel - [apple-touch-icon], href - http://i.cdn.turner.com/cnn/.e/img/3.0/global/misc/apple-touch-icon.png, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://rss.cnn.com/rss/cnn_topstories.rss, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://rss.cnn.com/rss/cnn_latest.rss, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://edition.cnn.com/, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://arabic.cnn.com/, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://mexico.cnn.com/, size - 0

I've included a proof-of-concept Android service that records logs that appear to have URLs, session identifiers, or passwords, and writes this information to the SD card (requires android.permission.READ_LOGS and android.permission.WRITE_EXTERNAL_STORAGE permissions).  Actual malicious software would most likely send this information to a web server.



Expected results:

The application should avoid logging any sensitive data.

I think all of the examples you quote were fixed by bug 770912 (fixed for Firefox 18). This is probably a dupe?

Duplicate of this bug: 825695
Flags: sec-bounty?

(In reply to Neil Bergman from comment #0)
> E/GeckoConsole(17773): [JavaScript Warning: "Error in parsing value for
> 'background'.  Declaration dropped." {file:
> "https://mobile.walmart.com/m/pharmacy;
> jsessionid=83CB330691854B071CD172D41DC2C3AB?wicket:bookmarkablePage=:com.wm.
> mobile.web.rx.privacy.PrivacyPractices" line: 0}]

I haven't looked through all the examples to see if kats's patch in bug 770912 fixes them, but I definitely don't see a fix for this one. :(

(In reply to Reed Loden [:reed] from comment #3)
> (In reply to Neil Bergman from comment #0)
> > E/GeckoConsole(17773): [JavaScript Warning: "Error in parsing value for
> > 'background'.  Declaration dropped." {file:
> > "https://mobile.walmart.com/m/pharmacy;
> > jsessionid=83CB330691854B071CD172D41DC2C3AB?wicket:bookmarkablePage=:com.wm.
> > mobile.web.rx.privacy.PrivacyPractices" line: 0}]
> 
> I haven't looked through all the examples to see if kats's patch in bug
> 770912 fixes them, but I definitely don't see a fix for this one. :(

We only plan to fix this error console logging for private browsing tabs. See bug 799936.

Attachment #696804 - Attachment mime type: text/plain → application/rar
Group: core-security

Anyone have a problem with duping this to bug 799936 ?

Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to Mark Finkle (:mfinkle) from comment #5)
> Anyone have a problem with duping this to bug 799936 ?

Have you confirmed that all the issues mentioned above (except the other one) were fixed by kats's patch?

(In reply to Reed Loden [:reed] from comment #6)
> (In reply to Mark Finkle (:mfinkle) from comment #5)
> > Anyone have a problem with duping this to bug 799936 ?
> 
> Have you confirmed that all the issues mentioned above (except the other
> one) were fixed by kats's patch?

Yes. I checked the current m-c repo for the Log calls generating the other output. All were removed.

Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 799936
Flags: sec-bounty? → sec-bounty-
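
Added example, not part of the bug report or of Firefox's code: a regression check that can be run over logcat text captured from a test build to confirm that no remaining Log call writes URLs or session parameters. The log tags mirror those quoted in the report; the SENSITIVE name list, hostnames and session IDs are assumptions constructed for illustration.

```python
import re
from collections import Counter

# logcat "brief" format used in the report: <level>/<tag>(<pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/([^(]+)\(\s*\d+\): (.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>\]]+")
# Parameter names after ';', '?' or '&'. ';' covers path parameters such as
# ";jsessionid=...", which sit in the path and survive query stripping.
PARAM_RE = re.compile(r"[;?&]([A-Za-z_][\w.\-]*)=")
# Assumed starting list of names to treat as secrets; extend per application.
SENSITIVE = {"jsessionid", "sessionid", "sid", "token", "password", "email", "username"}


def classify(url):
    """Return 'secret-param:<names>' if the URL carries a sensitive parameter, else 'url'."""
    names = sorted({n.lower() for n in PARAM_RE.findall(url)} & SENSITIVE)
    return "secret-param:" + ",".join(names) if names else "url"


def audit(log_text):
    """Return findings as (tag, level, kind). The URL itself is never returned,
    so the audit report does not become a second copy of the leak."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        level, tag, message = m.groups()
        for url in URL_RE.findall(message):
            findings.append((tag.strip(), level, classify(url)))
    return findings


def summarize(findings):
    """Count findings per (tag, kind) so each offending Log call site can be located."""
    return Counter((tag, kind) for tag, _level, kind in findings)


# Constructed sample in the shape of the lines quoted in the report (hosts and IDs are made up).
SAMPLE = """\
D/GeckoFavicons(17773): Downloading favicon for URL = https://shop.example.test/login.do?next=http://forum.example.test/login.page;jsessionid=0123456789ABCDEF&locale=en_US with favicon URL = https://shop.example.test/favicon.ico
I/GeckoBrowserApp(17773): Favicon is for current URL = https://m.example.test/pharmacy;jsessionid=FEDCBA9876543210
I/GeckoApp(17773): link rel - [canonical], href - http://news.example.test/, size - 0
I/ActivityManager(  312): Displayed org.example/.App: +512ms
"""

if __name__ == "__main__":
    for (tag, kind), n in sorted(summarize(audit(SAMPLE)).items()):
        print(f"{tag:18} {kind:28} {n}")
```

Any non-empty result for the application's own tags on a release build means a URL is still reaching the shared log; a `secret-param` finding is the higher-priority case.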