Closed Bug 863332 Opened 11 years ago Closed 11 years ago

Private Browsing will use existing (app)cache during private browsing sessions [VN: JVN#34899401 / TN: JPCERT#93478616]

Categories

(Firefox :: Private Browsing, defect)

Platform: x86
OS: macOS
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 725792

People

(Reporter: abillings, Unassigned)

Details

(Keywords: privacy)

There is a report that Firefox 19 and 20 on XP will re-use the cached information for a site from outside of a private browsing session within a subsequent private browsing session.

The Security Assurance team received the following message from Takayuki Uchiyama of JPCERT/CC:

Subject: VN: JVN#34899401 / TN: JPCERT#93478616
Date: Thu, 18 Apr 2013 16:41:16 +0900 (JST)
From: JPCERT/CC <vuls@jpcert.or.jp>
To: Mozilla Security Team <security@mozilla.org>

Dear Mozilla Security Team,

This is Takayuki Uchiyama of JPCERT/CC
(Japan Computer Emergency Response Team Coordination Center)
Vulnerability Handling Team.

We have received a vulnerability report for one of your products:

  - Firefox application cache usage issue

I have attached the details of the reported vulnerability at the end
of this email.

Please take a look at the report and return to us with information
such as:
 - validation of the products, and whether the reported vulnerability is
   confirmed or not
 - solutions (e.g., patch or module update)
 - workarounds, if any
 - estimated time for creation of fixes
 - preferable date for public release on your site
  *we will also publish an advisory for this issue on our vulnerability
   knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
   synchronizing with your release schedule.

  **Caution**
  We have assigned the tracking number for this vulnerability issue;
    [VN: JVN#34899401 / TN: JPCERT#93478616]
  Please be sure to include these numbers in the subject line for
  future communication with us.  We appreciate your cooperation on this.

If you have any questions and concerns, please do not hesitate to
contact us any time.

Thank you in advance for your attention on this matter.
We are looking forward to hearing from you.

Sincerely yours,

Takayuki Uchiyama
JPCERT/CC Vulnerability Handling Team


----------------------------------------------------------------------
** Report description **
----------------------------------------------------------------------
[Reference Number]
  JVN#34899401

[Title]
  - Firefox application cache usage issue

[Reporter Related Information]
  - Yosuke Hasegawa (NetAgent Co., Ltd.)

[Vulnerability Information]
  - This vulnerability was found by the reporter
  - Product Name: Mozilla Firefox for Windows
    Version: release channel / 18.0.2
    Language: Japanese
    Settings: Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0

    Product Name: Mozilla Firefox for Windows
    Version: beta channel / 19.0
    Language: Japanese
    Settings: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0

  - Description:
     Private browsing function does not use cache appropriately

  - Reproduction Procedure:
     (1) Access a Website that uses HTML5 application cache with the private
         browsing function "off"

     (2) A message asking whether to store resources specified by the
         cache manifest as offline cache will appear. Click the option
         to allow.

     (3) Turn "on" the private browsing function and access the site from
         step (1)

     (4) The offline cache stored from step (2) is used

[Possible Impacts]
  - Offline cache stored when the private browsing function is turned "off"
    is used even after the private browsing function is turned "on". As a
    result, if JavaScript or other code that can identify a user is stored
    as offline cache when the private browsing function is "off", a user
    may be identified even if the private browsing function is "on"

    For example, if a JavaScript file that contains identifiers for each user:
        document.cookie="session=0123456789ABCDEF";
    is saved as offline cache, and when a user visits the same site with the
    private browsing function "on", the site is able to determine the user.
    This is not the intended behavior for the private browsing function.

[Possible Workarounds]
  - Users can manually clear the cache prior to using the private browsing function

[Proof-of-Concept Code]
  - None

[Other Information]
  - None

[Report Validation and Comments from IPA]
  - The vulnerability was verified in the following environment:

    Server (172.16.133.85)
    -------------------------------
    OS:
      Ubuntu 12.04

    Related software:
      Apache 2.2.22 (Ubuntu)

    Settings:
      When accessing http://172.16.133.85/appcache/cache.html
      in order to take in the application cache, place the
      following 4 files in a public directory.
      Refer to the attachment for the contents of each file.
      -----------------
      .htaccess
      cache.html
      cache.js
      sample.appcache
      -----------------

