Published: 2023/11/29

I found a major flaw in Mozilla’s private browsing mode.

by Konark Modi

If left unfixed, this flaw could have wreaked havoc, but Mozilla’s prompt fixes saved the day.

In this article, I’ll discuss details of a bug I discovered with Mozilla Firefox private browsing mode that made it possible for private browsing sessions to be tracked.

Private Browsing is one of the most widely known and used features in modern browsers today. Browsers continually add many enhancements to private browsing to enhance the users’ privacy.

The features offered differ from one browser to another, but at the very least a user of private browsing has two basic requirements:

1. Websites visited in private cannot save any data

2. Visited pages are not saved

Well, I discovered that the Firefox browser’s private browsing mode didn’t meet either of the above requirements.

Technical Details

For a website to track a user across private browsing sessions, it needs to use some persistent storage at the browser level.

There are multiple ways of storing data in a browser: LocalStorage, WebSQL and IndexedDB.

I recently came across IndexedDB storage.

IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs - Mozilla Developer Network

However, according to the documentation, IndexedDB should not be available in private browsing mode.

If you use IndexedDB directly on the webpage, it throws an error.

But what happens if you combine IndexedDB with Web Workers?

Web Workers make it possible to run a script operation in a background thread separate from the main execution thread of a web application - Mozilla Developer Network

Issue Details: The Fallout

IndexedDB can be accessed in private browsing mode via Web Workers. Not only that, but when the browser is closed, the IndexedDB data is not cleared. Because it is not cleared on exit, this stored data persists across multiple private browsing sessions.

So let’s look at a few ways this issue could be abused.

Websites

A malicious website can leverage IndexedDB and track users across private browsing sessions. For example, say you visited badsite.com, which uses Web Workers and IndexedDB in private browsing mode. Close the private browsing window, close Firefox, start Firefox again, start private browsing mode, and again visit badsite.com. The website will be able to access the data from your previous private browsing session, as the data is still stored in IndexedDB.

Third-parties

Let’s assume siteA.com loads an analytics script from BadAnalyticsSite.com. Then another website, siteB.com, also loads an analytics script from the same website BadAnalyticsSite.com. Since the malicious website BadAnalyticsSite.com uses Web Workers and IndexedDB, the website BadAnalyticsSite.com can now track users of websites siteA.com and siteB.com across all their private browsing sessions.

Disk leaks

IndexedDB adheres to a same-origin policy, which means that every database has a name that identifies it within an origin. Because the domain name is used as part of the file name on disk, this causes serious issues when used in private mode.

For example, if a user visits a test webpage (demo) that uses Web Workers and IndexedDB, hosted on cdn.cliqz.com, and that loads a resource from konarkmodi.github.io, the following two entries are created on disk.

Because of the above flaw, a website or tracker could effectively generate a fingerprint and save it. Even if a user were to clear the website history or select the option “forget about this site,” the IndexedDB storage is not removed. This gives a website or tracker permanent storage that can be leveraged forever.
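
One way to check the on-disk side of the leak described above, as an added example that is not part of the original post: a shell audit of a Firefox profile's storage directory that lists every origin still holding IndexedDB database files, which is what a defender would look for after a private session. The `storage/default/<origin>/idb/*.sqlite` layout and the `+++`/`+` encoding of the origin in the directory name are assumptions about Firefox's profile format, and the sample profile the script builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a Firefox profile for
# origins that still hold IndexedDB data on disk, which is what a leak like
# the one described above would leave behind after a private session.
# Assumed layout: <profile>/storage/default/<origin>/idb/<name>.sqlite,
# where <origin> encodes "://" as "+++" and a port separator ":" as "+".

# Print "origin count" for every origin directory that contains at least
# one IndexedDB database file.
audit_idb_origins() {
    base="$1/storage/default"
    [ -d "$base" ] || { echo "no storage directory under $1" >&2; return 1; }
    for origin_dir in "$base"/*; do
        [ -d "$origin_dir/idb" ] || continue
        count=$(find "$origin_dir/idb" -type f -name '*.sqlite' | wc -l | tr -d ' ')
        [ "$count" -gt 0 ] || continue
        # Decode the directory name back into a readable origin.
        origin=$(basename "$origin_dir" | sed 's/+++/:\/\//; s/+/:/g')
        echo "$origin $count"
    done
}

# Build a constructed sample profile so the audit can be run offline:
# two origins with leftover IndexedDB files and one origin without.
make_sample_profile() {
    dir=$(mktemp -d)
    for origin in https+++cdn.cliqz.com https+++konarkmodi.github.io; do
        mkdir -p "$dir/storage/default/$origin/idb"
        : > "$dir/storage/default/$origin/idb/0000-sample.sqlite"
    done
    mkdir -p "$dir/storage/default/https+++example.org"
    echo "$dir"
}

# Real usage: audit_idb_origins "$HOME/.mozilla/firefox/<profile>"
# Demonstration on the constructed profile:
sample=$(make_sample_profile)
audit_idb_origins "$sample"
rm -rf "$sample"
```

On a real profile, run the audit after closing a private window and restarting the browser: any origin it lists has storage that survived the session.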

Report and Fixes

Mozilla encourages security research for their products. In their own words:

The Mozilla Client Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet software in existence.

I reported this issue in October 2017 via their Bug Bounty Program, and the issue was fixed in November 2017. They were prompt to identify and fix the issues.

For more details, you can read the complete bug report at Mozilla’s Bugzilla.

I really appreciate Mozilla’s efforts and actions in fixing issues with the highest priority when it comes to the privacy of its users.

Happy Hacking!

You can follow me on Twitter at Konark Modi

Thanks for reading and sharing ! :)

Credits: Special thanks to Remi and Pallavi for reviewing this post :)

Translated from: https://www.freecodecamp.org/news/breaking-bad-to-make-good-firefox-cve-2017-7843-219034357496/
