If left unfixed this flaw could have wreaked havoc but Mozilla’s prompt fixes saved the day.

In this article, I’ll discuss details of a bug I discovered with Firefox private mode that made it possible for private browsing sessions to be tracked.

Private browsing is one of the most widely known and used features in modern browsers today. Browsers continually add enhancements to private browsing to enhance the users’ privacy.

The features offered might differ from one browser to another, but at the very least a user using private browsing has the two most basic requirements:

1. Websites visited in private cannot save any data
2. Visited pages are not saved

Well, I discovered that the Firefox browser’s private browsing mode didn’t meet any of the above requirements.

For a website to track a user across private browsing sessions, it needs to use some persistent storage at the browser level. There are multiple ways of storing data in a browser: LocalStorage, WebSQL, and IndexedDB.

I recently came across IndexedDB storage.

“IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs” — Mozilla Developer Network

As per the documentation, though, IndexedDB should not be available in private browsing mode. If you use IndexedDB directly on the webpage, it will throw an error.

But what happens if you combine IndexedDB with Web Workers?

“Web Workers makes it possible to run a script operation in a background thread separate from the main execution thread of a web application” — Mozilla Developer Network

IndexedDB can be accessed in private browsing mode via Web Workers. Not only that, but when the browser is closed, the IndexedDB data is not cleared. This stored data will persist across multiple private browsing sessions because it is not cleared when exiting. 😮

So let’s look at a few ways this issue could be abused.
A malicious website can leverage IndexedDB and track users across private browsing sessions. For example, say you visited badsite.com, which uses Web Workers and IndexedDB in private browsing mode. Close the private browsing window, close Firefox, start Firefox again, start private browsing mode, and again visit badsite.com. The website will be able to access the data from your previous private browsing session, as the data is still stored in IndexedDB.

Let’s assume siteA.com loads an analytics script from BadAnalyticsSite.com. Then another website, siteB.com, also loads an analytics script from the same website, BadAnalyticsSite.com. Since the malicious website BadAnalyticsSite.com uses Web Workers and IndexedDB, the website BadAnalyticsSite.com can now track users of websites siteA.com and siteB.com across all their private browsing sessions.

IndexedDB adheres to a same-origin policy, which means that every database has a name that identifies it within an origin. Because the domain name is used as part of the file name, this can result in serious issues when used in private mode.

For example, if a user visits a test webpage (demo) which uses Web Workers + IndexedDB hosted on cdn.cliqz.com, and loads a resource from konarkmodi.github.io, the following two entries are created on disk.

Location of IndexedDB: `profile/storage` lists PoC web pages.

Because of the above flaw, a website/tracker could effectively generate a fingerprint and save it. Even if a user were to clear the website history or select the option “forget about this site,” the IndexedDB storage is not removed. This can create a permanent storage for a website or a tracker that can be leveraged forever.

Mozilla encourages security research for their products. In their own words:

“The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.”
I reported this issue in October 2017 via their Bug Bounty Program, and the issue was fixed in November 2017. They were prompt to identify and fix the issues.

For more details, you can read the complete bug report at Mozilla’s Bugzilla.

I really appreciate Mozilla’s efforts and actions in fixing issues with the highest priority when it comes to the privacy of its users.

Happy Hacking!

You can follow me on Twitter at Konark Modi.

Credits: Special thanks to Remi and Pallavi for reviewing this post :)

Originally published at medium.freecodecamp.org on April 22, 2018.