Tor Browser issueshttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues2023-01-05T18:05:48Zhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41403Some visited addresses are stored inside notificationstore.json in the profil...2023-01-05T18:05:48Zcypherpunks1Some visited addresses are stored inside notificationstore.json in the profile folderMight be related: https://bugzilla.mozilla.org/show_bug.cgi?id=1095073
The file persists after closing the browser.
Visiting the following address can create one if it doesn't exist:
https://privacycheck.sec.lrz.de/active/fp_fd/fp_fea...Might be related: https://bugzilla.mozilla.org/show_bug.cgi?id=1095073
The file persists after closing the browser.
Visiting the following address can create one if it doesn't exist:
https://privacycheck.sec.lrz.de/active/fp_fd/fp_feature_detection.html
The file will get bigger after each visit. That doesn't seem secure.Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40976On macOS a list of downloaded files is kept on disk and survives New Identity2022-11-29T13:39:51ZGeorg KoppenOn macOS a list of downloaded files is kept on disk and survives New IdentityOn macOS a list of downloaded files is kept and survives New Identity. It might affect other platforms, too:
```
Mac [...] keeps a list of all the downloaded files. From which app(browser) and which website.
Location:
sqlite3 ~/Library/...On macOS a list of downloaded files is kept and survives New Identity. It might affect other platforms, too:
```
Mac [...] keeps a list of all the downloaded files. From which app(browser) and which website.
Location:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select * from LSQuarantineEvent’
52FA128A-42E1-41E6-A0DD-5A58FB21ED7A|550679062.0|org.torproject.torbrowser|TorBrowser.app|https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSP6KTk9o7luHrlg5CoeGFLiH2RpKwEcywcgdDeVQpciZzytjaafDzkKL0v|||0||https://www.google.com/search?q=snowmountains&tbm=isch&sa=G&gbv=1&sei=h3oiW_DkC8yFgAadrJLQBQ|
```Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40975Disk leak on macOS due to Notification API2023-10-12T11:29:31ZGeorg KoppenDisk leak on macOS due to Notification APIKonark Modi reported a while ago a disk leak at least on macOS due to the Notification API. Here is the bug report:
```
The leak is cause by: https://www.w3.org/TR/notifications/ API.
Steps to reproduce:
1. Visit http://www.bennish.net/...Konark Modi reported a while ago a disk leak at least on macOS due to the Notification API. Here is the bug report:
```
The leak is cause by: https://www.w3.org/TR/notifications/ API.
Steps to reproduce:
1. Visit http://www.bennish.net/web-notifications.html
2. Temporarily allow JS.
3. Click on Authorize button.
4. Click on Show button.
5. Notification should occur.
macOS by default saves these notification in`/private/var/folders/qs/54swlb5d1fx4hq969vdqg4rr0000gn/0/com.apple.notificationcenter/db` . It dumps the content of the notification and the website name.
This location can be found using:
Activity Monitor -> Search for process user noted -> Open files and ports -> Notifications DB.
Now, although the user opted in to these notifications, but this is an intended leak from OS level.
```Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40207Tor Browser is writing to Windows registry on every start2022-11-30T15:19:24ZGeorg KoppenTor Browser is writing to Windows registry on every startI got a report from a cypherpunk:
```
https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Platform-Installation
Firefox is still writing to Windows Registry on every start:
Computer\HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firef...I got a report from a cypherpunk:
```
https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Platform-Installation
Firefox is still writing to Windows Registry on every start:
Computer\HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
There it stores all the paths TBB was started from.
That also allows an attacker to permanently disable Launcher Process
security feature, and even any hiccup can do/leads to it:
about:support
Launcher Process Disabled due to failure
```Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40054Investigate disabling disk caching of shaders2023-01-05T16:25:29ZMark SmithInvestigate disabling disk caching of shadersFrom #33534: Firefox 75 implemented more aggressive caching of shaders to disk. We should verify this does not happen in private browsing mode (or that the shaders being cached are not from web content).
https://bugzilla.mozilla.org/sho...From #33534: Firefox 75 implemented more aggressive caching of shaders to disk. We should verify this does not happen in private browsing mode (or that the shaders being cached are not from web content).
https://bugzilla.mozilla.org/show_bug.cgi?id=1614679 \
"Cache shaders to disk even if they are compiled after the 10th frame"Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29887Potential user activity data leak2023-01-05T17:32:42ZTracPotential user activity data leakThe user preferences file at ./Browser/TorBrowser/Data/Browser/profile.default/prefs.js contains data that can be used to tie anonymous activity via Tor in a certain time period to a particular user. This information may serve as additio...The user preferences file at ./Browser/TorBrowser/Data/Browser/profile.default/prefs.js contains data that can be used to tie anonymous activity via Tor in a certain time period to a particular user. This information may serve as additional evidence and help repressive regimes to identify activists and whistleblowers.
