Twitter Discloses Firefox Bug That Cached Private Files Sent or Received via DMs (zdnet.com)
Social networking giant Twitter today disclosed a bug on its platform that impacted users who accessed their platform using Firefox browsers. From a report: According to Twitter, its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily. Twitter said that once users left their platform or logged off, the files would remain in the browser cache, allowing anyone to retrieve them. The company is now warning users who share workstations or have used a public computer that some of their private files may still be present in the Firefox cache. Malware present on a system could also scrape and steal this data, if ever configured to do so.
accessed their platform (Score:2, Funny)
Just my 2 cents
This is how browsers work (Score:5, Informative)
its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily.
If you see it on your screen, it is in your browser's cache. This is how web browsers have worked since forever. Almost 20 years ago, there was a website I went to which had a webcam that posted a new picture every couple of minutes. There was no way to download and save the pictures, so I just wrote a script that pulled it out of my browser's cache.
Re: (Score:1)
It's normal to not cache https results to disk by default.
Some browsers permit you to change that, which you should not do unless you are caching to encrypted storage.
Re:This is how browsers work (Score:4, Insightful)
It's normal to not cache https results to disk by default. Some browsers permit you to change that, which you should not do unless you are caching to encrypted storage.
This is absolutely not true. The default behavior of all browsers is to cache based on whether the website allows it via HTTP headers and is not based on being HTTP/HTTPS.
To disable caching of allowed HTTPS content would be terrible for web performance.
You can do an experiment, go to https://en.wikipedia.org/wiki/Main_Page then press F12 to check the network tab. Note the cached page and files.
Re:This is how browsers work (Score:5, Informative)
The default is to cache all content, whether it's HTTP or HTTPS, unless instructed otherwise, either by the site sending a header to limit caching, or the user setting this in their browser.
I'd be interested in seeing any documentation contradicting this. I looked but so far could only find information confirming it. (e.g. https://www.ise.io/casestudies... [www.ise.io] )
Re: (Score:2)
Indeed, but it's not the norm nor the standard. I'm looking at my Chrome cache right now, which is full of unencrypted files delivered yesterday via HTTPS, including major sites like Google. I haven't changed any of the caching settings, so this behaviour is Chrome's default.
The crux of my comment is toward the AC who claimed browsers should "never" cache HTTPS content to disk. With the majority of sites being delivered via HTTPS, the entire caching mechanism would be pointless if it didn't continue to oper
Re: (Score:2)
Whoops, looks like I'm way out of date on that one. I guess I just have my browser configured that way. And only on desktop. My phone is encrypted, so I never gave it a thought there.
Re: (Score:2)
As for the probable cause of the issue, I recently had a situation where I was returning live data in JSON from a server - one browser requested a fresh copy each time while another pulled a stale copy from the cache. The problem was the headers in the server's response didn't say that the data expired
Re: (Score:2)
Stop pretending to know things that you don't know, and that you know you don't know.
Just. Fucking. Stop.
You are a dishonest fuck. Pretending.
Re: (Score:2)
You still think there's a deep state conspiracy, and you're telling me that? Eat the whole bag.
Re: (Score:3)
Unless you're a web-browser. In which case, you cache unless explicitly told not to. HTTPS does not represent a secure browsing session. It's intended to improve security of the data between the site you're viewing, and your PC. What your PC does with it has nothing to do with HTTPS. It is not private browsing (which vice versa, is not automagically secure browsing, but is more secure treatment of the data received, by your PC). Although neither necessarily protect you completely. HTTPS isn't completely imm
Re: (Score:2)
That's incorrect. It's purely improved transfer security. HTTPS is not "private browsing".
Re: (Score:2)
If you see it on your screen, it is in your browser's cache.
I'm pretty sure they're talking about file downloads and not on-screen content: "files sent or received via direct messages (DMs), data archive files downloaded from a profile's settings page, and others"
I'm also pretty sure browsers save file downloads directly to the download location and don't also place a copy in cache.
Having not used Twitter I can only assume instead of implementing downloadable files by letting the browser just, you know, download the files, they've rolled their own HTML5 javascript f
Misleading title (Score:5, Informative)
This is not a bug in Firefox but in Twitter, as both TFS and TFA state.
So... Twitter bug blamed on Firefox? (Score:5, Insightful)
Anyone? (Score:4, Interesting)
If another user is given an account on this machine, they get their own uid and gid. My umask is set to prohibit any uid/gid other than my own from reading these files. Isn't this how all real operating systems work?
Re: (Score:2)
Yes. Though the defaults of some operating systems may leave something to be desired - I don't know if Firefox sets the permissions under Windows to "Owner only" - or the specific username of the profile it's running under.
It all comes to defaults. I'm sure there are plenty of installations wher
Re: (Score:2)
Yes.
whoopee da doo da (Score:1)
Unless you have multiple Windows user accounts, anything in the Documents or Downloads folder is accessible by anyone too, just like the Firefox cache folder. And if you did have multiple Windows user accounts, then there would be separate Firefox cache folders as well.
Additionally, this isn't a Firefox bug, it is a Twitter bug. Twitter is saving stuff in the "Offline Web Content and User Data" area, which is designed to store stuff offline. If Twitter thinks that it shouldn't be caching this stuff then it shouldn't b
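The uid/gid/umask question raised a few comments up, and the "separate cache folders per account" point in this one, come down to the permission bits on the profile's cache directory. The following is an added example, not Firefox's or Twitter's code: it walks a cache directory and lists every entry that grants any group or world permission, and reports whether the current umask would make new files owner-only. It applies to POSIX permission bits only (Windows uses ACLs, so the check does not carry over); the demo tree it scans is constructed in a temporary directory.

```python
"""Check whether a browser profile or cache directory is readable by other local
accounts (the uid/gid/umask question from the thread).  Added example, not
Firefox's code.  POSIX permission bits only; the demo tree is constructed."""
import os
import stat
import tempfile


def exposed_entries(path):
    """Return sorted [(relative path, octal mode)] for entries under `path`
    (including `path` itself) that grant any permission to group or others."""
    candidates = [path] + [os.path.join(root, name)
                           for root, dirs, files in os.walk(path)
                           for name in dirs + files]
    exposed = []
    for full in candidates:
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        if mode & 0o077:                      # any group/other bit set
            exposed.append((os.path.relpath(full, path), oct(mode)))
    return sorted(exposed)


def umask_is_owner_only():
    """True if the process umask strips every group/other bit from new files,
    i.e. files the browser creates will be owner-only without a further chmod."""
    current = os.umask(0)   # os.umask returns the previous value; restore it at once
    os.umask(current)
    return (current & 0o077) == 0o077


def make_demo_cache(base):
    """Construct a sample cache tree: an owner-only directory holding one
    owner-only entry and one entry created with a permissive mode."""
    cache = os.path.join(base, "cache2")
    os.makedirs(cache, exist_ok=True)
    os.chmod(cache, 0o700)
    for name, mode in (("entry_private", 0o600), ("entry_leaky", 0o644)):
        entry = os.path.join(cache, name)
        with open(entry, "w") as fh:
            fh.write("constructed cache entry\n")
        os.chmod(entry, mode)
    return cache


def demo_scan():
    """Build the constructed tree in a temporary directory, scan it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposed_entries(make_demo_cache(tmp))


if __name__ == "__main__":
    print("umask makes new files owner-only:", umask_is_owner_only())
    for rel, mode in demo_scan():
        print(f"exposed to other accounts: {rel} ({mode})")
```

On a real profile, point `exposed_entries` at the cache directory itself; an empty result means the directory and everything below it is owner-only, which is the condition the commenter above relies on.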
Use Private Browsing (Score:2)
Bullshit (Score:5, Insightful)
Twitter sends a non-standard header for "Do not cache". Firefox does not recognize this header because, here's a clue - it is NOT A STANDARD SPECIFIED HEADER. Chromium has implemented this non-standard header for themselves.
So, what happened is, that Twitter optimized their site for Chromium, did not respect the standards, and is now calling it a Firefox bug.
This is like how you make a traffic light with purple, cyan and orange lights, and then complain about how the guy expecting "green to go" is mentally challenged.
Re: (Score:2)
Ah, there it is.
On a side note, why isn't "do not cache" part of the standard already? Seems like that should have been one of the first features suggested forever ago when people started to care about security.
Re:Bullshit (Score:4, Informative)
A standard exists, except Twitter does not use it.
Here is the doc for it: https://developer.mozilla.org/... [mozilla.org]
Re: (Score:2)
Mozilla has a blog post explaining all details: https://blog.mozilla.org/blog/... [mozilla.org]
"In this case, Twitter did not include a ‘no-store’ directive for direct messages. The content of direct messages is sensitive and so should not have been stored in the browser cache. Without Cache-Control or Expires, however, browsers used heuristic caching logic."
https://hacks.mozilla.org/2020... [mozilla.org]
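The rule the Mozilla quote describes, and that the earlier replies about header-based caching defaults argue over, can be checked mechanically: a response with Cache-Control: no-store is never stored, an explicit max-age or Expires sets the freshness lifetime, and a response with neither falls through to heuristic freshness (RFC 7234 suggests 10% of the time since Last-Modified), which is the branch a DM attachment with no caching directive lands in. The block below is an added example, not code from Twitter, Mozilla or the linked articles. It implements that decision for a set of constructed responses and flags sensitive URLs a browser would be allowed to store; the URL paths, the "sensitive" prefixes and all header values are constructed for illustration.

```python
"""Decide whether a browser cache may store an HTTP response and for how long it
counts as fresh, following the RFC 7234 rules discussed in the thread: an explicit
Cache-Control or Expires header wins, otherwise heuristic freshness applies.
Added example; not Twitter's, Mozilla's or any browser's code.  Sample responses,
URL paths and sensitive-path prefixes are constructed for illustration."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


def parse_cache_control(value):
    """Parse 'no-store, max-age=600' into {'no-store': None, 'max-age': '600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_decision(headers, now):
    """Return (storable, freshness_seconds, reason) for one response.

    headers: dict of response header names to values (any case).
    now:     timezone-aware datetime taken as the time the response arrived.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, None, "Cache-Control: no-store forbids storing the response"
    if cc.get("max-age", "") and cc["max-age"].isdigit():
        return True, int(cc["max-age"]), "explicit Cache-Control: max-age"
    if "expires" in h:
        try:
            remaining = (parsedate_to_datetime(h["expires"]) - now).total_seconds()
        except (TypeError, ValueError):
            return True, 0, "unparseable Expires counts as already expired"
        return True, max(0, int(remaining)), "explicit Expires"
    if "last-modified" in h:
        # Heuristic freshness: 10% of the time since Last-Modified.  With no
        # Cache-Control or Expires at all, this is the branch a DM attachment hits.
        age = int((now - parsedate_to_datetime(h["last-modified"])).total_seconds())
        return True, max(0, age // 10), "no explicit freshness: heuristic from Last-Modified"
    return True, 0, "no freshness information: storable, must be revalidated before reuse"


SENSITIVE_PATH_PREFIXES = ("/dm_media/", "/settings/archive/")   # constructed


def audit_responses(responses, now, sensitive_prefixes=SENSITIVE_PATH_PREFIXES):
    """Return [(url, freshness_seconds, reason)] for sensitive responses a cache may store."""
    findings = []
    for url, headers in responses:
        if not urlsplit(url).path.startswith(sensitive_prefixes):
            continue
        storable, freshness, reason = cache_decision(headers, now)
        if storable:
            findings.append((url, freshness, reason))
    return findings


# Constructed sample: a response time, a DM attachment with no caching directive,
# the same attachment with the hardened header, and an ordinary public asset.
NOW = datetime(2020, 4, 3, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("https://example.invalid/dm_media/attachment.jpg",
     {"Content-Type": "image/jpeg", "Last-Modified": "Wed, 04 Mar 2020 00:00:00 GMT"}),
    ("https://example.invalid/dm_media/attachment-fixed.jpg",
     {"Content-Type": "image/jpeg", "Cache-Control": "no-store, private"}),
    ("https://example.invalid/static/app.js",
     {"Content-Type": "text/javascript", "Cache-Control": "public, max-age=31536000"}),
]

if __name__ == "__main__":
    for url, freshness, reason in audit_responses(SAMPLE_RESPONSES, NOW):
        print(f"{url}: storable, fresh for {freshness}s ({reason})")
```

Run against the constructed sample, only the first DM attachment is reported: with a Last-Modified thirty days old and no other directive it is storable and heuristically fresh for three days, whereas the same resource sent with Cache-Control: no-store is never written to the cache. In a real audit the responses would come from recorded traffic for the endpoints that carry private data, and the check to add is that every one of them carries no-store.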
Re: (Score:2)
It's Internet Explorer in the early 2000s all over again.
Since Opera and Microsoft gave up on developing their own web engines only the Chrome one, Apple's one and Firefox's one remain. And I'm not sure how different Apple's and Chrome's are since they share a common ancestor.
Solution (Score:2)
"...the bug's impact is somewhat limited as Firefox automatically purges all cached data older than seven days... The cache can be cleared in Firefox by going to Tools > Options > Privacy & Security > Cookie and Site Data > Clear Data."
or install one of the many add-ons available that clears cookies for you automatically.
Clear your browser and wipe your cache / temp data (Score:2)
I saw this warning yesterday, but it doesn't really cause any sense of alarm as your data should never be sitting around, unless you have a reason for i
It's how browsers work, and can be controlled (Score:2)
As many others have pointed out, caching is how browsers work. It can be controlled with headers, and in the browser itself, to some degree. Browsers can also be set to clear the cache when shut down (that should be the default IMO, but the setting is available to any who want to use it). That setting has been around since Mosaic (as used by Compuserve) and early IE, and is in the security section of Firefox options. Private browsing in some implementations also clears the cache for that window when the win