Opened 4 years ago

Closed 4 years ago

#14560 closed defect (duplicate)

Tor Browser: Font probing vulnerability using dynamically generated iframes

Reported by: Peter_Baumann_TUD Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords: tbb-fingerprinting
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Hello,

I'm a computer science student at TU Darmstadt, Germany, and as a part of my Master Thesis about the development of browser fingerprinting countermeasures I examined the anti-fingerprinting capabilities of Tor Browser. As a result of this examination I found a flaw in the protection against font probing that can be used to probe for an inexhaustible amount of fonts. I developed a small JavaScript application that can test for more than 600 fonts in less than a second (see attached). This vulnerability poses a risk to a user's privacy, as it can potentially be used to track users over the course of several browser sessions and among various websites.

Description:

Tor Browser limits the total number of fonts that can be used in a document. By default, a document can use 10 fonts. So if a fingerprinter tries to probe for more than 10 fonts, he is only told that these fonts are missing.
However, this design has a flaw, as it didn't consider that iframes also have their own document body. Therefore, in order to circumvent this limitation, a fingerprinting script might dynamically generate an iframe for each package of 10 fonts and probe for their existence, until all fonts have been probed for.

Note: The maximum number of possible fonts can be changed by the user. The fingerprinting script could easily probe for this threshold, as I found out that an already loaded font can't be loaded again, once this limit is reached.

The script:

I implemented a small script based on this observation. It creates iframes and probes for 10 fonts, using the HTML5 canvas element and the function measureText() provided by JavaScript. I assume that this approach also works with the classical implementation using CSS + JS, but I leave the experiments to someone else.
For the script and a screenshot see the appended files.
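The budget problem the report describes can be seen without a browser at all. The following is an added example, not the reporter's attached script and not Tor Browser code: a toy model of a per-document font budget, the iframe batching described above, and a comparison of two ways of scoping that budget. The font names and the "installed" set are constructed, the budget rule (every distinct font name requested costs one slot, whether or not the font exists) is a simplification rather than the browser's real accounting, and the "shared per top-level page" scope is an assumed mitigation used to illustrate the point, not the fix that was actually shipped.

```javascript
// Added example: a toy model of a per-document font budget and of the
// "one iframe per 10 fonts" probing loop. Nothing here touches real fonts.

// Constructed "installed" set and candidate list (the real script used 600+ names).
const INSTALLED = new Set(["Arial", "Verdana", "Courier New", "Georgia"]);
const CANDIDATES = [];
for (let i = 0; i < 30; i++) CANDIDATES.push(`Font${i}`);
// Scatter the installed fonts across three batches of ten.
CANDIDATES[2] = "Arial";
CANDIDATES[13] = "Verdana";
CANDIDATES[25] = "Courier New";
CANDIDATES[27] = "Georgia";

class FontBudget {
  constructor(limit) {
    this.limit = limit;          // e.g. the default of 10 fonts per document
    this.used = new Map();       // scope -> Set of distinct font names charged to it
  }
  // Returns true only if `font` is installed AND the scope still has budget.
  // Once the budget is exhausted the caller gets the fallback font, which is
  // indistinguishable from "font not installed" to a measureText()-style probe.
  // Simplification (assumed): a distinct name costs a slot even if it does not exist.
  request(scope, font) {
    let set = this.used.get(scope);
    if (!set) { set = new Set(); this.used.set(scope, set); }
    if (!set.has(font)) {
      if (set.size >= this.limit) return false;   // budget exhausted: fallback
      set.add(font);
    }
    return INSTALLED.has(font);
  }
}

// Simulates the reported loop: a fresh iframe for every `batch` fonts.
// `scopeOf(frameIndex)` decides which counter a frame's requests are charged to.
function probeAll(limit, batch, scopeOf) {
  const budget = new FontBudget(limit);
  const found = [];
  CANDIDATES.forEach((font, i) => {
    const frame = Math.floor(i / batch);
    if (budget.request(scopeOf(frame), font)) found.push(font);
  });
  return found;
}

// The flawed scope from the report: each iframe document owns a separate budget.
const perFrame = (frame) => `iframe-${frame}`;
// Assumed mitigation for illustration: every frame is charged to the top-level page.
const perPage = () => "top-level-page";

function demo() {
  return {
    perFrame: probeAll(10, 10, perFrame),   // learns all four installed fonts
    perPage: probeAll(10, 10, perPage),     // learns only what the first 10 requests reveal
  };
}

console.log(demo());
```

With a per-frame budget the probe recovers every installed font because each batch of ten starts with a fresh counter; with the counter charged to the top-level page, the same loop can only learn the status of the first ten names it asks for, which is the behaviour the 10-font limit was meant to provide. The reporter's note that the limit is user-configurable applies to the model too: only the `limit` argument changes, not the shape of the leak.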

Child Tickets

Attachments (2)

tor_font_probing.html (9.5 KB) - added by Peter_Baumann_TUD 4 years ago.
Font probing script
torflaw.png (248.2 KB) - added by Peter_Baumann_TUD 4 years ago.


Change History (3)

Changed 4 years ago by Peter_Baumann_TUD

Attachment: tor_font_probing.html added

Font probing script

Changed 4 years ago by Peter_Baumann_TUD

Attachment: torflaw.png added

comment:1 Changed 4 years ago by gk

Keywords: tbb-fingerprinting added; Fingerprinting removed
Resolution: duplicate
Status: new → closed
Version: Tor: unspecified

Yes, this is a known issue. See: #12150 and comment:13:ticket:5798. Marking this as a duplicate.