The most sensitive data is contained in the following parameters:
* toolkit.startup.last_success - time of last successful browser startup.
* browser.laterrun.bookkeeping.profileCreationTime - profile creation time, i.e. when this browser was started for the first time.
All other parameters listed below are regularly updated during the browser's run. Given their quantity, they may serve as a pretty reliable indication of when this particular user was online.
* app.update.lastUpdateTime.addon-background-update-timer
* app.update.lastUpdateTime.background-update-timer
* app.update.lastUpdateTime.blocklist-background-update-timer
* app.update.lastUpdateTime.browser-cleanup-thumbnails
* app.update.lastUpdateTime.experiments-update-timer
* app.update.lastUpdateTime.search-engine-update-timer
* app.update.lastUpdateTime.xpi-signature-verification
* extensions.blocklist.lastModified
* extensions.torbutton.lastUpdateCheck
* idle.lastDailyNotification
* media.gmp-manager.lastCheck
* places.database.lastMaintenance
* storage.vacuum.last.places.sqlite
* app.update.lastUpdateTime.xpi-signature-verification
If there are any other such parameters, they may pose a security risk as well.
As a possible solution, we propose that these parameters should not be updated at all, and the browser should treat every time it is run as the first.
**Trac**:
**Username**: pf.teamSponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26080torbrowser 7.5.4 update seems to generate file with unique uuid in it2022-11-29T14:28:02Zcypherpunkstorbrowser 7.5.4 update seems to generate file with unique uuid in itupdating from 7.5.3 to 7.5.4 on linux seems to include a file named '.uuid' in the fonts dir that appears to be unique (comparing two different updated torbrowsers)updating from 7.5.3 to 7.5.4 on linux seems to include a file named '.uuid' in the fonts dir that appears to be unique (comparing two different updated torbrowsers)Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41009ESR102: ensure download improvements don't exacerbate disk leaks2023-12-04T14:10:36ZThorinESR102: ensure download improvements don't exacerbate disk leaks@richard FYI and also labels please: `FF102-esr`, `Disk Leak` , @pierov FYI
ESR102 introduces changes to download behavior and use of `/tmp/`
- e.g. see this very noisy [1738574](https://bugzilla.mozilla.org/show_bug.cgi?id=1738574) and...@richard FYI and also labels please: `FF102-esr`, `Disk Leak` , @pierov FYI
ESR102 introduces changes to download behavior and use of `/tmp/`
- e.g. see this very noisy [1738574](https://bugzilla.mozilla.org/show_bug.cgi?id=1738574) and just skip to comments by Gijs
- btw, that bugzilla introduces a new pref to revert the behavior
Note: https://bugzilla.mozilla.org/show_bug.cgi?id=1738574#c40 from Gijs
> If you pick "open with Firefox" as the default action for PDFs, we'll open them directly from the internet in almost all cases (there are some edgecases to be worked out, cf. ~~bug 1742648~~), without storing anything on disk in the first place.
>
> So to be clear, we tried not to change the default action for PDFs. We changed it for most other mimetypes, but not PDFs (nor any other filetypes set to "open in Firefox" by default)
We should make sure that any download improvements since the last ESR, don't create disk leaks. IDK if PB mode does anything special here. I haven't worked through all the variables, and it gets a little convoluted - hence opening this ticket to make sure we address itSponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40986Clean up profile directory during New Identity2022-11-30T16:43:30ZGeorg KoppenClean up profile directory during New IdentityAt CCCamp 2019 a cypherpunk approached me proposing that we try to clean up the profile directory as well as good as we can during New Identity.
I think I like the general idea of doing a more aggressive cleaning (from time to time) in ...At CCCamp 2019 a cypherpunk approached me proposing that we try to clean up the profile directory as well as good as we can during New Identity.
I think I like the general idea of doing a more aggressive cleaning (from time to time) in the profile directory in particular if users are requesting a New Identity. I am not sure yet, though, whether we want to have this mechanism during New Identity as this one is usually more concerned with stuff that is risk exposing previous browsing sessions to *web content*. Which is clearly not the case for worries about the profile directory which are concerned with a local attacker.Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40980NoScript XSS user choices are persisted2023-01-05T16:24:12ZTracNoScript XSS user choices are persistedWhenever user chooses 'Always allow' or 'Always block' in one of the NoScript XSS popups the setting is persisted in `storage-sync.sqlite` file and this is never cleared on browser startup as the rest of NoScript preferences.
