New issue
Advanced search Search tips

Issue 708447 link

Starred by 2 users
Status: Fixed
Owner:
mastiz@chromium.org
Closed: Sep 2017
Cc:
sky@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: ----


Show other hotlists

Hotlists containing this issue:
Hotlist-Privacy


Sign in to add a comment

Visiting bookmarked pages in incognito leaves a trace in favicon cache

Project Member Reported by mastiz@chromium.org, Apr 5 2017 
PRIVACY ISSUE
Visiting bookmarked pages in incognito leaves a trace in favicon cache

Related old bug: https://bugs.chromium.org/p/chromium/issues/detail?id=22670

VERSION:
Chrome Version: 10+ (stable)
Operating System: all

REPRODUCTION STEPS
1. Clear browsing history.
2. Visit a page like www.google.com.
3. Bookmark the page (might need to be fast, before the page has finished loading).
4. Open bookmarks UI (favicon is missing).
5. Open incognito tab.
6. Visit the bookmark.
7. Close incognito tab.
8. Open bookmarks UI.

Expected: favicon is missing (i.e. the incognito visit left no trace).
Actual: favicon is available (i.e. non-gray nice icon displayed).

Steps 1..4 and 8 could be exploited intentionally by a user that shares a device with another user, to know if the latter visits a certain page in incognito.

NOTE: besides the privacy aspect of this, let me mention that changing the logic to *not* update the favicon cache could cause a regression for users that regularly visit bookmarked pages in incognito, since the icon itself would never be updated.

Comment 1 by mastiz@chromium.org, Apr 5 2017

Cc: sky@chromium.org
Project Member

Comment 2 by bugdroid1@chromium.org, Apr 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d65c1d7370f67352f3fc7052d71b5ddfe88a18f1

commit d65c1d7370f67352f3fc7052d71b5ddfe88a18f1
Author: mastiz <mastiz@chromium.org>
Date: Fri Apr 07 07:19:01 2017

Add FaviconHandler test reflecting behavior of bookmarks in incognito

It's not clear whether this is the desired behavior, but let's at least
document it in the form of tests.

BUG= 708447 

Review-Url: https://codereview.chromium.org/2804573002
Cr-Commit-Position: refs/heads/master@{#462801}

[modify] https://crrev.com/d65c1d7370f67352f3fc7052d71b5ddfe88a18f1/components/favicon/core/favicon_handler_unittest.cc

Comment 3 by battre@chromium.org, Apr 7 2017 

I think that the current behavior is not in line with the incognito definition and should be changed.

Comment 4 by mastiz@chromium.org, Apr 7 2017

Labels: zine-favicon-pe
Owner: mastiz@chromium.org
Status: Started (was: Untriaged)

Comment 5 by msramek@chromium.org, Jul 6 2017

Labels: Hotlist-Privacy
Project Member

Comment 6 by bugdroid1@chromium.org, Sep 11 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/62a06efac826e30ae2683b64a6eccf628899de4c

commit 62a06efac826e30ae2683b64a6eccf628899de4c
Author: mastiz <mastiz@chromium.org>
Date: Mon Sep 11 18:14:16 2017

Fix leaking page visits in incognito mode via bookmarked favicons

When a page is visited, the favicons are cached into HistoryService. In
incognito, this is the case only if the page is bookmarked, a
special-casing introduced long ago in
http://codereview.chromium.org/5753007.

The exception doesn't seem necessary because bookmark creation
explicitly saves the favicon (calls SetFavicon), although currently
broken on mobile ( crbug.com/761764 ).

This exception seems to go against the general promise behind incognito
mode and can be exploited by users that share devices with other users.
E.g. if one user wants to know if another user visits a certain page,
it's sufficient to bookmark it and clear the local cache.

BUG= 708447 

Review-Url: https://chromiumcodereview.appspot.com/2694333002
Cr-Commit-Position: refs/heads/master@{#500976}

[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/chrome/browser/favicon/favicon_utils.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/chrome/browser/ui/browser_commands.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/content/content_favicon_driver.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/content/content_favicon_driver.h
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/content/content_favicon_driver_unittest.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/core/BUILD.gn
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/core/DEPS
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/core/favicon_driver_impl.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/core/favicon_driver_impl.h
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/core/favicon_handler.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/core/favicon_handler.h
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/core/favicon_handler_unittest.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/ios/web_favicon_driver.h
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/components/favicon/ios/web_favicon_driver.mm
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/ios/chrome/browser/reading_list/BUILD.gn
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/ios/chrome/browser/reading_list/favicon_web_state_dispatcher_impl.mm
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/ios/chrome/browser/reading_list/reading_list_download_service_factory.cc
[modify] https://crrev.com/62a06efac826e30ae2683b64a6eccf628899de4c/ios/chrome/browser/tabs/tab_helper_util.mm

Comment 7 by mastiz@chromium.org, Sep 11 2017

Status: Fixed (was: Started)

Sign in to add a comment