Opened 12 months ago
Last modified 5 months ago
#32287 needs_information defect
bookmark save a screenshoot for bookmarked page?
| Reported by: | rexkzhfbhgyc | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-9.0-issues |
| Cc: | Actual Points: | ||
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
I think this is a dangerous thing because it expose my page screenshot as exactly what I seen.
TBB version:9.0 (based on Mozilla Firefox 68.2.0esr) (32-bit)
Platform:Linux
Child Tickets
Attachments (1)
Change History (9)
comment:1 Changed 12 months ago by
Changed 12 months ago by
| Attachment: | bookmarking.png added |
|---|
I don't see this (temp? memeory only?) thumb being stored anywhere in the profile, although places-sqlite-wal grew massively after the fact
comment:2 Changed 12 months ago by
| Keywords: | tbb-9.0-issues added |
|---|
We should figure out whether that's an actual issue in Tor Browser. Maybe the screenshot is just shown when the page is bookmarked?
comment:3 Changed 12 months ago by
Did a quick dig: the bookmarking confirmation/cancel panel with favicon+screenshot landed in FF62. Here's the screenshot ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1460248
comment:4 Changed 12 months ago by
| Status: | new → needs_information |
|---|
I'm not sure this is a bug (or that we should fix it). Bookmarks are already tagged with the date they were last modified. We can go down the rabbit-hole of scrubbing all timestamps associated with bookmarks and any other information that may indicate when the bookmark was created/updated - but that is a much larger issue.
comment:5 Changed 12 months ago by
I don't think the concern is metadata: it's the actual content of the thumbnail may reveal something unintentional (e.g your user name on the site: e.g if I bookmarked this page, it says "logged in as Thorin"). If the thumbnail in the confirmation/cancel dialog is memory only, then I think we're good.
comment:6 Changed 11 months ago by
Relevant ticket
- https://bugzilla.mozilla.org/show_bug.cgi?id=755996 (scroll down to the end to get issues since Activity Stream)
I *think* these thumbnails are stored for use in Activity Stream, even if AS is disabled. Upstream are issues about PII being exposed (banking info, user names, passwords in plain text, and even a camera bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1310626#c6 )
comment:7 Changed 5 months ago by
| Keywords: | tbb-9.5-issues added; tbb-9.0-issues removed |
|---|
Batch move remaining tbb-9.0-issues -> 9.5-issues
comment:8 Changed 5 months ago by
| Keywords: | tbb-9.0-issues added; tbb-9.5-issues removed |
|---|
I'm can't post one screenshot for security reason.
I found out one similar(maybe same) question:https://support.mozilla.org/en-US/questions/1232360
But the solution just focus on hide such screenshot in UI rather than avoid leak such screenshot to disk(if any).