Opened 7 weeks ago

Last modified 5 weeks ago

#32287 needs_information defect

bookmark save a screenshoot for bookmarked page?

Reported by: rexkzhfbhgyc Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-9.0-issues
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I think this is a dangerous thing because it expose my page screenshot as exactly what I seen.
TBB version:9.0 (based on Mozilla Firefox 68.2.0esr) (32-bit)
Platform:Linux

Child Tickets

Attachments (1)

bookmarking.png (26.0 KB) - added by Thorin 6 weeks ago.
I don't see this (temp? memeory only?) thumb being stored anywhere in the profile, although places-sqlite-wal grew massively after the fact

Download all attachments as: .zip

Change History (6)

comment:1 Changed 6 weeks ago by rexkzhfbhgyc

I'm can't post one screenshot for security reason.
I found out one similar(maybe same) question:https://support.mozilla.org/en-US/questions/1232360
But the solution just focus on hide such screenshot in UI rather than avoid leak such screenshot to disk(if any).

Changed 6 weeks ago by Thorin

Attachment: bookmarking.png added

I don't see this (temp? memeory only?) thumb being stored anywhere in the profile, although places-sqlite-wal grew massively after the fact

comment:2 Changed 6 weeks ago by gk

Keywords: tbb-9.0-issues added

We should figure out whether that's an actual issue in Tor Browser. Maybe the screenshot is just shown when the page is bookmarked?

comment:3 Changed 6 weeks ago by Thorin

Did a quick dig: the bookmarking confirmation/cancel panel with favicon+screenshot landed in FF62. Here's the screenshot ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1460248

comment:4 Changed 5 weeks ago by sysrqb

Status: newneeds_information

I'm not sure this is a bug (or that we should fix it). Bookmarks are already tagged with the date they were last modified. We can go down the rabbit-hole of scrubbing all timestamps associated with bookmarks and any other information that may indicate when the bookmark was created/updated - but that is a much larger issue.

comment:5 Changed 5 weeks ago by Thorin

I don't think the concern is metadata: it's the actual content of the thumbnail may reveal something unintentional (e.g your user name on the site: e.g if I bookmarked this page, it says "logged in as Thorin"). If the thumbnail in the confirmation/cancel dialog is memory only, then I think we're good.

Note: See TracTickets for help on using tickets.