Comment by grahameb

5 years ago

"Firefox: ... However, it never actually uses the cache to fetch the entries. As a result, Firefox actually issues requests to re-fetch favicons that are already present in the cache. We have reported this bug to the Mozilla team, who verified and acknowledged it. At the time of submission, this remains an open issue. Nonetheless, we believe that once this bug is fixed our attack will work in Firefox..."

Gosh, I hope the favicon cache bug the authors filed isn't fixed until a broader mitigation against this is implemented.

> "However, it never actually uses the cache to fetch the entries."

I doubt the "never" because it regularly shows me the wrong favicon. This has been true for so many years that I consider it a familiar quirk more than a bug...

Later in the paper:

> we have disclosed our research to all the browser vendors.

Please consider that the researchers apparently submitted TWO bug reports. One because functionally the cache is broken, one because there's a potential privacy issue.

  • The account used to file that bug has not filed any other bug reports, so it isn't clear to me if they did report the underlying security issue that they found. (Disclaimer: I work on Firefox, but I'm just speaking for myself.)

It looks like someone else posted their paper to their bug.

  • Good. This sums it up pretty well:

        I also think that it would have been appropriate to notify about the
        ulterior motive behind this defect report at the latest when the paper got
        published. This underhanded approach of reporting a defect just leaves a bad
        taste, really.
    
        The behavior may be an actual defect in the classical sense, but I'm just
        wondering what would have happened, had this been addressed "in time" by the
        developers. It would seem that the researchers would then have triumphantly
        proclaimed that all major browsers are prone to their newly found attack.
        Must be somewhat disappointing that it didn't get fixed "in time" to make it
        into the paper that way.

    • I wonder if that behaviour is misconduct under the rules of the researcher's university. It seems at least highly questionable for a university employed researcher to, in effect, feature request a privacy vulnerability in order to later be able to publish an academic paper on that vulnerability.