
Firefox takes screenshots of your HTTPS data - Mozilla says thats ok - laurencei
https://bugzilla.mozilla.org/show_bug.cgi?id=755996
======
laurencei
OP here. I noticed that Firefox took a screenshot of my google 2-factor
authentication barcode.

This barcode was stored on my hard drive unencrypted as a simple image. Whilst
the image quality is 'poor' - it _is_ good enough for my iPhone 5 to 'read'
the barcode and get the token!

I bug reported it to Mozilla - but they dont seem to think its much of an
issue.

you can see my specific comment + screenshot here:
<https://bugzilla.mozilla.org/show_bug.cgi?id=755996#c13>

p.s. the barcode image is for a throw-a-away account I made to show the issue
- obviously its not my real account :)

~~~
nephyrin
> This barcode was stored on my hard drive unencrypted as a simple image

You mean like the HTTP cache?

Maybe I'm reading this bug wrong, but it appears to be a verified bug with
csec-disclosure and sec-low security ratings. Not finding this to be as
critical as you is hardly "saying its okay" (it's not)

~~~
laurencei
Yes - except this is HTTPS cache - and takes screenshots of your HTTPS data.

Its silly because they turned off viewing the HTTPS websites on the 'newtabs'
and replaced it with grey screens - yet they _still_ take the screenshot.

The sec-low status was given because they mention the low res screenshots are
not enough to get anything useful - but I've just proven that not true.

Besides - how many people do you think would know/expect their HTTPS
screenshots to be captured and stored on the drive? Accessed a bank site
lately, visited a secure Government website etc etc

~~~
nephyrin
> Yes - except this is HTTPS cache - and takes screenshots of your HTTPS data.

HTTPS is also cached by every major browser, meaning the image in question
would be in your cache just as well as the screenshot containing it.

> Its silly because they turned off viewing the HTTPS websites on the
> 'newtabs' and replaced it with grey screens - yet they still take the
> screenshot.

If this is true you should file a bug for it. Bug 754608 / Bug 627239 / Bug
822867 suggests that this is not the case, and that capturing them was
disabled entirely. In fact, those three bugs suggest that this bug is only
open because a better replacement for grey-squares is needed?

> The sec-low status was given because they mention the low res screenshots
> are not enough to get anything useful - but I've just proven that not true.

This does not seem to match what I see on the thread. The bug was filed by a
mozilla developer and the consensus seems to be that it is definitely an
issue:

c0 - Mozillian files the bug

c4 - Mozillian mentioning they think screenshots of any size could be
sensitive -- the opposite of "not enough to get anything useful" -- but also
that it's not something that can be reasonably fixed.

c5 - Mozillian acknowledging its a problem and suggesting its difficult to
properly fix

c8 - Mozillian noting this is an even bigger issue on OS X

c9 - Mozillian noting that the whole concept might need rethinking

c11 - Mozilla security manager assigns security classification to bug

~~~
laurencei
> If this is true you should file a bug for it

I did bug report exactly this issue - and they closed it:
<https://bugzilla.mozilla.org/show_bug.cgi?id=838646>

~~~
nephyrin
They marked it as a duplicate of the given bug, and a mozilla security manager
politely explained why:

> The "documentation"(?) was maybe an announcement about the changes in bug
> 754608, which made the thumbnails follow the caching rules for https. Https
> pages can indeed be cached depending on whether or not they're marked "no-
> store". bug 755996 (and you, in this bug) says that's not good enough which
> may be true, but is already covered in bug 755996.

... Which seems to be a fair explanation of the situation. HTTPS pages that
_are cached_ can still cache their thumbnails. I'm still not seeing the
outrage-worthy malfeasance here.

------
olegp
How many of you actually use the browsers' new tab page thumbnail links as
intended? I recently built <https://starthq.com> as a new tab replacement
service, but very few of the users seem to use it as such.

------
aroberge
Interesting to see how this item has quickly disappeared from the front page
of HN, having more points attributed to it than others (on different topics)
that are higher up and were submitted much earlier.

~~~
Dylan16807
If <http://news.ycombinator.com/item?id=5182057> is right and it only has
thumbnails of pages that are _in the cache_ then the post deserves to be
flagged and die.

