Security/privacy hole (?) New Tor session comes back with same cookies from last Tor session after latter closed #13113

Closed
aleqx opened this issue Dec 9, 2020 · 10 comments

@aleqx

aleqx commented Dec 9, 2020

Using 1.19.46 beta on Windows x64. It feels major enough to be something intended, but can't see why this would ever be intended behavior from a security/privacy perspective and the whole point behind having Tor sessions in Brave (with a new IP every time). Consider this:

  • start a tor session, get a new IP
  • login to website A, get some cookies from it
  • close tor session
  • start a new tor session, get a new IP
  • login to the same website A, cookies from first tor session are still there and sent to the website (login session still active on website A)

I believe cookies should be wiped when closing down the Private Tor window, just as they are when closing down a normal Private window.

I can't clear them either after starting a new Tor session, because Ctrl-Shift-Delete doesn't work in Tor private windows.

If not, then getting a new IP is rather pointless ... what am I missing?

@darkdh
Member

darkdh commented Dec 9, 2020

It is a bug introduced by brave/brave-core#7069 and it will get fixed by this upstream commit (https://chromium-review.googlesource.com/c/chromium/src/+/2434925/6/chrome/browser/ui/browser.cc#605) when we upgrade to C88. We just landed the C88 upgrade PR in master.

@aleqx
Author

aleqx commented Dec 9, 2020

So no bounty for me then, darn :)

@darkdh darkdh self-assigned this Dec 10, 2020
@darkdh
Member

darkdh commented Dec 10, 2020

fixed by brave/brave-core#6957

@darkdh
Member

darkdh commented Dec 10, 2020

Test plan:

  1. Open Tor window
  2. Visit http://www.whatarecookies.com/cookietest.asp
  3. Refresh the page, you should see the website knows you visited two times by cookie
  4. Close Tor window
  5. Open Tor window and visit http://www.whatarecookies.com/cookietest.asp again
  6. The page shows a new cookie is created

or use the STR @aleqx reported

@aleqx
Author

aleqx commented Dec 10, 2020

> fixed by brave/brave-core#6957

How long till that makes it into Brave beta?

@darkdh
Member

darkdh commented Dec 10, 2020

cc @bsclifton

@bsclifton
Member

@aleqx Stable will get Chromium 88 on January 19th; Beta will get it earlier. We're working out bugs on Nightly at the moment and there's a big refactor that we need to pull in. I'd expect by late December / early January we should have something on Beta 😄

@kjozwiak
Member

Moving this into 1.19.x as per #13113 (comment) but labelled as QA/No as this will need a 1.19.x with C88 👍

@LaurenWags
Member

Removing QA/Blocked as 1.19.82 is available with Chromium 88.

@LaurenWags
Member

LaurenWags commented Jan 13, 2021

Verified passed with

Brave	1.19.82 Chromium: 88.0.4324.79 (Official Build) dev (x86_64)
Revision	bd1e9353659b2491dac971226a973ca3b5684a14-refs/branch-heads/4324@{#1520}
OS	macOS Version 10.15.7 (Build 19H15)

Reproduced issue using STR from #13113 (comment) on 1.19.x version with Chromium 87:

Brave	1.19.81 Chromium: 87.0.4280.141 (Official Build) dev (x86_64)
Revision	9f05d1d9ee7483a73e9fe91ddcb8274ebcec9d7f-refs/branch-heads/4280@{#2007}
OS	macOS Version 10.15.7 (Build 19H15)

Re-ran STR from #13113 (comment) on clean and upgraded profiles using 1.19.82. Confirmed new cookie was created with second Tor window as expected.


Verification passed on

Brave 1.19.82 Chromium: 88.0.4324.79 (Official Build) dev (64-bit)
Revision bd1e9353659b2491dac971226a973ca3b5684a14-refs/branch-heads/4324@{#1520}
OS Ubuntu 18.04 LTS

Reproduced the issue with 1.19.81.

Verified test plan from #13113 (comment) on clean and upgraded profiles. Verified new cookie was created with second Tor window as expected.


Verification passed on


Brave | 1.19.83 Chromium: 88.0.4324.79 (Official Build) (64-bit)
-- | --
Revision | bd1e9353659b2491dac971226a973ca3b5684a14-refs/branch-heads/4324@{#1520}
OS | Windows 10 OS Version 2004 (Build 19041.685)

