



Adam Banister October 22, 2021 11:31 UTC Updated: October 22, 2021 12:01 UTC

The researcher questions the effectiveness of the proposed fix as discussions continue 18 months after disclosure.

Quirks of Japanese writing appear to have increased the impact of a vulnerability in Chrome and Firefox, and resolving it is complicated by the potential impact on enterprise users.

A privacy flaw in Chrome and Firefox can leak users' search terms to their Internet Service Provider (ISP) without consent under certain conditions, potentially exposing them to surveillance by malicious actors, Mozilla admits.


Mozilla and Google were warned about the issue by security researcher Duy Khuong in April 2020, and Firefox 78, released two months later, added support for disabling the behavior that causes the vulnerability.

Eighteen months after disclosure, Google is now planning to fix the issue by turning the vulnerable feature off by default.

One-word search

Modern browsers do not normally reveal a user's search terms to their ISP, although the ISP can see which web pages they visit.

However, if the user types a single word, or several words joined by hyphens, into the address bar of Chrome or Firefox in their default configuration, the search term is sent to the ISP's DNS server inside a DNS query.

The flaw is not triggered by multi-word search terms that contain spaces (so "infosec news" does not leak, but "infosec-news" does).

Khuong found that neither DNS-over-HTTPS (DoH) nor the privacy-focused search engine DuckDuckGo protects users from the bug.

Language curveball

Japanese search terms are especially likely to leak, because words in Japanese sentences are rarely separated by spaces, so an entire phrase is treated as a single word.
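The following Python script is an added example, not code from the article or from either browser project. It applies the heuristic the article describes (text with no whitespace is resolved via DNS) to typed input, including a Japanese phrase with no spaces, and then scans a constructed DNS query log for single-label queries that are likely leaked search terms, skipping an allowlist of known intranet host names. The log format, the allowlist, and the assumption that a non-ASCII term would appear in the DNS log in its IDNA (punycode, `xn--`) form are all assumptions of this example.

```python
import re
from typing import Dict, Iterable, List, Set


def would_trigger_lookup(typed: str) -> bool:
    """Mirror the behaviour described in the article: address-bar input that
    contains no whitespace (a single word, or words joined by hyphens) is
    resolved via DNS; input containing spaces is sent straight to search.
    str.isspace() also covers the ideographic space U+3000, so a Japanese
    phrase with no separators at all counts as one word."""
    text = typed.strip()
    if not text:
        return False
    return not any(ch.isspace() for ch in text)


def decode_label(label: str) -> str:
    """Assumption of this example: a non-ASCII term reaches DNS as an IDNA
    label, so decode xn-- labels back to the text the user typed."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: show the raw label
    return label


# Constructed log line format for this example: "<timestamp> <client> <qname> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def find_leaked_terms(log_lines: Iterable[str], known_hosts: Set[str]) -> List[Dict[str, str]]:
    """Flag single-label queries (no dot in the name) that are not known
    intranet hosts. A single-label query is exactly what the described
    one-word search leak produces; the allowlist is what lets a defender
    tell a leaked search term from a legitimate intranet lookup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        qname = m.group("qname").rstrip(".")
        if "." in qname:
            continue  # fully qualified name: ordinary browsing, not a leak
        if qname.lower() in {h.lower() for h in known_hosts}:
            continue
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "qname": qname,
            "decoded": decode_label(qname),
        })
    return hits


# Constructed sample data. The Japanese label is built by IDNA-encoding the
# phrase, which is the form this example assumes it would take on the wire.
JAPANESE_TERM = "日本語"
JAPANESE_LABEL = JAPANESE_TERM.encode("idna").decode("ascii")

SAMPLE_LOG = [
    "2021-10-22T11:31:02Z 10.0.0.12 www.example.com A",
    "2021-10-22T11:31:05Z 10.0.0.12 infosec-news A",
    "2021-10-22T11:31:09Z 10.0.0.12 wiki A",
    f"2021-10-22T11:31:14Z 10.0.0.12 {JAPANESE_LABEL} A",
    "2021-10-22T11:31:20Z 10.0.0.12 duckduckgo.com AAAA",
]

# Assumed allowlist of hosts the organisation really does reach by a bare name.
KNOWN_INTRANET_HOSTS = {"wiki"}


if __name__ == "__main__":
    for sample in ("infosec news", "infosec-news", "日本語のブラウザ"):
        print(f"{sample!r}: DNS lookup = {would_trigger_lookup(sample)}")
    for hit in find_leaked_terms(SAMPLE_LOG, KNOWN_INTRANET_HOSTS):
        print(f"{hit['ts']} {hit['client']} leaked single-label query "
              f"{hit['qname']!r} -> {hit['decoded']!r}")
```

Run against a real resolver log, the same scan gives a count of how much single-label traffic a network actually carries, which is the measurement both sides of the Bugzilla debate below are arguing about: bare names that belong to real intranet hosts go in the allowlist, and whatever remains is the population of probable leaked searches.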

The revelation appears to have given some impetus to Google's delayed fix. Covid-19 first delayed the repair, and a July 2020 update indicated that a fix was being attempted, but after that the associated Chromium bug tracker went quiet for a year.


In July 2021, a Chromium developer explained that the issue is more serious than the original report stated, because single-word search texts are far more common in Japanese [compared with] English.

He also noted that the way Chromium broadcasts a one-word search text on a Windows LAN means that "all IoT device[s] [in] my home" can hear the one-word search text.

Khuong told The Daily Swig that he had not been aware of this effect until now, and that there may be other, as yet undiscovered, effects. This also applies to Firefox, since the underlying mechanism is the same.

A decades-old feature

As The Daily Swig reported last year, the flaw appears to be a legacy of decades-old functionality that has the browser query the local DNS to distinguish between a search for a single word and an intent to visit a single-word local website of the kind used on private and enterprise networks.

Mozilla told The Daily Swig that it has no immediate plans to change the default behavior, as this legacy feature of the DNS system continues to be used.

However, in a related Bugzilla ticket, Tusing argued earlier this month that such a change would be "a reasonable default from a privacy perspective, as very few web users access such intranets."

Tightrope walk

Gregory Pappas has since argued that Tusing underestimates intranet usage and is proposing a solution that would further alienate enterprise users by forcing them to jump through more hoops to make the browser suitable for their needs.

Khuong, however, echoes Tusing's view that Mozilla underestimates the severity of the bug, prioritizes enterprise support over protecting user privacy, and discourages contributions from others.

Pappas added: "Privacy on the web is a balancing act, and Firefox is the only major browser that provides a setting for closing the hole."

Meanwhile, a member of the Chromium team indicated on September 14 that the issue would be fixed in Chrome within a few weeks by disabling the omnibox intranet redirect detection feature, alongside a number of other security fixes.

Khuong is not convinced by this proposal, however: enterprises that need the feature would still have the trouble of re-enabling it, which would again cause one-word searches to be sent as DNS lookups.

The researcher proposed an alternative fix in the bug thread on October 19 and is awaiting a reply.

Google did not respond to the request for comment, and Mozilla declined further comments.


