Browser-laptop: Context menu for page can access details for another tab (in this case, LastPass credentials)

Created on 10 Apr 2017 · 17 Comments · Source: brave/browser-laptop

Test plan

https://github.com/brave/browser-laptop/pull/8363#issue-222240660


  • Did you search for similar issues before submitting this one?
    Yes

  • Describe the issue you encountered:
    When attempting to use LastPass in a private tab, the credentials available in the context menu are those from the most recently visited non-private tab.

  • Platform (Win7, 8, 10? macOS? Linux distro?): Windows 10

  • Brave Version (revision SHA): https://github.com/brave/browser-laptop/commit/10539c2316a1b9a8011aa5fab742957d8a0b509e

  • Steps to reproduce:

    1. Navigate in a public tab to a site that uses LastPass credentials
    2. Navigate in a private tab to _another site_, and check LastPass in context menu
    3. LastPass will offer the credentials for the public site

  • Actual result:
    Our context menus are confused about which site the user is on.

  • Expected result:
    Our context menus are aware of where the user is, and will not offer credentials for any other domain.

  • Will the steps above reproduce in a fresh profile? If not what other info can be added?
    N/A

  • Is this an issue in the currently released version?
    N/A

  • Can this issue be consistently reproduced?
    Yes

  • Screenshot if needed:
    (screenshot: lastpass-confusion)

  • Any related issues:

Labels: QA/checked-Linux, QA/checked-Win64, QA/checked-macOS, QA/test-plan-specified, bug, feature/extensions, feature/private-tabs, feature/session-tabs, privacy, release-note/include, security

All 17 comments

i can't repro this on master, but supposedly lastpass should not be enabled at all in private tabs

i think this is blocked on someone (@bridiver?) confirming what the expected behavior in private tabs is. IMO lastpass should be disabled in private tabs until https://github.com/brave/browser-laptop/issues/7907 is done

++ on what @diracdeltas said (we should disable in private tabs until #7907 is done)

I'll try reproducing w/ Preview 3 on macOS and Windows and will report back

the expectation is that lastpass shouldn't work at all right now in private tabs so I'm not sure why it does anything at all. @jonathansampson what is the incognito setting in the manifest?

@bridiver i believe it's the default spanning

I believe the only problem here is that we're showing the context menu when we shouldn't be. I can't get lastpass to do anything in a private tab without using the context menu. All extension context menus should be disabled in private tabs until #7907 is done
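As an added illustration (not browser-laptop code, and not LastPass's), here is a small JavaScript model of what the thread converges on: the buggy menu is built from stale "most recently seen non-private tab" state, while the fixed menu is built from the tab that raised the event, offers no extension entries at all in a private tab, and never offers an entry whose origin differs from the page the user is on. The tab records, the extension entries and the extension id `pwmanager-ext` are constructed for the example.

```javascript
// Added example (hypothetical; not browser-laptop or LastPass code).
// Models the bug in this issue: a context menu built from stale "last
// non-private tab" state versus one built from the tab that raised the event.

// Constructed tab records. `isPrivate` marks a private tab.
const tabs = [
  { id: 1, url: 'https://bank.example/login', isPrivate: false },
  { id: 2, url: 'https://forum.example/thread', isPrivate: true },
  { id: 3, url: 'https://other.example/', isPrivate: false },
];

// Constructed extension context-menu entries. `siteOrigin` is the origin the
// credentials behind the entry belong to; 'pwmanager-ext' is a hypothetical
// extension id standing in for any password-manager extension.
const extensionMenuItems = [
  { extensionId: 'pwmanager-ext', title: 'Fill login: bank.example', siteOrigin: 'https://bank.example' },
];

function originOf(url) {
  return new URL(url).origin;
}

// Buggy builder: remembers the most recently activated non-private tab and
// offers that tab's extension entries to whichever tab the user right-clicks
// in. This is the behaviour described in the report.
let lastNonPrivateTab = null;
function noteTabActivated(tab) {
  if (!tab.isPrivate) lastNonPrivateTab = tab;
  return lastNonPrivateTab;
}
function buildMenuBuggy() {
  if (!lastNonPrivateTab) return [];
  const here = originOf(lastNonPrivateTab.url);
  return extensionMenuItems.filter(i => i.siteOrigin === here).map(i => i.title);
}

// Fixed builder: takes the tab that raised the contextmenu event and applies
// two rules from the thread: no extension entries in private tabs, and no
// entry whose origin differs from the page the user is actually on.
function buildMenuFixed(eventTab) {
  if (eventTab.isPrivate) return [];
  const here = originOf(eventTab.url);
  return extensionMenuItems.filter(i => i.siteOrigin === here).map(i => i.title);
}

// Replays the reproduction steps: visit the bank in a public tab, then
// right-click in a private tab on another site.
function reproduce() {
  noteTabActivated(tabs[0]); // step 1: public tab on bank.example
  noteTabActivated(tabs[1]); // step 2: private tab on forum.example (ignored by the stale state)
  return {
    buggy: buildMenuBuggy(),                 // offers bank.example credentials in the private tab
    fixed: buildMenuFixed(tabs[1]),          // offers nothing in the private tab
    fixedSameSite: buildMenuFixed(tabs[0]),  // still offers the entry on the matching public tab
    fixedOtherSite: buildMenuFixed(tabs[2]), // no cross-origin offer on a public tab either
  };
}

console.log(JSON.stringify(reproduce(), null, 2));
```

The fixed builder deliberately checks the private-tab rule before the origin rule: the thread's interim position is that extension context menus are withheld in private tabs entirely, and the origin check is what remains once private tabs do get extension support.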

has anyone verified that the lastpass content scripts are not running in priv. tabs?

they show up in private tabs, but so do the content scripts for 1pw and they don't do anything

IIRC lastpass/1pw run content scripts to do autofill without a context menu in some cases

I was unable to get LastPass to fill any forms in a private tab. This could be nothing more than preserving the context menu state. Another thing to check for would be the browserAction badge changing when entering a private tab.

I'm out of the office right now, but can check a bit more in about an hour.

@jonathansampson can you check if this is an issue in our current shipped version (0.14.1)? If so, I think we can unassign ourselves and push this back

@bsclifton Yes. This was/is an issue in 0.14.1. Also worth noting that this appears to be an issue with the context menu alone. Actually opening the LastPass popup window reveals no confusion. One alarming issue is that the user can copy credentials for Domain A while they're in a private instance of Domain B. So that's worth tracking.

awesome, thanks for the detailed info @jonathansampson! 😄

I'm going to push this back- I set a tentative milestone of 1.1 for now

Updated the title also, since this is related to the context menu and not the fault of LastPass or our extension support

Please ask me before pushing security issues back by more than 1 milestone. I think we need this fixed sooner since it is a cross-origin attack.

@diracdeltas will do- apologies

Moving to 0.15.0
