Security/Reviews/Firefox/PushToDevice

From MozillaWiki

Items to be reviewed: Sync Push to Device: https://wiki.mozilla.org/Services/Sync/Push_to_device

Agenda:

Introduce Feature

Goal of feature: what it is trying to achieve (problem solved, use cases, etc.)

  • also known as send tab to device
    • runs on top of sync
  • can send a URI with associated tab state from one of your synced devices to another one
    • form data, session cookies, & location in page (scroll position)
      • session cookies for the given tab host URI
  • tab sent to specific device, when target device connects it pulls down the sent information
    • data lives on sync server
      • data is deleted on db outage or after TTL
      • potentially deleted after target device pulls down the record

What solutions/approaches were considered other than the proposed solution?

  • full sync, but it does not take all the data points that this feature wants to push

Why was this solution chosen?

  • desire to send a given tab/page to a mobile device without the need for a full sync

Any security threats already considered in the design and why?

  • the feature may leak timing data, which could let the site determine which device is being used
    • it is not known for sure whether this is possible, but it could be
  • on the sync server one can see which devices are actively syncing, but not the data itself
    • this feature is more specific, since each record targets a particular device

Threat Brainstorming

  • is the data pushed automatically or does the user accept
    • right now it's automatic
    • a stolen device could then have access to the site (this threat already exists in the current sync model)
      • an attacker may push their session to victim device if a device is lost
  • interaction with private browsing
    • push tab from session in private browsing to device not in private browsing?
    • has not been addressed
    • suggest disabling feature in private browsing (copy behavior of full sync)
  • "The observer handler takes care of creating the new tab from the decoded record data. Currently, this is implemented as a function call into Sync." - is this a new or existing function in Sync that decodes the record data?
    • a new function, implemented in JS; in Fennec this will almost certainly be in Java
  • because a larger set of data is sent (session cookies), a site could fingerprint the devices a user is using

Conclusions / Action Items

  • Disable feature in Private Browsing mode
  • Add pref to disable upload of session cookies
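The two action items above, expressed as an added JavaScript example that is not Firefox Sync's own code: a push-to-device record builder that refuses to push from a private-browsing tab, honours a pref that disables upload of session cookies, and keeps only session cookies scoped to the tab's host URI, plus a receiver-side TTL check mirroring the server-side expiry. The pref name, the tab and cookie object shapes, the TTL value and the sample data are all constructed assumptions for illustration.

```javascript
// Added example, not Firefox Sync code. Models the push-to-device record
// builder with the two review action items applied. Pref name, tab shape,
// cookie shape and TTL are assumptions made for this illustration.

// Hypothetical pref gating session-cookie upload (assumption).
const PREF_UPLOAD_SESSION_COOKIES = "services.sync.pushToDevice.uploadSessionCookies";

// Assumed record lifetime; the review only says records expire after a TTL.
const RECORD_TTL_SECONDS = 7 * 24 * 3600;

// Minimal stand-in for the browser preference service (assumption).
const prefs = new Map([[PREF_UPLOAD_SESSION_COOKIES, true]]);

function getBoolPref(name, fallback) {
  return prefs.has(name) ? prefs.get(name) : fallback;
}

// A cookie domain "example.com" or ".example.com" matches the tab host
// "www.example.com"; an unrelated host does not.
function hostMatches(cookieHost, tabHost) {
  const d = cookieHost.replace(/^\./, "");
  return tabHost === d || tabHost.endsWith("." + d);
}

// Keep only session cookies (no persistent expiry) scoped to the tab's host,
// so cookies for other sites never leave the device.
function cookiesForTabHost(cookies, host) {
  return cookies.filter(c => c.session === true && hostMatches(c.host, host));
}

// Build the record that would be uploaded for a specific target device.
// Returns null when the tab is in private browsing (action item 1).
function buildPushRecord(tab, cookies, targetDeviceId, now = Date.now()) {
  if (tab.isPrivate) {
    return null;
  }
  const host = new URL(tab.uri).hostname;
  const record = {
    target: targetDeviceId,
    uri: tab.uri,
    formData: tab.formData,
    scrollPosition: tab.scrollPosition,
    sessionCookies: [],
    ttl: RECORD_TTL_SECONDS,
    created: now,
  };
  // Action item 2: only include session cookies when the pref allows it.
  if (getBoolPref(PREF_UPLOAD_SESSION_COOKIES, true)) {
    record.sessionCookies = cookiesForTabHost(cookies, host);
  }
  return record;
}

// Receiving side: treat a record past its TTL as expired even if the server
// has not deleted it yet, so stale session state is not applied.
function isRecordExpired(record, now = Date.now()) {
  return now - record.created > record.ttl * 1000;
}

// Constructed sample data.
const sampleCookies = [
  { name: "sid",   host: ".example.com",    session: true },   // kept
  { name: "theme", host: "example.com",     session: false },  // persistent, dropped
  { name: "track", host: "ads.example.net", session: true },   // other host, dropped
];
const sampleTab = {
  uri: "https://www.example.com/inbox?folder=1",
  formData: { q: "hello" },
  scrollPosition: 420,
  isPrivate: false,
};

const demoRecord = buildPushRecord(sampleTab, sampleCookies, "device-b");
console.log(JSON.stringify(demoRecord, null, 2));
```

With the pref left at its default the record carries only the `sid` cookie for `example.com`; flipping the pref to `false` yields a record with an empty `sessionCookies` array, and a private-browsing tab produces no record at all.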