Security/Reviews/F1 (round 2)

From MozillaWiki
Revision as of 15:32, 30 August 2011 by Bsterne

Items Reviewed

F1 :: retooled version of the link sharing service we looked at in May (https://wiki.mozilla.org/Security/Reviews/F1)

Introduce Feature (5-10 minutes)

  • method for allowing users to share content on their social networks & later email
    • currently only Twitter and FB
      • Twitter currently requires OAuth
  • F1 is now a mediator for the "share" activity
    • installs specialized webapps for facebook and twitter to bootstrap sharing

Differs from OWA (Open Web Application) because:

  • mediator for F1 is more elaborate than default for OWA
  • provides OAuth as an authentication api
    • pops up a login dialog
  • we would prefer to not use OAuth where possible (depends on service providers)
    • Yes, just "native" OWA if possible.

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • Attempting to make the sharing of web data easier for users
    • remove the NASCAR effect of sharing buttons on an item

What solutions/approaches were considered other than the proposed solution?

  • Client-server architecture of the previous version has been abandoned for a browser-only solution using OWA
  • possibly build F1 into OWA directly to avoid cross application issues

Why was this solution chosen?

  • better privacy protection for users
  • does not put Mozilla in a position to hold possibly private data / auth secrets for the user

Any security threats already considered in the design and why?

  • ^^ see previous discussion & OWA items

Threat Brainstorming (30-40 minutes)

  • Screenshot image leakage (potentially sensitive data shows up in screenshots that are shared)
    • only applies to email, which is not in the current implementation; might be dropped due to privacy concerns
    • Shane says probably it will just be pulled out.
  • Can arbitrary content invoke the OAuth flow/dialog?
    • as of right now yes, this is a property of the injector that needs to be fixed
    • by design no, this is due to reuse of injector code
      • good thing to test during implementation review/penetration testing
  • potential clickjacking due to dialog being displayed over content, possibly phishing also by mimicking the experience (particularly in full screen mode)
    • potential mitigation - exit fullscreen mode when dialog is shown
  • Starting Share/F1 (or any activity) could be the "new window.open()"
    • jstenback is the person to talk to about trusted events being required for startActivity
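The gating discussed in the last two items, written out as an added example (not F1 or OWA project code): a mediator entry point that only starts an activity from a trusted user gesture, and spends each gesture once, so page script cannot pop the share or OAuth dialog the way it abuses window.open(). The event shape and the `beginActivity` callback are assumptions; `isTrusted` is the real DOM property that the browser sets only on events it dispatched itself.

```javascript
// Added example, not part of the F1/OWA code base. Models a guard around a
// startActivity-style entry point: only a trusted activation event may start
// an activity, and each such event can start at most one.

// Event types treated as a user gesture for the purpose of starting an
// activity (assumption for this example; browsers keep a similar list).
const ACTIVATION_EVENTS = new Set(["click", "keydown", "keyup", "mousedown", "touchend"]);

function createActivityGuard(beginActivity) {
  // Remembers gestures that already started an activity, so one click cannot
  // be chained into many dialogs (the window.open() popup-spam pattern).
  const consumedEvents = new WeakSet();

  return function guardedStartActivity(activityName, event) {
    // Synthetic events (dispatchEvent, constructed objects) are not trusted.
    if (!event || event.isTrusted !== true) {
      return { started: false, reason: "untrusted-event" };
    }
    // Trusted but not a gesture (e.g. "load") still does not qualify.
    if (!ACTIVATION_EVENTS.has(event.type)) {
      return { started: false, reason: "not-an-activation-event" };
    }
    if (consumedEvents.has(event)) {
      return { started: false, reason: "gesture-already-used" };
    }
    consumedEvents.add(event);
    beginActivity(activityName);
    return { started: true, reason: null };
  };
}

// Constructed sample events standing in for what a browser would dispatch.
const started = [];
const startActivity = createActivityGuard((name) => started.push(name));
const userClick = { type: "click", isTrusted: true };
const syntheticClick = { type: "click", isTrusted: false }; // script-dispatched
const pageLoad = { type: "load", isTrusted: true };         // trusted, not a gesture

const results = [
  startActivity("share", userClick),      // starts the share activity
  startActivity("share", userClick),      // same gesture reused: refused
  startActivity("share", syntheticClick), // untrusted: refused
  startActivity("share", pageLoad),       // not an activation event: refused
];
```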

Conclusions / Action Items (10-20 minutes)

  • [scaraveo] Need to figure out if the temporary part for Twitter OAuth will end up in the product, or if we can cut it out before the first release.
  • [scaraveo] Final decision on screenshot thumbnail sharing
    • This decision will need to be communicated back to secteam
  • [scaraveo] bug to track fixing the OAuth flow/dialog/injector