The full p...Whenever user chooses 'Always allow' or 'Always block' in one of the NoScript XSS popups the setting is persisted in `storage-sync.sqlite` file and this is never cleared on browser startup as the rest of NoScript preferences.
The full persisted object can be inspected via `about:debugging` -> Debug Noscript -> `browser.storage.sync.get('xssUserChoices')`.
I understand this is not intended behaviour, since NoScript default is to not persist user choices (clearing them up on browser start).
**Trac**:
**Username**: atacSponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40766disk avoidance: SSSS.txt is not sanitized on session close, records "some" si...2023-04-25T16:58:35ZThorindisk avoidance: SSSS.txt is not sanitized on session close, records "some" site URLS and timestamps### STR
- with TB closed (I used stable alpha), open `SiteSecurityServiceState.txt` (SSSS) in your profile, blank it, save it
- start TB
- go to https://firstlook.org/theintercept/
- I did this twice, the second time was with prioriti...### STR
- with TB closed (I used stable alpha), open `SiteSecurityServiceState.txt` (SSSS) in your profile, blank it, save it
- start TB
- go to https://firstlook.org/theintercept/
- I did this twice, the second time was with prioritized onions but IDThink it matters since the https site has to load first anyway
- close TB (this forces writes to SSSS and will save you lots of time)
- open SSSS
- it contains timestamps and HSTS site info
here's mine
```
versioncheck-bg.addons.mozilla.org:HSTS 0 18988 1640586546830,1,0,2
o.prod.theintercept.com:HSTS 0 18988 1640673010997,1,1,2
aus1.torproject.org:HSTS 0 18988 1656354740558,1,0,2
theintercept.com:HSTS 0 18988 1656354609146,1,1,2
```
I don't think privileged/system ones from extensions/apps matter, but websites being listed is an issue IMO. I loaded about a dozen websites (including intercept and torproject prioritizing onions), and this was the only one that landed [1]
In my test suite, all the Firefox SSSS's are blanked because all my FF profiles are set to sanitize on close and the one HSTS is linked to is "site settings" - however, that is not available in options when in TB which uses PB Mode (and I doubt the prefs would work anyway)
[1] which is weird because I included TZP in that and TZP was listed in some of my TB test suite profiles so IDK who/how/what gets written there - it seems to only ever be eTLD/+1's, never third parties
[2] see image my test suite - the TB ones are now blank, because I did that before testing, so I can't look anything up retro-actively (and I only ever use these to load TZP), but given I can STR I don't care :smile: But I do have 34 up-to-date alphas for the other 34 languages should anyone want me to look
<details><summary> [2] click me for long image</summary><p>
sorry, I am too lazy to edit it, scroll to the end to see the TB entries, clearly been happening since at least ESR60-based
![hmmm](/uploads/e5597eba659506e5468548ff001192ab/hmmm.png)
</p></details>Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23664Deal with UUID for content sandbox temp folder on Windows and Mac2024-01-05T16:08:12ZGeorg KoppenDeal with UUID for content sandbox temp folder on Windows and Maccomment:56:ticket:16010 mentioned:
```
Very important side issue is that the sandboxing feature adds `security.sandbox.content.tempDirSuffix` pref which is a 128-bit GUID that allows to uniquely identify your copy of Tor Browser. It is p...comment:56:ticket:16010 mentioned:
```
Very important side issue is that the sandboxing feature adds `security.sandbox.content.tempDirSuffix` pref which is a 128-bit GUID that allows to uniquely identify your copy of Tor Browser. It is persistent and leaves unique traces on every machine you use in system %TEMP% folder.
```
We should find a good way dealing with that. Maybe a first start is to set the pref, so that every Windows user has the same sandbox temp dir name.Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42462investigate mpris + disk data2024-03-16T18:53:58ZThorininvestigate mpris + disk dataAFAICT [this](https://searchfox.org/mozilla-central/search?q=mpris&path=&case=false&regexp=false) is a linux (gtk?) thing - and at least with `media.hardwaremediakeys.enabled` creates video thumbnails - I have not tested or verified
cc ...AFAICT [this](https://searchfox.org/mozilla-central/search?q=mpris&path=&case=false®exp=false) is a linux (gtk?) thing - and at least with `media.hardwaremediakeys.enabled` creates video thumbnails - I have not tested or verified
cc @pierovhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42418TorBrowser leave trace on the Windows Event Log by default and there is no wa...2024-03-05T13:50:25ZcypherpunksTorBrowser leave trace on the Windows Event Log by default and there is no way to stop this!To be clear, Mozilla Firefox does same thing.
