nginx mozilla

by Konark Modi

通过Konark Modi

我发现Mozilla的私人浏览模式存在重大缺陷。 (I found a major flaw in Mozilla’s private browsing mode.)

If left unfixed this flaw could have wreaked havoc but Mozilla’s prompt fixes saved the day.

如果不加以解决，此缺陷可能会造成严重破坏，但Mozilla的及时修复可以节省大量时间。

In this article, I’ll discuss details of a bug I discovered with Mozilla Firefox private browsing mode that made it possible for private browsing sessions to be tracked.

在本文中，我将讨论在Mozilla Firefox私有浏览模式下发现的一个错误的详细信息，该错误使得可以跟踪私有浏览会话。

Private Browsing is one of the most widely known and used features in modern browsers today. Browsers continually add many enhancements to private browsing to enhance the users’ privacy.

私人浏览是当今现代浏览器中最广泛使用的功能之一。 浏览器不断向私人浏览添加许多增强功能，以增强用户的隐私。

The features offered might differ from one browser to another, but at the very least a user using private browsing has the two most basic requirements:

所提供的功能可能因一个浏览器而异，但是至少使用私有浏览的用户具有两个最基本的要求：

1. Websites visited in private cannot save any data

1.私下访问的网站无法保存任何数据

2. Visited pages are not saved

2.访问的页面不保存

Well, I discovered that the Firefox browser Private browsing mode didn’t meet any of the above requirements.

好吧，我发现Firefox浏览器的“私有”浏览模式不满足上述任何要求。

技术细节 (Technical Details)

For a website to track a user across private browsing sessions, it needs to use some persistent storage at the browser level.

为了使网站在私人浏览会话中跟踪用户，它需要在浏览器级别使用一些持久性存储。

There are multiple ways of storing data in a browser - LocalStorage, WebSQL and IndexedDB.

在浏览器中有多种存储数据的方式-LocalStorage ， WebSQL和IndexedDB 。

I recently came across IndexedDB storage.

我最近遇到了IndexedDB存储。

IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs - Mozilla Developer Network

IndexedDB是用于客户端存储大量结构化数据(包括文件/ blob)的低级API - Mozilla开发人员网络

Although, as per the documentation, IndexedDB should not be available in private browsing mode.

虽然，根据文档，IndexedDB在私有浏览模式下不可用。

If you use IndexedDB directly on the webpage, it will throw an error:

如果直接在网页上使用IndexedDB，它将引发错误：

But what happens if you combine IndexedDB with Web Workers?

但是，如果将IndexedDB与Web Workers结合使用会发生什么？

Web Workers makes it possible to run a script operation in background thread separate from the main execution thread of a web application - Mozilla Developer Network

Web Workers使得可以在与 Web应用程序的主执行线程分开的后台线程中运行脚本操作 -Mozilla开发人员网络

问题详细信息：后果 (Issue Details: The Fallout)

IndexedDB can be accessed in private browsing mode via Web Workers. Not only that, but when the browser is closed, the IndexedDB data is not cleared. This stored data will persist across multiple private browsing sessions because it is not cleared when exiting. ?

可以通过Web Workers在私有浏览模式下访问IndexedDB。 不仅如此，而且在关闭浏览器时，不会清除IndexedDB数据。 此存储的数据将在多个私有浏览会话中保留，因为退出时不会清除它。 ？

So let’s look at a few ways this issue could be abused.

因此，让我们看一下可以滥用此问题的几种方法。

网站 (Websites)

A malicious website can leverage IndexedDB and track users across private browsing sessions. For example, say you visited badsite.com, which uses Web Workers and IndexedDB in private browsing mode. Close the private browsing window, close Firefox, start Firefox again, start private browsing mode, and again visit badsite.com. The website will be able to access the data from your previous private browsing session, as the data is still stored in IndexedDB.

恶意网站可能利用IndexedDB并在私人浏览会话中跟踪用户。 例如，假设您访问了badsite.com，该网站在私有浏览模式下使用Web Workers和IndexedDB。 关闭私有浏览窗口，关闭Firefox，再次启动Firefox，启动私有浏览模式，然后再次访问badsite.com。 由于该数据仍存储在IndexedDB中，因此该网站将能够访问您之前的私人浏览会话中的数据。

第三方 (Third-parties)

Let’s assume siteA.com loads an analytics script from BadAnalyticsSite.com. Then another website, siteB.com, also loads an analytics script from the same website BadAnalyticsSite.com. Since the malicious website BadAnalyticsSite.com uses Web Workers and IndexedDB, the website BadAnalyticsSite.com can now track users of websites siteA.com and siteB.com across all their private browsing sessions.

假设siteA.com从BadAnalyticsSite.com加载了分析脚本。 然后，另一个网站siteB.com也从同一网站BadAnalyticsSite.com加载了分析脚本。 由于恶意网站BadAnalyticsSite.com使用Web Workers和IndexedDB，因此BadAnalyticsSite.com网站现在可以在所有私人浏览会话中跟踪网站siteA.com和siteB.com的用户。

磁盘泄漏 (Disk leaks)

IndexedDB adheres to a same-origin policy, which means that every database has a name that identifies it within an origin. Because domain name is used as part of the file name, this can result in serious issues when used in private mode.

IndexedDB遵循同源策略 ，这意味着每个数据库都有一个在源内标识该数据库的名称。 由于域名用作文件名的一部分，因此在专用模式下使用时可能会导致严重的问题。

For example, if a user visits a test webpage (demo) which uses Web Workers + IndexedDB hosted on cdn.cliqz.com, and loads a resource from konarkmodi.github.io, the following two entries are created on disk.

例如，如果用户访问使用cdn.cliqz.com托管的Web Workers + IndexedDB的测试网页 (demo)，并从konarkmodi.github.io加载资源， konarkmodi.github.io在磁盘上创建以下两个条目。

Because of the above flaw, a website/tracker could effectively generate a fingerprint and save it. Even if a user were to clear the website history or select the option “forget about this site,” the IndexDB storage is not removed. This can create a permanent storage for a website or a tracker that can be leveraged forever.

由于上述缺陷，网站/跟踪器可以有效地生成指纹并将其保存。 即使用户要清除网站历史记录或选择“忘记该网站”选项，也不会删除IndexDB存储。 这可以为可以永久利用的网站或跟踪器创建永久存储。

报告和修复 (Report and Fixes)

Mozilla encourages security research for their products. In their own words:

Mozilla鼓励对其产品进行安全性研究。 用他们自己的话说：

The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.

Mozilla客户端安全漏洞赏金计划旨在鼓励Mozilla软件进行安全性研究，并奖励那些帮助我们创建现有最安全的Internet软件的人。

I reported this issue in October 2017 via their Bug Bounty Program, and the issue was fixed in November 2017. They were prompt to identify and fix the issues.

我于2017年10月通过其Bug赏金计划 ( Bug Bounty Program)报告了此问题，并于2017年11月修复了该问题。他们会Swift发现并修复问题。

For more details, you can read the complete bug report at Mozilla’s Bugzilla.

有关更多详细信息，您可以在Mozilla的Bugzilla上阅读完整的错误报告。

I really appreciate Mozilla’s efforts and actions in fixing issues with the highest priority when it comes to the privacy of its users.

我真的很感谢Mozilla在解决用户隐私方面的工作和行动，将其放在了最高优先级。

Happy Hacking!

快乐黑客！

You can follow me on Twitter at Konark Modi

您可以在Konark Modi的 Twitter上关注我

Thanks for reading and sharing ! :)

感谢您的阅读和分享！ :)

If you liked this story, feel free to ??? a few times (Up to 50 times. Seriously).

如果您喜欢这个故事，请随时??? 几次(最多50次。严重)。

Credits: Special thanks to Remi and Pallavi for reviewing this post :)

鸣谢：特别感谢Remi和Pallavi审阅了这篇文章：)

翻译自: https://www.freecodecamp.org/news/breaking-bad-to-make-good-firefox-cve-2017-7843-219034357496/

nginx mozilla