Researcher questions efficacy of proposed remedies as debate rumbles on 18 months after disclosure
A peculiarity of Japanese punctuation appears to have heightened the impact of a Chrome and Firefox vulnerability whose resolution has been complicated by the potential impact on enterprise users.
The privacy flaw leaks Chrome and Firefox users’ search terms to their internet service providers (ISPs) without their consent under certain conditions and, as Mozilla has acknowledged, could potentially expose them to surveillance by malicious actors.
Mozilla and Google were alerted to the problem back in April 2020 by security researcher Duy Khuong, and Firefox 78 launched two months later with support for disabling behavior that caused the vulnerability.
Eighteen months after disclosure, Google is now planning to fix the issue by turning a vulnerable feature off by default.
Modern browsers ordinarily don’t leak users’ online activity to ISPs beyond the fact that ISPs can see which web pages they visit.
However, if users enter a single word, or multiple words separated by hyphens, into the address bar of Chrome or (in its default settings) Firefox, the search terms are relayed to the ISP’s servers within DNS queries.
The flaw is not triggered by multi-word search terms separated by spaces (so ‘infosec news’ would not leak, while ‘infosec-news’ would).
Even DNS-over-HTTPS (DoH) and privacy-protecting search engine DuckDuckGo fail to protect users from the bug, Khuong discovered.
Japanese search terms, it transpires, leak far more readily since words in Japanese sentences are seldom separated by spaces.
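As an added illustration, not code from the article or from either browser, the following Python applies the rule described above to address-bar input (no whitespace means a DNS lookup before the browser decides it is a search) and then does what a defender would do with it: flag single-label queries in a resolver log that match none of the enterprise’s known intranet hostnames, since those are the likely leaked search terms. The log format and the intranet hostnames are constructed assumptions.

```python
import re

# Rule as the article describes it: a single word, or words joined by
# hyphens, is looked up in DNS before the browser treats it as a search;
# anything containing whitespace is not. This is an approximation of that
# rule, not the browsers' own logic. Japanese text written without spaces
# therefore counts as "one word" and is sent to DNS.
def sent_to_dns(omnibox_text: str) -> bool:
    text = omnibox_text.strip()
    if not text:
        return False
    return not any(ch.isspace() for ch in text)

# Constructed resolver log (assumed format, not any real product's):
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2021-10-20T09:00:01Z 10.0.0.5 infosec-news A
2021-10-20T09:00:02Z 10.0.0.5 intranet A
2021-10-20T09:00:03Z 10.0.0.7 www.example.com A
2021-10-20T09:00:05Z 10.0.0.9 wiki AAAA
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def leak_candidates(log_text: str, known_intranet_hosts: set) -> list:
    """Return (client, qname) pairs for single-label queries that are not a
    known intranet hostname. Such names are more likely to be search terms
    leaked by the intranet-detection lookup than genuine intranet visits."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        name = qname.rstrip(".").lower()
        # Multi-label names (www.example.com) are ordinary site visits.
        if "." in name:
            continue
        # Legitimate single-label intranet lookups are expected traffic.
        if name in known_intranet_hosts:
            continue
        found.append((client, name))
    return found

if __name__ == "__main__":
    for term in ("infosec news", "infosec-news", "セキュリティニュース"):
        print(repr(term), "->", "DNS lookup" if sent_to_dns(term) else "search only")
    print(leak_candidates(SAMPLE_DNS_LOG, {"intranet", "wiki"}))
```

The allowlist is the lever an enterprise already holds: anything single-label that is not on it deserves a look, whichever browser setting produced it.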
This revelation appears to have provided some impetus for a belated resolution from Google after Covid-19 initially delayed remediation and, after a July 2020 update indicated a fix was being attempted, the relevant Chromium bug tracker fell quiet for a year.
“This problem is more critical than that original post says,” a Chromium developer observed in July 2021, before explaining that “Japanese, ‘one word’ search text is used more than [with the] English language”.
They also said that the way “Chromium broadcasts the ‘one word’ search text to LAN in windows means all IoT device[s] in my house can listen [to] the ‘one word’ search text”.
Khuong told The Daily Swig he was hitherto unaware of this impact and that other, as-yet-undiscovered impacts may exist. “This also applies to Firefox, because the underlying mechanism is the same,” he added.
As reported by The Daily Swig last year, the flaw appears to be the legacy of a decades-old feature whereby the browsers consult local DNS in order to distinguish between single-word searches and intentions to visit local, single-word websites used by private and enterprise networks.
“Due to the ongoing use of this legacy feature of the DNS system, we do not have immediate plans to change the default behavior,” Mozilla tells The Daily Swig.
However, in a related Bugzilla ticket, ‘Tusing’ said earlier this month: “That isn’t [a] reasonable default from a privacy perspective” because “a vanishingly small number of web users access an intranet like that”.
‘Gregory Pappas’ then countered that Tusing had underestimated the extent of intranet use and was proposing a solution that would “alienate enterprise users even more by forcing them to do even more cajoling to make it suitable for their use”.
However, Khuong has echoed Tusing’s sentiments, saying Mozilla have underestimated the bug’s severity and are “putting enterprise support above the user’s privacy protection, and discouraging contributions from others”.
Pappas added: “Privacy on the web is a balancing act and Firefox remains the only major browser that offers settings to plug the hole.”
However, a member of the Chromium team indicated on September 14 that the issue would also be remediated in Chrome “in a few weeks”, along with a slew of other security issues, by disabling the omnibox’s Intranet Redirect Detector feature.
Khuong, however, is unconvinced by the proposal, since enterprises would have the hassle of re-enabling a feature they still need, and doing so would mean one-word searches will still “be sent around for DNS lookups”.
The researcher proposed an alternative fix on the bug thread on October 19 and is awaiting a reply.
Google did not respond to our requests for comment and Mozilla has declined to comment further.