Closed
Bug 825695
Opened 12 years ago
Closed 12 years ago
Firefox for Android logs URLs via the android.util.Log class in multiple locations
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 825685
People
(Reporter: abillings, Unassigned)
Details
Attachments (1 file)
1.52 KB, application/octet-stream
Neil Bergman (nbergman@cigital.com) reported the following:

The Firefox Browser for Android logs URLs via the android.util.Log class in multiple locations. Therefore, any malicious application (malware or advertising libraries) on the mobile device with the android.permission.READ_LOGS could record this information. URLs themselves are interesting since they reveal the browsing history of the user, but URLs could also contain sensitive request parameters such as usernames, email addresses, session identifiers, or passwords that could lead to account compromise depending on how the web application is written and deployed.

The following are example logs acquired using logcat that show that Firefox logs URLs in a number of different locations.

D/GeckoFavicons(17773): Creating LoadFaviconTask with URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US and favicon URL = null
D/GeckoFavicons(17773): Calling loadFavicon() with URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US and favicon URL = null (1)
D/GeckoFavicons(17773): Calling getFaviconUrlForPageUrl() for https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US
D/GeckoFavicons(17773): Downloading favicon for URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US with favicon URL = https://profile.ea.com/favicon.ico
D/GeckoFavicons(17773): LoadFaviconTask finished for URL = https://profile.ea.com/login.do?authenticationSource=EA-JForums&surl=http://forum.ea.com/eaforum/categories/list.page&remoteurl=http://forum.ea.com/eaforum/gusUser/login.page;jsessionid=C4EEDEE9DB467855370652ECEECFABEC&selectprofile=true&locale=en_US (1)
I/GeckoBrowserApp(17773): Favicon successfully loaded for URL = https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB
I/GeckoBrowserApp(17773): Favicon is for current URL = https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB
E/GeckoConsole(17773): [JavaScript Warning: "Error in parsing value for 'background'. Declaration dropped." {file: "https://mobile.walmart.com/m/pharmacy;jsessionid=83CB330691854B071CD172D41DC2C3AB?wicket:bookmarkablePage=:com.wm.mobile.web.rx.privacy.PrivacyPractices" line: 0}]
I/GeckoApp(17773): link rel - [canonical], href - http://www.cnn.com/, size - 0
I/GeckoApp(17773): link rel - [shortcut] [icon], href - http://www.cnn.com/favicon.ie9.ico, size - 0
I/GeckoApp(17773): link rel - [search], href - http://www.cnn.com/tools/search/cnncom.xml, size - 0
I/GeckoApp(17773): link rel - [search], href - http://www.cnn.com/tools/search/cnncomvideo.xml, size - 0
I/GeckoApp(17773): link rel - [apple-touch-icon], href - http://i.cdn.turner.com/cnn/.e/img/3.0/global/misc/apple-touch-icon.png, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://rss.cnn.com/rss/cnn_topstories.rss, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://rss.cnn.com/rss/cnn_latest.rss, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://edition.cnn.com/, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://arabic.cnn.com/, size - 0
I/GeckoApp(17773): link rel - [alternate], href - http://mexico.cnn.com/, size - 0

I've included a proof-of-concept Android service that records logs that appear to have URLs, session identifiers, or passwords, and writes this information to the SD card (requires android.permission.READ_LOGS and android.permission.WRITE_EXTERNAL_STORAGE permissions). Actual malicious software would most likely send this information to a web server.
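An added example, not part of the report or of Firefox's code, showing the defender's side of the issue above: an audit helper that scans a logcat capture for logged URLs carrying credential or session parameters (the ;jsessionid path-parameter form seen in the report included), and a redaction helper that reduces a URL to scheme, host and path before it reaches android.util.Log. The log lines, hosts and session values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed logcat lines modelled on the report; hosts and ids are made up.
SAMPLE_LOGCAT = """\
D/GeckoFavicons(17773): Calling loadFavicon() with URL = https://example.test/login.do?user=alice&password=hunter2 and favicon URL = null
I/GeckoBrowserApp(17773): Favicon is for current URL = https://shop.example.test/m/pharmacy;jsessionid=DEADBEEF0123456789ABCDEF01234567
I/GeckoApp(17773): link rel - [canonical], href - http://news.example.test/, size - 0
"""

URL_RE = re.compile(r"https?://[^\s\"']+")
# Parameter names that commonly carry credentials or session state (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid",
                  "jsessionid", "phpsessid", "auth", "user", "username", "email"}

def sensitive_params(url):
    """Return sorted sensitive parameter names found in a URL's query or ;path params."""
    parts = urlsplit(url)
    found = set()
    # Servlet-style path parameters (;jsessionid=...) live in the path, not the query.
    for segment in parts.path.split(";")[1:]:
        name = segment.split("=", 1)[0].lower()
        if name in SENSITIVE_KEYS:
            found.add(name)
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_KEYS:
            found.add(name.lower())
    return sorted(found)

def audit_logcat(text):
    """Return (tag, url, keys) for every logged URL that carries sensitive parameters."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"[VDIWEF]/(\w+)\(\d+\):", line)
        tag = m.group(1) if m else "?"
        for url in URL_RE.findall(line):
            keys = sensitive_params(url)
            if keys:
                findings.append((tag, url, keys))
    return findings

def redact_url(url):
    """Keep scheme, host and path only: the most a debug log line should carry."""
    parts = urlsplit(url)
    path = parts.path.split(";", 1)[0]   # drop ;jsessionid=... style path params
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))
```

Run audit_logcat over a real `adb logcat -d` dump to find the same class of leak in another app; redact_url is what the logging call sites should apply before emitting a URL.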
Comment 1•12 years ago
Updated•12 years ago
Flags: sec-bounty?
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago
Flags: sec-bounty?
Updated•9 years ago
Group: core-security
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard