about:telemetry Design Security Review

Overview

about:telemetry lists all of the telemetry data that is uploaded to the server. This includes ping metadata, probes and their descriptions.

Architecture

This feature is entirely self contained within Firefox. It shows information uploaded to the server but does not directly interact it.

It does not use any 3rd party components.

Data Flow Enumeration

Telemetry data is uploaded from the browser to a Mozilla service, but thats outside of the scope of this development.

This development just displays information about the data that has been uploaded and allows the user opt in and out of telemetry data collection.

Threat Analysis

This is a small well constrained development which has a very small attack surface area.

It does not accept any text which could be used be used for XSS attack vectors.

Links

• http://blog.mozilla.org/tglek/2011/05/13/firefox-telemetry/
• https://bugzilla.mozilla.org/show_bug.cgi?id=769055 - sec review
• https://bugzilla.mozilla.org/show_bug.cgi?id=661881 - dev
• https://addons.mozilla.org/en-US/firefox/addon/abouttelemetry/ - original add-on