Opened 12 months ago

Last modified 5 months ago

#32287 needs_information defect

Bookmark saves a screenshot for bookmarked page?

Reported by: rexkzhfbhgyc
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-9.0-issues
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I think this is a dangerous thing because it exposes a screenshot of my page exactly as I saw it.
TBB version: 9.0 (based on Mozilla Firefox 68.2.0esr) (32-bit)
Platform: Linux

Attachments (1)

bookmarking.png (26.0 KB) - added by Thorin 12 months ago.
I don't see this (temp? memory only?) thumb being stored anywhere in the profile, although places-sqlite-wal grew massively after the fact

Change History (9)

comment:1 Changed 12 months ago by rexkzhfbhgyc

I can't post a screenshot for security reasons.
I found one similar (maybe the same) question: https://support.mozilla.org/en-US/questions/1232360
But the solution just focuses on hiding such a screenshot in the UI rather than avoiding leaking such a screenshot to disk (if any).

Changed 12 months ago by Thorin

Attachment: bookmarking.png added

comment:2 Changed 12 months ago by gk

Keywords: tbb-9.0-issues added

We should figure out whether that's an actual issue in Tor Browser. Maybe the screenshot is just shown when the page is bookmarked?

comment:3 Changed 12 months ago by Thorin

Did a quick dig: the bookmarking confirmation/cancel panel with favicon+screenshot landed in FF62. Here's the screenshot ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1460248

comment:4 Changed 12 months ago by sysrqb

Status: new → needs_information

I'm not sure this is a bug (or that we should fix it). Bookmarks are already tagged with the date they were last modified. We can go down the rabbit-hole of scrubbing all timestamps associated with bookmarks and any other information that may indicate when the bookmark was created/updated - but that is a much larger issue.

comment:5 Changed 12 months ago by Thorin

I don't think the concern is metadata: it's that the actual content of the thumbnail may reveal something unintentional (e.g. your user name on the site: e.g. if I bookmarked this page, it says "logged in as Thorin"). If the thumbnail in the confirmation/cancel dialog is memory only, then I think we're good.

comment:6 Changed 11 months ago by Thorin

Relevant ticket

I *think* these thumbnails are stored for use in Activity Stream, even if AS is disabled. Upstream are issues about PII being exposed (banking info, user names, passwords in plain text, and even a camera bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1310626#c6 )

comment:7 Changed 5 months ago by sysrqb

Keywords: tbb-9.5-issues added; tbb-9.0-issues removed

Batch move remaining tbb-9.0-issues -> 9.5-issues

comment:8 Changed 5 months ago by sysrqb

Keywords: tbb-9.0-issues added; tbb-9.5-issues removed