Opened 8 months ago
Last modified 3 days ago
#32287 needs_information defect
bookmark save a screenshoot for bookmarked page?
| Reported by: | rexkzhfbhgyc | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-9.0-issues |
| Cc: | Actual Points: | ||
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
I think this is a dangerous thing because it expose my page screenshot as exactly what I seen.
TBB version:9.0 (based on Mozilla Firefox 68.2.0esr) (32-bit)
Platform:Linux
Child Tickets
Attachments (1)
Change History (9)
comment:1 Changed 7 months ago by
Changed 7 months ago by
| Attachment: | bookmarking.png added |
|---|
I don't see this (temp? memeory only?) thumb being stored anywhere in the profile, although places-sqlite-wal grew massively after the fact
comment:2 Changed 7 months ago by
| Keywords: | tbb-9.0-issues added |
|---|
We should figure out whether that's an actual issue in Tor Browser. Maybe the screenshot is just shown when the page is bookmarked?
comment:3 Changed 7 months ago by
Did a quick dig: the bookmarking confirmation/cancel panel with favicon+screenshot landed in FF62. Here's the screenshot ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1460248
comment:4 Changed 7 months ago by
| Status: | new → needs_information |
|---|
I'm not sure this is a bug (or that we should fix it). Bookmarks are already tagged with the date they were last modified. We can go down the rabbit-hole of scrubbing all timestamps associated with bookmarks and any other information that may indicate when the bookmark was created/updated - but that is a much larger issue.
comment:5 Changed 7 months ago by
I don't think the concern is metadata: it's the actual content of the thumbnail may reveal something unintentional (e.g your user name on the site: e.g if I bookmarked this page, it says "logged in as Thorin"). If the thumbnail in the confirmation/cancel dialog is memory only, then I think we're good.
comment:6 Changed 6 months ago by
Relevant ticket
- https://bugzilla.mozilla.org/show_bug.cgi?id=755996 (scroll down to the end to get issues since Activity Stream)
I *think* these thumbnails are stored for use in Activity Stream, even if AS is disabled. Upstream are issues about PII being exposed (banking info, user names, passwords in plain text, and even a camera bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1310626#c6 )
comment:7 Changed 6 days ago by
| Keywords: | tbb-9.5-issues added; tbb-9.0-issues removed |
|---|
Batch move remaining tbb-9.0-issues -> 9.5-issues
comment:8 Changed 3 days ago by
| Keywords: | tbb-9.0-issues added; tbb-9.5-issues removed |
|---|
I'm can't post one screenshot for security reason.
I found out one similar(maybe same) question:https://support.mozilla.org/en-US/questions/1232360
But the solution just focus on hide such screenshot in UI rather than avoid leak such screenshot to disk(if any).