Closed Bug 825695 Opened 12 years ago Closed 12 years ago

Firefox for Android logs URLs via the android.util.Log class in multiple locations

Categories

(Firefox for Android Graveyard :: General, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 825685

People

(Reporter: abillings, Unassigned)

Details

Attachments

(1 file)

Neil Bergman (nbergman@cigital.com) reported the following:

The Firefox Browser for Android logs URLs via the android.util.Log class in multiple locations.  Therefore, any malicious application (malware or advertising libraries) on the mobile device with the android.permission.READ_LOGS could record this information.  URLs themselves are interesting since they reveal the browsing history of the user, but URLs could also contain sensitive request parameters such as usernames, email addresses, session identifiers, or passwords that could lead to account compromise depending on how the web application is written and deployed.
 
The following are example logs acquired using logcat that show that Firefox logs URLs in a number of different locations.

D/GeckoFavicons(17773): Creating LoadFaviconTask with URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US and favicon URL = null

D/GeckoFavicons(17773): Calling loadFavicon() with URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US and favicon URL = null (1)

D/GeckoFavicons(17773): Calling getFaviconUrlForPageUrl() for https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US

D/GeckoFavicons(17773): Downloading favicon for URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US with favicon URL = https://profile.ea.com/favicon.ico

D/GeckoFavicons(17773): LoadFaviconTask finished for URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US (1)

I/GeckoBrowserApp(17773): Favicon successfully loaded for URL = https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB

I/GeckoBrowserApp(17773): Favicon is for current URL = https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB

E/GeckoConsole(17773): [JavaScript Warning: "Error in parsing value for 'background'.  Declaration dropped." {file: "https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB?wicket:bookmarkablePage=:com.wm.mobile.web.rx.privacy.PrivacyPractices" line: 0}]

I/GeckoApp(17773): link rel - [canonical], href - http://www.cnn.com/, size - 0

I/GeckoApp(17773): link rel - [shortcut] [icon], href - http://www.cnn.com/favicon.ie9.ico, size - 0

I/GeckoApp(17773): link rel - [search], href - http://www.cnn.com/tools/search/cnncom.xml, size - 0

I/GeckoApp(17773): link rel - [search], href - http://www.cnn.com/tools/search/cnncomvideo.xml, size - 0

I/GeckoApp(17773): link rel - [apple-touch-icon], href - http://i.cdn.turner.com/cnn/.e/img/3.0/global/misc/apple-touch-icon.png, size - 0

I/GeckoApp(17773): link rel - [alternate], href - http://rss.cnn.com/rss/cnn_topstories.rss, size - 0

I/GeckoApp(17773): link rel - [alternate], href - http://rss.cnn.com/rss/cnn_latest.rss, size - 0

I/GeckoApp(17773): link rel - [alternate], href - http://edition.cnn.com/, size - 0

I/GeckoApp(17773): link rel - [alternate], href - http://arabic.cnn.com/, size - 0

I/GeckoApp(17773): link rel - [alternate], href - http://mexico.cnn.com/, size - 0

I've included a proof-of-concept Android service that records logs that appear to have URLs, session identifiers, or passwords, and writes this information to the SD card (requires android.permission.READ_LOGS and android.permission.WRITE_EXTERNAL_STORAGE permissions).  Actual malicious software would most likely send this information to a web server.
Flags: sec-bounty?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty?
Group: core-security
Product: Firefox for Android → Firefox for Android Graveyard
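A defender-side illustration, added here and not part of the bug report or of Firefox's own code: a small Python scanner that flags logcat lines whose URLs carry session identifiers or credentials, plus a redaction helper showing what a log call should emit instead. The sensitive-parameter list is an assumption for the example, and the sample lines are constructed by adapting entries from the report above.

```python
import re

# Parameter names that commonly carry credentials or session state.
# This list is an assumption for the example, not something Firefox defines.
SENSITIVE_PARAMS = {"jsessionid", "phpsessid", "sessionid", "sid", "token",
                    "password", "passwd", "pwd", "username", "email"}

# A URL inside a free-form log line, and a name=value parameter inside a URL.
# Parameters are matched after '?', '&' or ';' so that matrix parameters such as
# 'login.page;jsessionid=...' are caught even when nested inside another query value.
URL_RE = re.compile(r"https?://[^\s\"'<>\]]+")
PARAM_RE = re.compile(r'([?&;])(\w+)=([^&;#?\s"]*)')
LOGCAT_RE = re.compile(r"^([VDIWEF])/([^(]+)\((\d+)\):")

def redact_url(url):
    """Mask the value of every sensitive parameter in url, leaving the rest intact."""
    def mask(m):
        sep, name, value = m.groups()
        if name.lower() in SENSITIVE_PARAMS:
            value = "REDACTED"
        return f"{sep}{name}={value}"
    return PARAM_RE.sub(mask, url)

def redact_line(line):
    """Apply redact_url to every URL in a logcat line (what a safe Log call should emit)."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)

def find_leaks(lines):
    """Return (line_no, tag, parameter) for each log line whose URL carries a sensitive parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        hdr = LOGCAT_RE.match(line)
        tag = hdr.group(2) if hdr else "?"
        for url in URL_RE.findall(line):
            for _, name, _ in PARAM_RE.findall(url):
                if name.lower() in SENSITIVE_PARAMS:
                    findings.append((n, tag, name))
    return findings

# Constructed sample logcat lines, adapted from the report (query strings trimmed).
SAMPLE_LOGCAT = [
    "D/GeckoFavicons(17773): Calling getFaviconUrlForPageUrl() for https://profile.ea.com/login.do?authenticationSource=EA-JForums&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&locale=en_US",
    "I/GeckoBrowserApp(17773): Favicon is for current URL = https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB",
    "I/GeckoApp(17773): link rel - [canonical], href - http://www.cnn.com/, size - 0",
]

if __name__ == "__main__":
    for n, tag, name in find_leaks(SAMPLE_LOGCAT):
        print(f"line {n}: tag {tag} logs a URL carrying '{name}'")
    for line in SAMPLE_LOGCAT:
        print(redact_line(line))
```

Run against a captured `adb logcat` dump, the scanner lists which log tags leak session state; the redaction helper is the shape of the fix on the logging side, since a READ_LOGS holder sees whatever string reaches android.util.Log.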