The CVE-2023-4580 vulnerability allows attackers to obtain sensitive information from Firefox and Thunderbird users due to a security flaw that results in unencrypted push notifications being stored on a user's disk while in private browsing mode. This vulnerability affects Firefox versions prior to 117, Firefox ESR versions prior to 115.2, and Thunderbird versions prior to 115.2. This long-read post will discuss the exploit details, provide a code snippet, and link to original references.

Exploit Details

The central issue in this vulnerability involves the storage of push notifications on a user's disk while they are using the private browsing mode in Firefox and Thunderbird. When users enable private browsing mode, they expect their browsing activities and data to be protected against potential external intrusions.

However, due to a flaw in Firefox and Thunderbird's implementation of push notifications, these notifications are stored on disk without encryption, contrary to expectations. This potentially exposes a user's sensitive data to attackers with access to the user's disk.

Code Snippet

The following code snippet shows a site registering a service worker and subscribing to push notifications, which is the kind of push notification request made in the vulnerable versions of Firefox and Thunderbird:

// Registering the service worker that will receive push messages
navigator.serviceWorker.register('service-worker.js').then(function(reg) {
  console.log('Service worker registered.');

  // Requesting push notifications; return the promise so that
  // subscription errors reach the single catch() below
  return reg.pushManager.subscribe({ userVisibleOnly: true });
}).then(function(sub) {
  console.log('Endpoint URL: ' + sub.endpoint);
}).catch(function(error) {
  // Handles both registration and subscription failures
  console.error('Error: ' + error.message);
});

After receiving push notifications, the vulnerable versions of Firefox and Thunderbird store them on disk in plain text, where they could be accessed by unauthorized parties.

Mitigation

To fix this vulnerability, it is essential to update your Firefox and Thunderbird software to the latest versions. The appropriate versions are:

Firefox 117 or later

Firefox ESR 115.2 or later

Thunderbird 115.2 or later

Updating your software will protect your sensitive information and ensure that push notifications are encrypted and stored securely while you are using private browsing mode.
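To check an inventory of installed versions against the fixed releases listed above, the following Node.js sketch can be used. It is an added example, not code from the original post or from Mozilla; the function names are hypothetical, and it assumes version strings in the form "Mozilla Firefox 115.1.0esr", as printed by the products' --version option.

```javascript
// Added example: fixed releases as stated in this post (anything lower is affected).
const FIXED_IN = {
  'firefox': [117, 0, 0],
  'firefox-esr': [115, 2, 0],
  'thunderbird': [115, 2, 0],
};

// Parse a line such as "Mozilla Firefox 115.1.0esr" (assumed --version format).
// Returns null for anything unrecognised, e.g. beta strings like "117.0b9",
// so that those are reported as "unknown" instead of being guessed at.
function parseVersionLine(line) {
  const m = /^\s*(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+(?:\.\d+){0,2})(esr)?\s*$/i.exec(line);
  if (!m) return null;
  const name = m[1].toLowerCase();
  const version = m[2].split('.').map(Number);
  while (version.length < 3) version.push(0); // "117.0" -> [117, 0, 0]
  const product = name === 'firefox' && m[3] ? 'firefox-esr' : name;
  return { product, version };
}

// Numeric, component-wise comparison (a string compare would rank "115.10" below "115.2").
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Hypothetical helper: classify one version line as affected, fixed or unknown.
function checkCve20234580(line) {
  const parsed = parseVersionLine(line);
  if (!parsed) return { status: 'unknown', input: line };
  const fixedIn = FIXED_IN[parsed.product];
  const status = compareVersions(parsed.version, fixedIn) < 0 ? 'affected' : 'fixed';
  return { status, product: parsed.product,
           version: parsed.version.join('.'), fixedIn: fixedIn.join('.') };
}

// Constructed sample inventory (not real host data).
const samples = ['Mozilla Firefox 116.0.3', 'Mozilla Firefox 115.1.0esr',
                 'Mozilla Firefox 115.2.0esr', 'Mozilla Thunderbird 115.1.1',
                 'Mozilla Firefox 117.0b9'];
for (const line of samples) {
  const r = checkCve20234580(line);
  console.log(`${line} -> ${r.status}` + (r.fixedIn ? ` (fixed in ${r.fixedIn})` : ''));
}
```

Lines reported as "unknown" need manual review, since the sketch deliberately does not interpret pre-release or vendor-modified version strings.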

Original References

1. Mozilla Security Advisory
2. National Vulnerability Database (NVD) Entry
3. Common Vulnerabilities and Exposures (CVE) Entry

Conclusion

CVE-2023-4580 is a critical vulnerability affecting Firefox and Thunderbird users' privacy expectations while browsing in private mode. The security flaw allows attackers to capture sensitive information from unencrypted push notifications stored on disk. To mitigate this vulnerability, users should update their Firefox and Thunderbird software to the latest, secure versions. By doing so, they can ensure that their browsing experience is safe and that their private data is protected from potential intruders.

Timeline

Published on: 09/11/2023 09:15:00 UTC
Last modified on: 09/14/2023 03:53:00 UTC