Opened 13 months ago

Last modified 11 months ago

#27904 new defect

Tor Browser for Android does not protect master password screen with FLAG_SECURE

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile
Cc: sysrqb, igt0 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

This issue got reported to us by nightwatch-cybersecurity at our HackerOne bug bounty program and subsequently filed at Mozilla's bug tracker (https://bugzilla.mozilla.org/show_bug.cgi?id=1491627).

Child Tickets

Change History (2)

comment:1 Changed 13 months ago by sysrqb

Keywords: tba-a3 added

Hrm. Interesting. We need to enforce setting FLAG_SECURE within more parts of the app. We enable it in the browser context (https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/base/java/org/mozilla/gecko/GeckoApp.java?h=tor-browser-60.2.1esr-8.5-1#n1077) but we don't set it anywhere else (such as when we switch to the preferences menu). We should enable this for every Activity.

Ideally, I'd like a pref where the user can toggle it (similar to Signal) - upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1314776
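One way to do what comment:1 proposes, enforcing FLAG_SECURE on every Activity from a single place and gating it on a user-toggleable preference, as an added example that is not Tor Browser's or upstream Fennec's code; the class name, preference file name and preference key are assumptions for illustration.

```java
// Added example (not Tor Browser's code): apply FLAG_SECURE to every Activity
// via Application.ActivityLifecycleCallbacks, gated by a user-toggled preference.
import android.app.Activity;
import android.app.Application;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.view.WindowManager;

public class SecureFlagApplication extends Application {  // assumed class name
    // Assumed preference key; defaults to enabled so a missing pref fails closed.
    static final String PREF_SCREEN_SECURITY = "privacy.screen_security";
    static final String PREF_FILE = "app_prefs";  // assumed preference file name

    @Override
    public void onCreate() {
        super.onCreate();
        // Registering here covers every Activity in the process, including the
        // preferences screen and the master password dialog's host Activity,
        // without each Activity having to remember to set the flag itself.
        registerActivityLifecycleCallbacks(new ActivityLifecycleCallbacks() {
            @Override
            public void onActivityCreated(Activity activity, Bundle savedInstanceState) {
                applySecureFlag(activity);
            }
            // Re-apply on resume so a toggle made in Settings takes effect when
            // the user returns to an Activity that was already created.
            @Override
            public void onActivityResumed(Activity activity) {
                applySecureFlag(activity);
            }
            @Override public void onActivityStarted(Activity activity) {}
            @Override public void onActivityPaused(Activity activity) {}
            @Override public void onActivityStopped(Activity activity) {}
            @Override public void onActivitySaveInstanceState(Activity activity, Bundle outState) {}
            @Override public void onActivityDestroyed(Activity activity) {}
        });
    }

    static void applySecureFlag(Activity activity) {
        SharedPreferences prefs = activity.getSharedPreferences(PREF_FILE, MODE_PRIVATE);
        boolean enabled = prefs.getBoolean(PREF_SCREEN_SECURITY, true);
        int flag = WindowManager.LayoutParams.FLAG_SECURE;
        if (enabled) {
            // Window content is excluded from screenshots, screen recording and
            // the recent-apps thumbnail while the flag is set.
            activity.getWindow().setFlags(flag, flag);
        } else {
            activity.getWindow().clearFlags(flag);
        }
    }
}
```

The class must be registered as the `android:name` of the `<application>` element in AndroidManifest.xml for the callbacks to be installed.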

comment:2 Changed 11 months ago by gk

Keywords: tba-a3 removed