I found a major flaw in Mozilla’s private browsing mode.
Published: 2019-05-11


by Konark Modi



If left unfixed this flaw could have wreaked havoc but Mozilla’s prompt fixes saved the day.


In this article, I’ll discuss details of a bug I discovered with Mozilla Firefox private browsing mode that made it possible for private browsing sessions to be tracked.


Private browsing is one of the most widely known and used features in modern browsers. Browsers continually add enhancements to private browsing to strengthen users’ privacy.


The features offered might differ from one browser to another, but at the very least a user using private browsing has the two most basic requirements:


1. Websites visited in private cannot save any data


2. Visited pages are not saved


Well, I discovered that the Firefox browser’s private browsing mode didn’t meet either of the above requirements.


Technical Details

For a website to track a user across private browsing sessions, it needs to use some persistent storage at the browser level.


There are multiple ways of storing data in a browser.


I recently came across IndexedDB storage.


IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs - Mozilla Developer Network


As per the documentation, though, IndexedDB should not be available in private browsing mode.


If you use IndexedDB directly on the webpage, it throws an error.


But what happens if you combine IndexedDB with Web Workers?


Web Workers make it possible to run a script operation in a background thread separate from the main execution thread of a web application - Mozilla Developer Network


Issue Details: The Fallout

IndexedDB can be accessed in private browsing mode via Web Workers. Not only that, but when the browser is closed, the IndexedDB data is not cleared. Because nothing removes it on exit, this stored data persists across multiple private browsing sessions.

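The behaviour described above is easy to check for yourself. The following is an added example, not code from the original post: a self-check that asks the same question from two places, the page’s main thread and a Web Worker ("can this context open an IndexedDB database?"), and compares the answers. In a private window that behaves as documented both answers are "blocked"; the bug described here produced "blocked" on the main thread but "available" inside the worker. The database name is a constructed value, and the probe deletes the database again as soon as it opens, so it leaves nothing behind.

```javascript
// Added example, not code from the original post: compare IndexedDB
// availability on the main thread with availability inside a Web Worker.

const PROBE_DB = "private-mode-idb-probe"; // constructed name, not from the post

// Pure helper with no browser APIs, so it can be unit-tested outside a browser.
function classifyProbe({ mainThread, worker }) {
  if (mainThread === worker) {
    return `consistent: IndexedDB ${mainThread} in both contexts`;
  }
  if (mainThread === "blocked" && worker === "available") {
    return "inconsistent: worker can open IndexedDB although the page cannot";
  }
  return `inconsistent: main thread ${mainThread}, worker ${worker}`;
}

// Try to open a database in the given global scope and resolve to
// "available", "blocked" (the open request failed, which is what the post
// describes for private mode) or "unsupported" (no indexedDB object at all).
// Written as a plain function of (scope, dbName) so that its source text can
// be shipped into a worker unchanged.
function probeScope(scope, dbName) {
  return new Promise((resolve) => {
    if (!scope.indexedDB) { resolve("unsupported"); return; }
    let request;
    try {
      request = scope.indexedDB.open(dbName, 1);
    } catch (err) {
      resolve("blocked"); // some builds throw synchronously instead of firing onerror
      return;
    }
    request.onerror = (ev) => { ev.preventDefault(); resolve("blocked"); };
    request.onsuccess = () => {
      request.result.close();
      scope.indexedDB.deleteDatabase(dbName); // leave nothing behind
      resolve("available");
    };
  });
}

// Run the same probe inside a Web Worker built from a Blob URL, so no
// separate worker file is needed. The worker posts its verdict back.
function probeWorker() {
  return new Promise((resolve) => {
    const source =
      `(${probeScope.toString()})(self, ${JSON.stringify(PROBE_DB)})` +
      `.then((verdict) => postMessage(verdict));`;
    const url = URL.createObjectURL(new Blob([source], { type: "text/javascript" }));
    const worker = new Worker(url);
    const finish = (verdict) => {
      worker.terminate();
      URL.revokeObjectURL(url);
      resolve(verdict);
    };
    worker.onmessage = (ev) => finish(ev.data);
    worker.onerror = () => finish("blocked"); // worker could not even start the probe
  });
}

// Probe both contexts and return the comparison.
async function runPrivacyProbe() {
  const [mainThread, worker] = await Promise.all([
    probeScope(globalThis, PROBE_DB),
    probeWorker(),
  ]);
  return { mainThread, worker, verdict: classifyProbe({ mainThread, worker }) };
}

// Usage from a browser console: runPrivacyProbe().then(console.log)
// Auto-run only where the browser APIs exist, so the file also loads elsewhere.
if (typeof document !== "undefined" && typeof Worker !== "undefined") {
  runPrivacyProbe().then((result) => console.log(result));
}
```

Running it in a normal window and a private window of the same browser, and comparing the two verdicts, is the quickest way to see whether a private mode treats workers and the page consistently; any "inconsistent" verdict is worth a bug report.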

So let’s look at a few ways this issue could be abused.


Websites

A malicious website can leverage IndexedDB and track users across private browsing sessions. For example, say you visited badsite.com, which uses Web Workers and IndexedDB in private browsing mode. Close the private browsing window, close Firefox, start Firefox again, start private browsing mode, and again visit badsite.com. The website will be able to access the data from your previous private browsing session, as the data is still stored in IndexedDB.


Third-parties

Let’s assume siteA.com loads an analytics script from BadAnalyticsSite.com. Then another website, siteB.com, also loads an analytics script from the same website BadAnalyticsSite.com. Since the malicious website BadAnalyticsSite.com uses Web Workers and IndexedDB, the website BadAnalyticsSite.com can now track users of websites siteA.com and siteB.com across all their private browsing sessions.


Disk leaks

Every IndexedDB database has a name that identifies it within an origin. Because the domain name is used as part of the file name on disk, this can result in serious issues when used in private mode.


For example, if a user visits a demo page which uses Web Workers + IndexedDB hosted on cdn.cliqz.com, and that page loads a resource from konarkmodi.github.io, two entries (one per domain) are created on disk.


Because of the above flaw, a website or tracker could effectively generate a fingerprint and save it. Even if a user were to clear the website history or select the option “forget about this site,” the IndexedDB storage is not removed. This creates permanent storage for a website or tracker that can be leveraged indefinitely.


Report and Fixes

Mozilla encourages security research for their products. In their own words:


The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.

I reported this issue in October 2017 via their bug bounty program, and the issue was fixed in November 2017. They were prompt in identifying and fixing the issue.


For more details, you can read the complete bug report.


I really appreciate Mozilla’s efforts and actions in fixing issues with the highest priority when it comes to the privacy of its users.


Happy Hacking!



Thanks for reading and sharing! :)


Credits: Special thanks to and for reviewing this post :)



Reposted from: http://bdgwd.baihongyu.com/
