When built-in password manager is opened, Brave connects to all sites in the list in order to fetch favicon data #42955

Closed
3 of 6 tasks
Brave-Matt opened this issue Dec 18, 2024 · 4 comments · Fixed by brave/brave-core#27066

Comments

@Brave-Matt

Description

A user recently brought to our attention that the Password manager in the browser will connect to all the sites in the list of saved passwords when the brave://password-manager/passwords page is opened. It appears to do this simply to fetch the favicons for those sites to be displayed on the page.

While these connections are not malicious/nefarious, it is certainly not a great look given Brave's stance on privacy. It is at least worth discussing changing this behavior and/or removing the favicons from the page so that these connections are not made.

cc @fmarier

Steps to reproduce

  1. Launch a network analyzer (mitmproxy, Little Snitch, Wireshark, etc.)
  2. Launch Brave, open password manager page
  3. Observe browser connecting to each site

Actual result

Brave connects to all sites in the list

Expected result

Brave should not connect to these sites every time

Reproduces how often

Easily reproduced

Brave version (brave://version info)

1.73.101

Channel information

  • release (stable)
  • beta
  • nightly

Reproducibility

  • with Brave Shields disabled
  • with Brave Rewards disabled
  • in the latest version of Chrome

Miscellaneous information

Original user report:
https://community.brave.com/t/brave-needs-to-stop-contacting-every-website-in-my-password-manager/587282/3

@rebron
Collaborator

rebron commented Dec 18, 2024

cc: @goodov

rebron added the QA/Yes, priority/P3 (The next thing for us to work on. It'll ride the trains.) and release-notes/include labels on Dec 18, 2024

@goodov
Member

goodov commented Dec 19, 2024

https://chromium-review.googlesource.com/c/chromium/src/+/4032157

The added cr-auto-img element logic needs to be disabled; the favicon div should be the main source of the icon (it only uses locally-cached icons).


@goodov
Member

goodov commented Dec 19, 2024

cc @fallaciousreasoning any chance someone more familiar with webui overrides can pick this up?

brave/brave-core#27066

@MadhaviSeelam

MadhaviSeelam commented Jan 30, 2025

Verification PASSED using

| Brave | 1.75.171 Chromium: 132.0.6834.160 (Official Build) (64-bit) |
| -- | -- |
| Revision | d4d146998a285171ea57c3b75c52c7819901571a |
| OS | Windows 11 Version 24H2 (Build 26100.2894) |

Reproduced the issue in 1.73.101 Chromium: 131.0.6778.139 (Official Build) (64-bit) using the STR from #42955 (comment)


Confirmed no connections are shown when built-in password manager is opened

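A way to turn the reproduction and verification steps in this thread into a repeatable check, as an added example that is not part of the issue or of Brave's code: it correlates hostnames seen by the network analyzer with the saved-password list. The `(timestamp, hostname)` capture layout, the 10-second window and all sample data are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def saved_hosts(origins):
    """Lowercased hostnames of the saved-login origins (port and path dropped)."""
    hosts = set()
    for origin in origins:
        host = urlsplit(origin).hostname
        if host:
            hosts.add(host.rstrip("."))
    return hosts

def check_capture(origins, connections, opened_at, window=10.0):
    """Correlate a capture with the saved-password list.

    connections: (timestamp_seconds, hostname) pairs exported from the network
    analyzer; this layout is an assumption, adapt it to your tool's export.
    Returns the saved hosts contacted within `window` seconds of opening the
    password manager page, and the share of the saved list they represent.
    """
    targets = saved_hosts(origins)
    contacted = set()
    for ts, host in connections:
        host = host.lower().rstrip(".")
        if opened_at <= ts <= opened_at + window and host in targets:
            contacted.add(host)
    coverage = len(contacted) / len(targets) if targets else 0.0
    return {"contacted": sorted(contacted), "coverage": coverage}

# Constructed sample data (not from the issue): three saved logins.
SAVED = ["https://example.com/login", "https://shop.example.org",
         "https://Mail.Example.net:8443/"]
OPENED_AT = 100.0  # time brave://password-manager/passwords was opened

# Constructed capture resembling the reported behaviour: every saved host is hit.
BEFORE = [(42.0, "example.com"),  # earlier browsing, outside the window
          (100.3, "example.com"), (100.4, "shop.example.org"),
          (100.4, "MAIL.example.net."), (101.0, "updates.example.invalid")]
# Constructed capture resembling the verified build: only unrelated traffic.
AFTER = [(100.9, "updates.example.invalid")]

if __name__ == "__main__":
    for name, capture in (("before", BEFORE), ("after", AFTER)):
        print(name, check_capture(SAVED, capture, OPENED_AT))
```

A coverage near 1.0 right after the page opens matches the behaviour reported here; an empty `contacted` list matches the verified result.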
