TST information disclosure vulnerability #2288

Closed
nollinvoyd opened this issue May 24, 2019 · 7 comments
@nollinvoyd

Tree Style Tab 3.0.13, Windows 10 Pro, Firefox 67

I've updated TST and Multiple Tab Handler.

I'd appreciate a more complete explanation of what we might or should be concerned about. Your message on the addon page about the issue was confusing.

@piroor
Owner

piroor commented May 24, 2019

Summary

Both old TST (3.0.13 and older) and MTH (3.0.6 and older) violated the security model of the WebExtensions API. They unintentionally disclosed some sensitive tab data to other addons via their API even if the caller doesn't have permissions.

If you installed any "attacker" addon, they could read such data and use them with their own permissions. Currently there is no information about the existence of such "attacker" addons yet.

Range of possibly leaked data

Both of those addons provide an API for other addons to collaborate. On their APIs, tabs.Tab objects may be returned for requests or notified with events. In principle only safe data are disclosed via the WebExtensions API, and addons require special permissions to access some sensitive data. Here is the list of such information, and they are the list of possibly leaked data to "attacker" addons:

  • title, url, and favIconUrl of tabs.Tab objects (in principle tabs or activeTab permission is required) (at TST 3.0.11 and older)
    • Especially, some web services may put session IDs or privacy data in the URL.
  • effectiveFavIconUrl added by Tree Style Tab (at TST 3.0.12-3.0.13)
  • cookieStoreId of tabs.Tab objects (in principle cookies permission is required) (at TST 3.0.11 and older)
    • It does not look critical, but the fact that you are using the "container" feature was disclosed.
  • tabs.Tab objects from private windows (you need to allow to access them for each addon on Firefox 67 and later) (at TST 3.0.11 and older)

Firefox sometimes shows a security alert, for example a list of required permissions when an addon is going to be installed, and a confirmation the first time a tab is hidden by an addon.

On the other hand, TST and MTH didn't implement such alerts, so that information might be leaked to "attacker" addons silently.

Why the incident happened

I wrote a blog post looking at reasons why the vulnerability was introduced.

Status of provision

Please update to TST 3.0.14 and MTH 3.0.7 (and newer versions). They don't disclose them silently in API responses anymore.

@piroor
Owner

piroor commented May 24, 2019

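Summary

Old versions of TST (3.0.13 and earlier) and MTH (3.0.6 and earlier) behaved in a way that violated the security model of the WebExtensions API. In these versions, tab information that may relate to personal data was exposed, through the API for other addons, to addons that should not have had permission to obtain it.

If you had installed an "attacker" addon, that data may have been read and used with that addon's own permissions. At present, the existence of any such "attacker" addon has not been confirmed.

Range of data that may have been leaked

These addons provide an API for cooperating with other addons, and on that API tabs.Tab objects are returned through responses to requests, notifications for events, and so on. In principle, the WebExtensions API exposes only safe information, and special permissions are required to access information that may relate to personal data. The following is the list of such information, and the list of information that may have been leaked to "attacker" addons in this incident:

  • title, url, and favIconUrl of tabs.Tab objects (normally the tabs or activeTab permission is required to obtain them) (TST 3.0.11 and earlier)
    • Some web services may include session IDs or other private information in the URL.
  • effectiveFavIconUrl added by TST (TST 3.0.12 to 3.0.13)
  • cookieStoreId of tabs.Tab objects (normally the cookies permission is required to obtain it) (TST 3.0.11 and earlier)
    • This is not critical information in itself, but it makes it possible to detect the fact that you are using "containers" in Firefox.
  • tabs.Tab objects from private windows (on Firefox 67 and later, this is normally information that only addons explicitly allowed by the user can obtain) (TST 3.0.11 and earlier)

Firefox itself sometimes shows security warnings about addons. Specifically, it shows the list of requested permissions at installation, and it shows a warning and asks for confirmation when a tab is about to be hidden for the first time.

In contrast, TST and MTH had no such warning mechanism, so the information may have been passed to "attacker" addons with no warning at all.

Cause of this incident

A detailed examination of how it happened is written up in a blog post.

Status of the response

Please update to TST 3.0.14 and MTH 3.0.7 or later. In these versions, the information described above is not passed to other addons without warning.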

@piroor piroor pinned this issue May 24, 2019
@nollinvoyd
Author

nollinvoyd commented May 24, 2019

So this is a hypothetical based on the possible existence/creation of yet unknown "attacker" addons?

So this is a little over my head technically. When you say a tab is hidden, please explain. Is this the type of thing that is only relevant to private window security?

@piroor piroor changed the title Tree Style Tab data breach Tree Style Tab data disclosure May 24, 2019
@piroor
Owner

piroor commented May 24, 2019

So this is a hypothetical based on the possible existence/creation of yet unknown "attacker" addons?

Yes. I have not received any report about such an attacker addon yet.

Is this the type of thing that is only relevant to private window security?

Not only on private windows.

  • Tabs in non-private (regular) windows
    • Expected (and current) behavior: only safe information is disclosed to other addons.
    • Actual behavior on old versions: full information was disclosed even if the attacker addon had no tabs, activeTab, or cookies permission.
  • Tabs in private windows:
    • Expected (and current) behavior: tabs are completely inaccessible from other addons which are not allowed to access private windows. And, even if it is allowed, only safe information is disclosed to other addons.
    • Actual behavior on old versions: full information was disclosed even if the attacker addon had no tabs, activeTab, or special permission for private windows.
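
The expected behavior listed above, sketched as a filter an API provider could apply before handing tabs.Tab objects to another addon. This is an added example, not Tree Style Tab's own code; the per-caller record, the function names, and the way effectiveFavIconUrl and activeTab are treated are assumptions.

```javascript
// Added illustration only; not Tree Style Tab's code. All names are hypothetical.
// Fields the thread lists as sensitive, grouped by the permission that gates them.
// Assumption: effectiveFavIconUrl (TST's own addition) is gated like favIconUrl.
const GATED_FIELDS = {
  tabs: ['title', 'url', 'favIconUrl', 'effectiveFavIconUrl'],
  cookies: ['cookieStoreId'],
};

// `caller` is a hypothetical record the API provider keeps per calling addon:
//   { permissions: string[], allowedInPrivateWindows: boolean }
function sanitizeTabForCaller(tab, caller) {
  // Private-window tabs are invisible unless the user allowed the caller there.
  if (tab.incognito && !caller.allowedInPrivateWindows) return null;

  const granted = new Set(caller.permissions);
  // Assumption: activeTab only ever covers the currently active tab.
  const mayReadTabData =
    granted.has('tabs') || (granted.has('activeTab') && tab.active === true);

  const exported = { ...tab }; // copy, so the provider's own object keeps all fields
  if (!mayReadTabData) for (const f of GATED_FIELDS.tabs) delete exported[f];
  if (!granted.has('cookies')) for (const f of GATED_FIELDS.cookies) delete exported[f];
  return exported;
}

// Applies the filter to a whole API response, dropping tabs the caller may not see.
function exportTabs(tabs, caller) {
  return tabs.map(t => sanitizeTabForCaller(t, caller)).filter(t => t !== null);
}

// Constructed sample data.
const sampleTabs = [
  { id: 1, active: true, incognito: false, title: 'Mail',
    url: 'https://mail.example/?sid=abc', favIconUrl: 'https://mail.example/f.ico',
    cookieStoreId: 'firefox-container-1' },
  { id: 2, active: false, incognito: true, title: 'Private',
    url: 'https://bank.example/', favIconUrl: '', cookieStoreId: 'firefox-private' },
];
const noPermissions = { permissions: [], allowedInPrivateWindows: false };
const tabsAndPrivate = { permissions: ['tabs'], allowedInPrivateWindows: true };

console.log(exportTabs(sampleTabs, noPermissions));
console.log(exportTabs(sampleTabs, tabsAndPrivate));
```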

@piroor
Owner

piroor commented May 25, 2019

I think I need to research all existing known public WebExtensions addons registered on signed by Mozilla at least, to make actual damage on regular usecase clear. But I don't know how to do that...

@piroor piroor changed the title Tree Style Tab data disclosure TST information disclosure vulnerability May 28, 2019
@piroor piroor added the fixed label May 28, 2019
@irvinm
Contributor

irvinm commented Jun 3, 2019

@nollinvoyd is this sufficient? If so, can you close this item?

@nollinvoyd
Author

I see that you addressed the data disclosure problem issue in the latest version. I am not qualified to analyze the changes, but if you are satisfied with the current state of TST, so am I. Thanks

@piroor piroor unpinned this issue Nov 2, 2019