Steps.
1. Launch Tor Browser latest
2. Open "eventvwr.ms" (The event viewer of Windows)
3. Open "Windows Logs/Application"
You'll see tons of:
```
The description for Event ID 5 from sourc...To be clear, Mozilla Firefox does same thing.
Steps.
1. Launch Tor Browser latest
2. Open "eventvwr.ms" (The event viewer of Windows)
3. Open "Windows Logs/Application"
You'll see tons of:
```
The description for Event ID 5 from source Tor Browser Launcher cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
```https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42371ESR128: rethink/check new identity2024-01-18T15:10:11ZThorinESR128: rethink/check new identityWhen ESR128 comes round there will be data written to disk (in PBM) that needs to be sanitized/cleaned-up
cc @pierovWhen ESR128 comes round there will be data written to disk (in PBM) that needs to be sanitized/cleaned-up
cc @pierovhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42255lock pdfjs.disabled to false in stable2024-01-09T14:37:09ZThorinlock pdfjs.disabled to false in stablein FF116 [1838415](https://bugzilla.mozilla.org/show_bug.cgi?id=1838415) in [Don't spoof explicitly disabled pdfJS](https://phabricator.services.mozilla.com/D180938) RFP no longer ignores the pref `pdfjs.disabled`. The original RFP prote...in FF116 [1838415](https://bugzilla.mozilla.org/show_bug.cgi?id=1838415) in [Don't spoof explicitly disabled pdfJS](https://phabricator.services.mozilla.com/D180938) RFP no longer ignores the pref `pdfjs.disabled`. The original RFP protection was done to help against disk leaks and to provide a uniform fingerprint [1]
Given these two aspects, we should just lock the pref in stable release
[1] There are only two possible values for combined plugins, mimeTypes and pdfViewerEnabledhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42220Flip all the possible preferences to prevent any automatic download2023-11-01T18:10:30ZPier Angelo VendrameFlip all the possible preferences to prevent any automatic downloadWe should make sure that no automatic downloads happens.
In normal Firefox for example the webp images from our blog are downloaded automatically when you open them in new tabs.
Also, I think we could force our browsers to ignore [`Con...We should make sure that no automatic downloads happens.
In normal Firefox for example the webp images from our blog are downloaded automatically when you open them in new tabs.
Also, I think we could force our browsers to ignore [`Content-disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) (maybe we already do it, I haven't checked).https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42051Disable background downloading in private browsing mode2023-12-04T15:02:43ZrichardDisable background downloading in private browsing modeUpstream: https://bugzilla.mozilla.org/show_bug.cgi?id=438905
It is unexpected behaviour and a disk leak for downloads to start downloading *before* a user has actually agreed to a download. We should disable this feature when private b...Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=438905
It is unexpected behaviour and a disk leak for downloads to start downloading *before* a user has actually agreed to a download. We should disable this feature when private browsing mode is enabled.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41988Tor Browser history leaked to syslogs via GNOME2023-12-18T13:51:55ZhonortonTor Browser history leaked to syslogs via GNOME### Summary
Tab titles are sometimes logged by GNOME to `/var/log/syslog`, effectively causing browsing habits to persist on the system, even after closing Tor Browser. As Tor Browser does not save history by default, many users will not...### Summary
Tab titles are sometimes logged by GNOME to `/var/log/syslog`, effectively causing browsing habits to persist on the system, even after closing Tor Browser. As Tor Browser does not save history by default, many users will not expect this.
### Steps to reproduce:
1. Open a new Tor Browser window.
2. (optional) "Connect" to the Tor network and navigate to an arbitrary website.
3. Press the Super key (default) to open the GNOME activities menu.
4. Review syslog via `cat /var/log/syslog | grep -i "browser"`
### What is the current bug behavior?
I see results containing Tor Browser tab titles, such as the titles of opened websites.
### What is the expected behavior?
I expect not to see my visited website titles in any system file without my authorization.
More strongly, I don't expect GNOME (which may log all sorts of things) to require access to my visited website titles.
