
Breaking bad to make good: Firefox CVE-2017-7843

Konark Modi, originally published at Medium · 3 min read

Private Browsing Mode (PBM) is one of the most widely known and used features of not just Firefox but any major browser. Browsers keep adding features to PBM to enhance users' privacy.

The features offered might differ from one browser to another, but at the very least a user of PBM in any browser has two basic expectations:

  1. Websites visited in private cannot save any data, and

  2. Visited pages are not saved.

Well, Firefox's private browsing mode was not meeting either of the above expectations.

Technical Details:

For a website to track a user across private-browsing sessions, it needs to use some persisted storage at the browser level.

There are multiple ways of storing data in a browser: LocalStorage, WebSQL and IndexedDB.

I recently came across IndexedDB storage, which according to the documentation should not be available in PBM.

If you use IndexedDB directly from the web page, it throws an error.

But what happens if you combine IndexedDB with Web Workers?
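One way to observe the answer for a given browser is a small probe, added here as an example and not part of the original post or its PoC. Opened in a private window, it spawns a Web Worker that tries to open an IndexedDB database and reports the outcome; a browser with the fix the post describes (Firefox 57.0.1 and later) should report "blocked", while "allowed" means a worker can reach IndexedDB in that window. The database name `pbm-probe` is a constructed throwaway value that the worker deletes again; `classify` is kept pure so the verdict logic can be exercised outside a browser.

```javascript
// Added example (not from the original post): does a Web Worker get IndexedDB
// in this window? Run in a private window and read the verdict in the console.
const PROBE_DB = 'pbm-probe'; // constructed throwaway name, deleted after the check

// Worker body as source text, loaded from a Blob URL so the check is one file.
// It posts exactly one message back: { ok: boolean, error?: string }.
const WORKER_SOURCE = `
  self.onmessage = () => {
    const done = (msg) => self.postMessage(msg);
    try {
      const req = indexedDB.open(${JSON.stringify(PROBE_DB)}, 1);
      req.onupgradeneeded = () => req.result.createObjectStore('kv');
      req.onsuccess = () => {
        req.result.close();
        indexedDB.deleteDatabase(${JSON.stringify(PROBE_DB)}); // leave nothing behind
        done({ ok: true });
      };
      req.onerror = () => done({ ok: false, error: req.error ? req.error.name : 'unknown' });
    } catch (e) {
      // open() may also throw synchronously when storage is unavailable
      done({ ok: false, error: e.name });
    }
  };
`;

// Turn the worker's message into a verdict string (pure, testable under Node).
function classify(result) {
  if (!result || typeof result.ok !== 'boolean') return 'unknown';
  if (result.ok) return 'allowed';
  return `blocked (${result.error || 'unknown'})`;
}

// Spawn the worker and resolve with the verdict. Browser-only.
function probeWorkerIndexedDB(timeoutMs = 5000) {
  return new Promise((resolve) => {
    const url = URL.createObjectURL(new Blob([WORKER_SOURCE], { type: 'text/javascript' }));
    const worker = new Worker(url);
    const finish = (verdict) => { worker.terminate(); URL.revokeObjectURL(url); resolve(verdict); };
    const timer = setTimeout(() => finish('unknown (timeout)'), timeoutMs);
    worker.onmessage = (ev) => { clearTimeout(timer); finish(classify(ev.data)); };
    worker.onerror = (ev) => { clearTimeout(timer); finish(`blocked (${ev.message})`); };
    worker.postMessage('go');
  });
}

// In a browser, run the probe and log the verdict; under Node this is skipped.
if (typeof document !== 'undefined' && typeof Worker !== 'undefined') {
  probeWorkerIndexedDB().then((v) => console.log('IndexedDB from worker in this window:', v));
}
```

"Allowed" on its own only shows that the worker can reach IndexedDB; whether what it writes survives the session is the second half of the finding, and that part is answered on disk, not in the page.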

Fallout:

IndexedDB can be accessed in PBM via Web Workers. Worse, it is not cleaned up at browser shutdown, so the stored data persists across multiple private browsing sessions because it is never cleared on exit.

  1. Websites: As a website, you can leverage IndexedDB to track users across PBM sessions. So if you visit A.com (which uses Web Workers + IndexedDB) in private browsing, close the private browsing window, close Firefox, start Firefox, start private browsing again and visit A.com, then A.com will still be able to access the data previously stored in IndexedDB.

  2. Third parties: Let's assume A.com loads an analytics script from t.com, and B.com also loads t.com. Since t.com uses Web Workers + IndexedDB, t.com can now track users across all their PBM sessions and across the domains A.com, B.com and so on.

  3. Disk leaks: IndexedDB adheres to the same-origin policy, which means every database has a name that identifies it within an origin. Because the domain name is used as part of the file name on disk, this has serious consequences when used in private mode.

As an example: on visiting a test web page hosted on cdn.cliqz.com which uses a Web Worker + IndexedDB and loads a resource from konarkmodi.github.io, the following two entries are created on disk.

Location of IndexedDB: profile/storage (under the Firefox profile directory) lists the PoC web pages.

Because of the above flaw, a website or tracker could effectively generate a fingerprint and save it. Even on the "clear history" signal or the option "forget about this site", this storage is not removed. That creates a permanent storage for a website or tracker that can be leveraged forever.

Report & Fixes:

Mozilla encourages security research for their products. In their own words:

“The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.”

I reported this issue in October 2017 via their Bug Bounty program. They were prompt to identify and fix the issues. This was fixed in November 2017 with Firefox 57.0.1.

For more details you can read the complete bug report at Mozilla’s Bugzilla.

I really appreciate Mozilla’s efforts and actions in fixing issues with highest priority when it comes to users’ privacy.

Happy Hacking!

- Konark Modi

Thanks for reading and sharing! :)

Credits: Special thanks to Remi and Pallavi for reviewing this post :)
