Twitter Discloses Firefox Bug That Cached Private Files Sent or Received via DMs (zdnet.com) 42

Social networking giant Twitter today disclosed a bug on its platform that impacted users who accessed their platform using Firefox browsers. From a report: According to Twitter, its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily. Twitter said that once users left their platform or logged off, the files would remain in the browser cache, allowing anyone to retrieve it. The company is now warning users who share workstations or used a public computer that some of their private files may still be present in the Firefox cache. Malware present on a system could also scrape and steal this data, if ever configured to do so.

  • Nice I am immune!

    Just my 2 cents ;)
  • by Anonymous Coward on Thursday April 02, 2020 @09:59PM (#59903450)

    its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily.

    If you see it on your screen, it is in your browser's cache. This is how web browsers have worked since forever. Almost 20 years ago, there was a website I went to which had a webcam that posted a new picture every couple of minutes. There was no way to download and save the pictures so I just wrote a script that pulled it out of my browser's cache.

    • by AC-x ( 735297 )

      If you see it on your screen, it is in your browser's cache.

      I'm pretty sure they're talking about file downloads and not on-screen content: "files sent or received via direct messages (DMs), data archive files downloaded from a profile's settings page, and others"

      I'm also pretty sure browsers save file downloads directly to the download location and don't also place a copy in cache.

      Having not used Twitter I can only assume instead of implementing downloadable files by letting the browser just, you know, download the files, they've rolled their own HTML5 javascript f

  • Misleading title (Score:5, Informative)

    by alexo ( 9335 ) on Thursday April 02, 2020 @10:10PM (#59903462) Journal

    This is not a bug in Firefox but in Twitter, as both TFS and TFA state.

  • by Sebby ( 238625 ) on Thursday April 02, 2020 @10:21PM (#59903480)
    Sounds more like Twitter didn't configure their stuff correctly so that FF would know to discard it.
    • by Sebby ( 238625 )
      Like many others, I suspected this had something to do with caching, and Twitter not properly telling browsers how to cache (or not) content, which has now been confirmed [mozilla.org] by Mozilla.
  • Anyone? (Score:4, Interesting)

    by PPH ( 736903 ) on Thursday April 02, 2020 @10:24PM (#59903484)

    If another user is given an account on this machine, they get their own uid and gid. My umask is set to prohibit any uid/gid other than my own from reading these files. Isn't this how all real operating systems work?

    • by tlhIngan ( 30335 )

      If another user is given an account on this machine, they get their own uid and gid. My umask is set to prohibit any uid/gid other than my own from reading these files. Isn't this how all real operating systems work?

      Yes. Though the defaults of some operating systems may leave something to be desired - I don't know if Firefox sets the permissions under Windows to "Owner only" - or the specific username of the profile it's running under.

      It all comes to defaults. I'm sure there are plenty of installations wher

  • by Anonymous Coward

    Unless you have multiple Windows user accounts, anything in the documents or downloads folder is accessible by anyone too, just like the Firefox cache folder. And if you did have multiple Windows user accounts then there would be separate Firefox cache folders as well.

    Additionally, this isn't a Firefox bug, it is a Twitter bug. Twitter is saving stuff in "Offline Web Content and User Data" area which is designed to store stuff offline. If Twitter thinks that it shouldn't be caching this stuff then it shouldn't b

  • If one doesn't want anything cached by public computers or friends' computers, there is private browsing for that. Online account logout means the computer can't act on your account's behalf anymore. There is no guarantee about history or cache.
    • And if a web site does not want things to be cached, there are HTTP headers to tell the browsers what to do. Those headers can be used to suppress caching altogether, or to cache them only for a short time.
  • Bullshit (Score:5, Insightful)

    by nashv ( 1479253 ) on Friday April 03, 2020 @06:06AM (#59904164) Homepage

    Twitter sends a non-standard header for "Do not cache". Firefox does not recognize this header because, here's a clue - it is NOT A STANDARD SPECIFIED HEADER. Chromium has implemented this non-standard header for themselves.

    So, what happened is, that Twitter optimized their site for Chromium, did not respect the standards, and is now calling it a Firefox bug.

    This is like how you make a traffic light with purple, cyan and orange lights, and then complain about how the guy expecting "green to go" is mentally challenged.

    • Ah there it is
       
      On a side note, why isn't "do not cache" part of the standard already? Seems like that should have been one of the first features suggested forever ago when people started to care about security.

    • by m-flak ( 6737650 )
      You're saying that Twitter does not use 'Cache-Control' in its HTTP response headers? What on Earth, then, is the response header they sent??
    • That's the problem when a browser or its engine has too big a market share: People develop for that engine and it becomes a de facto standard.
      It's Internet Explorer in the early 2000s all over again.
      Since Opera and Microsoft gave up on developing their own web engines only the Chrome one, Apple's one and Firefox's one remain. And I'm not sure how different Apple's and Chrome's are since they share a common ancestor.
  • by sad_ ( 7868 )

    "...the bug's impact is somewhat limited as Firefox automatically purges all cached data older than seven days... The cache can be cleared in Firefox by going to Tools > Options > Privacy & Security > Cookie and Site Data > Clear Data."

    or install one of the many add-ons available that clears cookies for you automatically.

    • I've recommended to friends, family and coworkers that you clear the browser at least once a day, mitigating these kinds of issues, and ideally set up Firefox to wipe everything when you close it. I've also recommended the use of applications like bleachbit, which can remove all the stuff you unknowingly leave behind, and if you set something like that to run every 15 minutes, then you never really have an issue.
  • Common sense practices tell us to wipe our browsers at least once a day, if not several, and especially after taking part in any social media based activities, on shared computers and public workstations. On top of that any responsible configuration would include applications like bleachbit, so you can fully scrub your data in between users and sessions.

    I saw this warning yesterday, but it doesn't really cause any sense of alarm as your data should never be sitting around, unless you have a reason for i
  • As many others have pointed out, caching is how browsers work. It can be controlled with headers, and in the browser itself, to some degree. Browsers can also be set to clear the cache when shut down (that should be the default IMO, but the setting is available to any who want to use it). That setting has been around since Mosaic (as used by Compuserve) and early IE, and is in the security section of Firefox options. Private browsing in some implementations also clears the cache for that window when the win
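
Several comments above note that standard HTTP headers tell a browser whether it may cache a response. As an added example (not from the thread, Twitter or Mozilla), this JavaScript classifies constructed sample header sets by their `Cache-Control` directives to show which responses a standards-following browser may still keep after logout; `X-Do-Not-Cache` is a hypothetical non-standard header name used only for illustration.

```javascript
// Added example. Header sets are constructed samples, not captured traffic;
// "X-Do-Not-Cache" is a hypothetical non-standard header name.
const SAMPLES = {
  hardened:    { "Cache-Control": "no-store" },
  shortLived:  { "Cache-Control": "private, max-age=60" },
  revalidate:  { "cache-control": "No-Cache" },
  silent:      { "Content-Type": "application/octet-stream",
                 "Last-Modified": "Wed, 01 Apr 2020 10:00:00 GMT" },
  nonStandard: { "X-Do-Not-Cache": "1" },
};

// Split a Cache-Control value into a Map of lower-cased directive -> argument.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, ...arg] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), arg.join("=").replace(/^"|"$/g, ""));
  }
  return directives;
}

// Decide what a standards-following browser cache may do with the response.
function auditCaching(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const cc = parseCacheControl(h["cache-control"]);
  if (cc.has("no-store")) return "not-stored";         // never written to the cache
  if (cc.has("no-cache")) return "stored-revalidate";  // kept, rechecked before reuse
  if (cc.has("max-age") || "expires" in h) return "stored-timed"; // kept for a stated lifetime
  return "stored-heuristic"; // no standard instruction: the browser picks a lifetime itself
}

// Names of sample responses whose body may remain in the cache after logout.
function leftInCache(samples) {
  return Object.keys(samples).filter((n) => auditCaching(samples[n]) !== "not-stored");
}

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(12), auditCaching(headers));
}
console.log("left in cache:", leftInCache(SAMPLES).join(", "));
```

Only `no-store` keeps the body out of the cache; `no-cache` and a short `max-age` limit reuse but still leave a copy on disk.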