### Environment
- OS Version: Pop! OS 22.04
- GNOME Shell Version: 3.38.6
- Tor Browser Version: 12.5.2
- Tor Browser Installation Method: "Linux" binary from `https://www.torproject.org/download/`
### Relevant logs and/or screenshots
```
[/var/log/syslog]
[snip]
Aug 9 11:23:52 pop-os gnome-shell[2864]: Couldn't find child [0x5558d69f7880 Gjs_ui_windowPreview_WindowPreview ("cute cats at DuckDuckGo — Tor Browser")] in window slots
Aug 9 11:23:53 pop-os gnome-shell[2864]: Couldn't find child [0x5558d69f7880 Gjs_ui_windowPreview_WindowPreview:first-child last-child ("cute cats at DuckDuckGo — Tor Browser")] in window slots
Aug 9 11:27:28 pop-os gnome-shell[2864]: Couldn't find child [0x5558da9ea870 Gjs_ui_windowPreview_WindowPreview:first-child last-child ("[Wayland] [3.38.3] Shell freezes/stops reacting to most input (#3706) · Issues · GNOME / gnome-shell · GitLab — Tor Browser")] in window slots
Aug 9 11:27:31 pop-os gnome-shell[2864]: Couldn't find child [0x5558da9ea870 Gjs_ui_windowPreview_WindowPreview:first-child last-child ("[Wayland] [3.38.3] Shell freezes/stops reacting to most input (#3706) · Issues · GNOME / gnome-shell · GitLab — Tor Browser")] in window slots
[snip]
```Pier Angelo VendramePier Angelo Vendrame2023-11-13https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41897Password saved while not in PBM are hidden but not deleted while in PBM (can ...2023-11-13T17:15:44Zma1Password saved while not in PBM are hidden but not deleted while in PBM (can be recovered by disabling PBM back)Copy-pasting from HackerOne report n. 2070150, setting confidential initially for triaging but I personally don't think it should be hidden, even though worth discussing (maybe we should actually nuke all storage, including passwords, ev...Copy-pasting from HackerOne report n. 2070150, setting confidential initially for triaging but I personally don't think it should be hidden, even though worth discussing (maybe we should actually nuke all storage, including passwords, every time PBM is flipped).
Also, could reproduce on 102.x but cannot reproduce on 115 because saving passwords seems broken there. You click "Save" but the same exception as cancelling is thrown:
```
NS_ERROR_ABORT: User canceled primary password entry
encrypt resource://gre/modules/crypto-SDR.sys.mjs:87
_encryptLogin resource://gre/modules/storage-json.sys.mjs:825
addLogin resource://gre/modules/storage-json.sys.mjs:186
addLogin resource://gre/modules/LoginManager.sys.mjs:323
persistData resource://gre/modules/LoginManagerPrompter.sys.mjs:441
callback resource://gre/modules/LoginManagerPrompter.sys.mjs:531
_onButtonEvent resource://gre/modules/PopupNotifications.sys.mjs:1928
oncommand chrome://browser/content/browser.xhtml:1
PopupNotifications.sys.mjs:1934:17
_onButtonEvent resource://gre/modules/PopupNotifications.sys.mjs:1934
oncommand chrome://browser/content/browser.xhtml:1
```
Depending on how we feel about the password manager in general, will open another issue for that or one to disable/hide it completely.
/cc @richard, @pierov
**Recover passwords stored when private browsing mode was disabled, after re-enabling private browsing mode and about:logins stating no login credentials exist.**
**Steps To Reproduce:**
Machine used: MacBook Pro 2020 M1
Download Tor Browser (Latest Version) for Mac OS (Latest Version: Ventura 13.4.1)
Enable ‘Always connect automatically’ and click ‘Connect’
Navigate to about:preferences#privacy
Disable ‘Always use private browsing mode’ and restart the browser when prompted.
Navigate to about:logins
Click ‘Create New Login’ and enter ‘eff.org’ into the Website address, ‘test’ into the Username, and ‘test’ into the Password. Then click save.
Navigate to about:preferences#privacy
Enable ‘Always use private browsing mode’ and restart the browser when prompted.
Navigate to about:logins and verify there are no passwords stored.
Navigate to about:preferences#privacy
Disable ‘Always use private browsing mode’ and restart the browser when prompted.
Navigate to about:logins
You can now view the login to eff.org and password, which you thought had been deleted.
**Actual behaviour:** Login credentials that were created when private browsing mode was disabled can be recovered, even after re-enabling private browser mode and the about:logins displaying no login credentials exist in Tor Browser.
**Expected behaviour:** Login credentials automatically clear when re-enabling private browser mode, after creating login credentials with private browser mode disabled.
**Impact**
An attacker could recover any passwords that the user stored when private browsing was disabled, even if a user re-enabled private browsing. The user may verify about:logins and assume their logins have been deleted, which may not be true. This attack assumes an attacker has full access and control of a users device.ma1ma1