Security/Reviews/Firefox/PushToDevice
From MozillaWiki
Items to be reviewed: Sync Push to Device: https://wiki.mozilla.org/Services/Sync/Push_to_device
Agenda:
Introduce Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- also known as send tab to device
- runs on top of sync
- can send a uri with associated tab state from one of your synced devices to another one
- form data, session cookies, & location in page (scroll position)
- session cookies for the given tab host URI
- tab sent to specific device, when target device connects it pulls down the sent information
- data lives on sync server
- data is deleted on db outage or after TTL
- potentially deleted after target device pulls down the record
What solutions/approaches were considered other than the proposed solution?
- full sync, but it does not take all the data points that this feature wants to push
Why was this solution chosen?
- desire to send a given tab/page to a mobile device without the need for a full sync
Any security threats already considered in the design and why?
- the feature leaks timing data: a site could observe when a pushed tab is opened on the target device and so determine which device is being used
- it is not known for sure whether this is possible, but it could be
- on the sync server one can already see which devices are actively syncing, but not the data itself
- this feature is more specific, because a pushed record names a particular target device
Threat Brainstorming
- is the data pushed automatically or does the user accept
- right now it's automatic
- this could result in a stolen device having access to the site (this threat already exists in the current sync model)
- if a device is lost, an attacker holding it may push their own session to the victim's other devices
- interaction with private browsing
- push tab from session in private browsing to device not in private browsing?
- has not been addressed
- suggest disabling feature in private browsing (copy behavior of full sync)
- "The observer handler takes care of creating the new tab from the decoded record data. Currently, this is implemented as a function call into Sync." - is this a new or an existing Sync function that decodes the record data?
- a new function, implemented in JS; in Fennec this will almost certainly be in Java
- because a larger set of data (session cookies) is sent, a site could fingerprint the devices a user is using
Conclusions / Action Items
- Disable feature in Private Browsing mode
- Add pref to disable upload of session cookies
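The record flow described above (URI, form data, scroll position and host-scoped session cookies pushed to a named target device with a TTL) together with the two action items, as an added illustration; this is not Sync's own code. The pref name, the record shape, the TTL value and the tab/cookie field names are assumptions made for the example.

```javascript
// Added example, not Sync's or Fennec's own implementation. Models a
// push-to-device record with the mitigations from the action items:
// no push from a private-browsing tab, and session-cookie upload gated
// behind a pref. The receiving side checks target device and TTL.
const PREF_UPLOAD_SESSION_COOKIES =
  "services.sync.pushToDevice.uploadSessionCookies"; // assumed pref name
const DEFAULT_TTL_SECONDS = 7 * 24 * 3600; // assumed TTL, one week

// Sender side: build the record that would be uploaded to the sync server.
function buildPushRecord(tab, targetDeviceId, prefs, now = Date.now()) {
  // Action item 1: disable the feature in private browsing (same as full sync).
  if (tab.isPrivate) {
    throw new Error("push to device is disabled for private browsing tabs");
  }
  const record = {
    target: targetDeviceId, // record is addressed to one specific device
    uri: tab.uri,
    title: tab.title,
    scroll: { x: tab.scrollX, y: tab.scrollY },
    formData: tab.formData,
    created: now,
    ttl: DEFAULT_TTL_SECONDS,
  };
  // Action item 2: only upload session cookies when the pref allows it,
  // and only those for the tab's host (no expiry => session cookie).
  if (prefs[PREF_UPLOAD_SESSION_COOKIES] === true) {
    const host = new URL(tab.uri).hostname;
    record.cookies = tab.cookies.filter(c => c.host === host && c.isSession);
  }
  return record;
}

// Receiver side: accept a record only if it is addressed to this device
// and has not outlived its TTL; otherwise ignore it.
function acceptPushRecord(record, myDeviceId, now = Date.now()) {
  if (record.target !== myDeviceId) return null;
  if (now > record.created + record.ttl * 1000) return null; // expired
  return {
    uri: record.uri,
    scroll: record.scroll,
    formData: record.formData,
    cookies: record.cookies || [],
  };
}

// Constructed sample tab (not real data) with a host-scoped session cookie,
// a persistent cookie and a cookie for another host.
const SAMPLE_TAB = {
  uri: "https://example.com/article?page=2",
  title: "Example article",
  scrollX: 0,
  scrollY: 1200,
  isPrivate: false,
  formData: { search: "push to device" },
  cookies: [
    { host: "example.com", name: "sid", value: "abc123", isSession: true },
    { host: "example.com", name: "prefs", value: "dark", isSession: false },
    { host: "other.example", name: "tok", value: "zzz", isSession: true },
  ],
};

// Demonstration helper returning what each check yields.
function demo() {
  const t0 = 1700000000000; // fixed timestamp for reproducibility
  const noCookies = buildPushRecord(SAMPLE_TAB, "device-2",
    { [PREF_UPLOAD_SESSION_COOKIES]: false }, t0);
  const withCookies = buildPushRecord(SAMPLE_TAB, "device-2",
    { [PREF_UPLOAD_SESSION_COOKIES]: true }, t0);
  let privateRejected = false;
  try {
    buildPushRecord({ ...SAMPLE_TAB, isPrivate: true }, "device-2", {}, t0);
  } catch (e) {
    privateRejected = true;
  }
  return {
    noCookies,
    withCookies,
    privateRejected,
    accepted: acceptPushRecord(withCookies, "device-2", t0 + 60 * 1000),
    wrongDevice: acceptPushRecord(withCookies, "device-3", t0 + 60 * 1000),
    expired: acceptPushRecord(withCookies, "device-2",
      t0 + (DEFAULT_TTL_SECONDS + 1) * 1000),
  };
}
```

With the pref off the record carries no cookies at all, and with it on only the single session cookie for `example.com` is included; a record addressed to another device or past its TTL is dropped by the receiver, which mirrors the server-side TTL deletion noted above.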