by Konark Modi
I found a major flaw in Mozilla’s private browsing mode.
If left unfixed, this flaw could have wreaked havoc, but Mozilla’s prompt fixes saved the day.
In this article, I’ll discuss the details of a bug I discovered in Mozilla Firefox’s private browsing mode that made it possible for private browsing sessions to be tracked.
Private Browsing is one of the most widely known and used features in modern browsers today. Browsers continually add enhancements to private browsing to strengthen users’ privacy.
The features offered might differ from one browser to another, but at the very least a user of private browsing has two basic requirements:
1. Websites visited in private mode cannot save any data
2. Visited pages are not saved
Well, I discovered that Firefox’s private browsing mode didn’t meet either of the above requirements.
Technical Details
For a website to track a user across private browsing sessions, it needs to use some persistent storage at the browser level.
There are multiple ways of storing data in a browser - LocalStorage, WebSQL and IndexedDB.
I recently came across IndexedDB storage.
IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs - Mozilla Developer Network
However, as per the documentation, IndexedDB should not be available in private browsing mode.
If you use IndexedDB directly on the webpage, it throws an error.
But what happens if you combine IndexedDB with Web Workers?
Web Workers makes it possible to run a script operation in a background thread separate from the main execution thread of a web application - Mozilla Developer Network
Issue Details: The Fallout
IndexedDB can be accessed in private browsing mode via Web Workers. Not only that, but when the browser is closed, the IndexedDB data is not cleared. Because it is not cleared on exit, this stored data persists across multiple private browsing sessions.
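The behaviour described above can be verified in a browser console with the following self-check, which opens IndexedDB from the page and from a Web Worker and compares the two verdicts. This is an added example, not code from the original post; the function and database names are the example’s own.

```javascript
// Added example (not from the original post): a privacy self-check that probes
// IndexedDB from the page and from a Web Worker. In a properly isolated private
// session both are blocked; "page blocked, worker available" is exactly the
// bypass the article describes. All names here are the example's own.
const PROBE_DB = 'idb-privacy-probe'; // constructed name, deleted after the probe

// Resolve to 'available' if a database can be opened in `scope` (a window or a
// worker global), otherwise to 'blocked'.
function probeIndexedDb(scope) {
  return new Promise((resolve) => {
    const idb = scope && scope.indexedDB;
    if (!idb) return resolve('blocked'); // API not exposed at all
    let req;
    try {
      req = idb.open(PROBE_DB, 1);
    } catch (e) {
      return resolve('blocked'); // some engines throw synchronously
    }
    req.onerror = () => resolve('blocked'); // e.g. InvalidStateError in private mode
    req.onsuccess = () => {
      req.result.close();
      idb.deleteDatabase(PROBE_DB); // leave nothing behind on disk
      resolve('available');
    };
  });
}

// Run the identical probe inside a Blob-backed worker and collect its verdict.
function runWorkerProbe(scope) {
  return new Promise((resolve) => {
    if (!scope || typeof scope.Worker !== 'function') return resolve('no-workers');
    const src = `const PROBE_DB = ${JSON.stringify(PROBE_DB)};\n` +
      `${probeIndexedDb.toString()}\n` +
      'probeIndexedDb(self).then((r) => postMessage(r));';
    const url = URL.createObjectURL(new Blob([src], { type: 'text/javascript' }));
    const worker = new scope.Worker(url);
    worker.onmessage = (ev) => { worker.terminate(); resolve(ev.data); };
    worker.onerror = () => { worker.terminate(); resolve('error'); };
  });
}

// Turn the two verdicts into a finding a tester can act on.
function classify(pageResult, workerResult) {
  if (pageResult === 'blocked' && workerResult === 'available') {
    return 'LEAK: worker can reach IndexedDB although the page cannot';
  }
  if (pageResult === 'available') return 'storage enabled: not an isolated private session';
  if (workerResult === 'blocked') return 'isolated: IndexedDB blocked in page and worker';
  return 'inconclusive: worker probe returned ' + workerResult;
}
```

In a browser, run `Promise.all([probeIndexedDb(self), runWorkerProbe(self)]).then(([p, w]) => console.log(classify(p, w)))` in a private window; a patched Firefox reports the isolated verdict.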
So let’s look at a few ways this issue could be abused.
Websites
A malicious website can leverage IndexedDB and track users across private browsing sessions. For example, say you visited badsite.com, which uses Web Workers and IndexedDB in private browsing mode. Close the private browsing window, close Firefox, start Firefox again, start private browsing mode, and again visit badsite.com. The website will be able to access the data from your previous private browsing session, as the data is still stored in IndexedDB.
Third-parties
Let’s assume siteA.com loads an analytics script from BadAnalyticsSite.com. Then another website, siteB.com, also loads an analytics script from the same website BadAnalyticsSite.com. Since the malicious website BadAnalyticsSite.com uses Web Workers and IndexedDB, the website BadAnalyticsSite.com can now track users of websites siteA.com and siteB.com across all their private browsing sessions.
Disk leaks
IndexedDB adheres to a same-origin policy, which means that every database has a name that identifies it within an origin. Because the domain name is used as part of the file name, this can result in serious issues when used in private mode.
For example, if a user visits a test webpage (demo) which uses Web Workers + IndexedDB hosted on cdn.cliqz.com, and loads a resource from konarkmodi.github.io, the following two entries are created on disk.
Because of the above flaw, a website/tracker could effectively generate a fingerprint and save it. Even if a user were to clear the website history or select the option “forget about this site,” the IndexedDB storage is not removed. This creates permanent storage for a website or a tracker that can be leveraged indefinitely.
Report and Fixes
Mozilla encourages security research for their products. In their own words:
The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.
I reported this issue in October 2017 via their Bug Bounty Program, and the issue was fixed in November 2017. They were prompt in identifying and fixing the issues.
For more details, you can read the complete bug report at Mozilla’s Bugzilla.
I really appreciate Mozilla’s efforts and actions in fixing issues with the highest priority when it comes to the privacy of its users.
Happy Hacking!
You can follow me on Twitter at Konark Modi
Thanks for reading and sharing! :)
If you liked this story, feel free to ??? a few times (Up to 50 times. Seriously).
Credits: Special thanks to Remi and Pallavi for reviewing this post :)
Translated from: https://www.freecodecamp.org/news/breaking-bad-to-make-good-firefox-cve-2017-7843-219034357496/