Mozilla Foundation Security Advisory 2015-52

Sensitive URL encoded information written to Android logcat

Announced

May 12, 2015

Reporter

Muneaki Nishimura

Impact

Moderate

Products

Firefox

Fixed in

Firefox 38

Description

Security researcher Muneaki Nishimura reported that Firefox for Android would write potentially sensitive data to the Android logcat that was encoded as part of logged URL strings. On Android 4.0 or earlier systems, logcat data is available to any application having READ_LOGS permission, leading to potential privacy violations.

This does not affect non-Android versions of Firefox and is mitigated in versions of Android higher than 4.0.

References

Mixed content violation log on Fennec leaks sensitive info in URL (CVE-2015-2714)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-52

Sensitive URL encoded information written to Android logcat

Description

References