Generation of HTTPS thumbs

RESOLVED DUPLICATE of bug 755996

Status

Firefox
Tabbed Browser
5 years ago
3 years ago

People

(Reporter: theshiftexchange, Unassigned)

Tracking

18 Branch
x86_64
Windows 7
Points:
---
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 710745 [details]
6ca8746c1b91b784ed63658648a9bfaf.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344

Steps to reproduce:

I've found that "newtab" thumbnails are generating screenshots of HTTPS websites, despite all the documentation stating that should not occur.

I am using the latest Firefox 18.0.2 version on Windows 7.


Actual results:

If you visit a secure HTTPS page, it is taking constant pictures of HTTPS data. Whilst the data is then NOT used in the newtabs screen - it is stored on my hard drive! This data is stored in the user firefox/profiles/xxxx.default/thumbnails folder.

I found that I could view a Google 2-Factor barcode - and the quality was high enough that my iPhone 5 would recognise the barcode from the 'screenshot' cached image!

I have attached a copy of this screenshot.

p.s. the 2-factor image + account is a 'throwaway' account - so there is no risk with you using this image to test on your iPhone or Android.


Expected results:

Obviously it should not take screenshots of HTTPS pages. Whilst the image is never used on the 'newtabs' page - the storage on the hard drive is dangerous and not needed.
Flags: sec-bounty?
Flags: needinfo?(ttaubert)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Component: Untriaged → Tabbed Browser
Resolution: --- → DUPLICATE
Duplicate of bug: 755996
The "documentation"(?) was maybe an announcement about the changes in bug 754608, which made the thumbnails follow the caching rules for HTTPS. HTTPS pages can indeed be cached depending on whether or not they're marked "no-store". Bug 755996 (and you, in this bug) says that's not good enough, which may be true, but is already covered in bug 755996.
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(ttaubert)
(Reporter)

Comment 3

5 years ago
"The "documentation"(?) was maybe an announcement about the changes in bug 754608, which made the thumbnails follow the caching rules for https."

Well the "documentation" is VERY poorly worded then: http://support.mozilla.org/en-US/kb/thumbnails-on-new-tab-page-are-missing


"Why are the thumbnails not displayed?
Firefox stores the website thumbnails it displays on the New Tab page in temporary files on your computer. Some websites (such as HTTPS sites) don't allow files to be cached so they don't have a thumbnail. This ensures that no sensitive information is displayed when you are logged out. Also, clearing your browsing history (manually or automatically when Firefox closes) will delete thumbnails."

Specifically this sentence: "Some websites (such as HTTPS sites) don't allow files to be cached so they don't have a thumbnail" - yet they DO have a thumbnail - you just don't SHOW the thumbnail - it is two VERY different things.

I'm aware that the site might still be cached - but simply showing a 'grey' screen and pretending the data is not there is NOT the same as the data not being there!
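
The rule described in the reply about bug 754608 (an HTTPS page is thumbnailed unless its response is marked "no-store") can be checked against a site's own response headers. The following is an added example, not code from Firefox or from this bug; the URLs and headers are constructed, and treating plain HTTP pages as always eligible is an assumption.

```javascript
// Added example: models the rule stated in the thread, not Firefox's code.

// Collect lowercase directive names from Cache-Control values.
// Arguments are dropped, and commas inside quoted strings are not
// treated as separators, so a quoted "no-store" is not miscounted.
function cacheDirectives(headerValues) {
  const names = new Set();
  for (const value of headerValues) {
    let token = "", inQuotes = false;
    for (const ch of value + ",") {
      if (ch === '"') inQuotes = !inQuotes;
      if (ch === "," && !inQuotes) {
        const name = token.split("=")[0].trim().toLowerCase();
        if (name) names.add(name);
        token = "";
      } else {
        token += ch;
      }
    }
  }
  return names;
}

// True when, under the thread's rule, a thumbnail of this response
// could be written to the profile's thumbnails folder.
function thumbnailMayBeStored(url, headers) {
  if (new URL(url).protocol !== "https:") return true; // assumption
  const values = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "cache-control")
    .flatMap(([, v]) => (Array.isArray(v) ? v : [v]));
  return !cacheDirectives(values).has("no-store");
}

// Constructed sample responses (hypothetical site and paths).
const samples = [
  { url: "https://accounts.example/2fa/setup", headers: { "Cache-Control": "private, max-age=0" } },
  { url: "https://accounts.example/2fa/setup", headers: { "cache-control": "no-cache, No-Store" } },
  { url: "https://accounts.example/profile", headers: { "Cache-Control": 'x-note="no-store, later"' } },
  { url: "https://accounts.example/home", headers: {} },
];

// Pages an operator should review: sensitive content served without no-store.
function audit(list) {
  return list.filter((s) => thumbnailMayBeStored(s.url, s.headers)).map((s) => s.url);
}

console.log(audit(samples));
```

Only the second sample is excluded: "private" and "no-cache" alone do not mark a response "no-store", and a "no-store" that appears only inside a quoted argument is not a directive.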