      The contents of cache.js is as follows:
      -----------------
      document.cookie= 'userid=123456789; expires=' + new Date(2014, 1).toUTCString();
      -----------------
    -------------------------------

    Client
    -------------------------------
    OS:
      Windows XP Professional SP3 Japanese

    Target Software:
      Firefox 19.0
      Firefox 20.0 beta

    Settings:
      The target software is with default settings
    -------------------------------

    Reproduction Procedure:

    1. Enable the private browsing function in Firefox

    2. Access the following URL using Firefox:
       -------------------------------------------------------
       http://172.16.133.85/appcache/cache.html
       -------------------------------------------------------

    3. When the following message is displayed, click "Allow"
       cache.js, included in the data to be cached, will be executed
       and the Cookie will be set.
       -------------------------------------------------------
       This website [172.16.133.85] is asking to store data on your computer for offline use.
       -------------------------------------------------------

    4. Verify that the Cookie (userid:123456789) for the site
       172.16.133.85 is saved in Firefox

    5. Disable the Private Browsing function in Firefox.
       The Cookie is deleted at this time.

    6. Cut the PC from the network and put it into Offline status.

    7. Access the following URL using Firefox:
       -------------------------------------------------------
       http://172.16.133.85/appcache/cache.html
       -------------------------------------------------------
       As a result, cache.js saved as part of the "Offline work data"
       saved in step 3 is executed and verify that the Cookie
       (userid:123456789) for the site 172.16.133.85 is set.

       The above reproduction was done using Firefox 19.0 and 20.0 beta.
       As a result, it was verified that both versions were able to track
       users using Cookie regardless of the status (enable/disable) of
       the Private Browsing function.

    Comments:
       The Cookie is set using cache.js, contained in the application
       cache (Offline work data) saved in step 3. However, changing
       the Cookie contents per user (*1) may allow the tracking of
       users (*2).

       *1 For example, change the Cookie contents according to the url
          parameter value or date of access, etc.
       *2 Unless the server updates the cache manifest (sample.appcache)
          Firefox will use the cached file cache.js

       Note that when Steps 1 & 5 were shuffled, the "Offline work data"
       was not used.

       In Firefox, the First-party Cookie for the same site is used as follows.
       However, when leveraging this issue, a Cookie using application cache can
       track users regardless of the status (enable/disable) of the Private
       Browsing function. We believe that this is not intended behavior of the
       handling of Cookies by the Private Browsing function.
       -----------------------------------------------------------
       Cookie set when PB is off => Cookie destroyed when PB is turned on =>
       Cookie is restored when PB is turned on

       Cookie set when PB is on => Cookie destroyed when PB is turned off =>
       Cookie is NOT restored when PB is turned on

       * PB = Private Browsing Function
       -----------------------------------------------------------

[Comments from JPCERT/CC]
  - None
----------------------------------------------------------------------
======================================================================
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602  EMAIL: vuls@jpcert.or.jp
PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29  63 89 52 D4 F8 8D 50 FC
https://www.jpcert.or.jp/english    http://jvn.jp/en/    http://jvn.jp
I believe this is a common confusion between the (local) Private Browsing we implemented and the (network) Anonymous Browsing people want it to be. CC'ing Sid to get his take on the report.
Summary: Private Browsing will use existing cache during private browsing sessions → Private Browsing will use existing (app)cache during private browsing sessions
I think there are two separate issues being reported here.

Based on the title of this bug, the behavior is intended.  Caches from public mode can be used while in private mode.  Private browsing only attempts to prevent traces of "what I did while in private mode" from bleeding over into other users' sessions on the same device.  It's not a guest mode (but maybe it should be).

The second situation is what may be problematic.  If things cached during PB use are kept after the user exits PB, then future users of Firefox can tell I went to that site.  The report suggests this is the case near the bottom in "reproduction procedure".  We might consider, while in PB mode, keeping appcache entries only in memory and purging those when exiting PB mode.
This bug is just about appcache not respecting PB mode.  It's a dupe of bug 725792, and is not security sensitive at all.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security
Keywords: privacy
Summary: Private Browsing will use existing (app)cache during private browsing sessions → Private Browsing will use existing (app)cache during private browsing sessions [VN: JVN#34899401 / TN: JPCERT#93478616]