Opened 4 years ago

Closed 4 years ago

#14560 closed defect (duplicate)

Tor Browser: Font probing vulnerability using dynamically generated iframes

Reported by: Peter_Baumann_TUD
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-fingerprinting
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:



I'm a computer science student at TU Darmstadt, Germany, and as a part of my master's thesis on the development of browser fingerprinting countermeasures I examined the anti-fingerprinting capabilities of Tor Browser. As a result of this examination I found a flaw in the protection against font probing that can be used to probe for an inexhaustible number of fonts. I developed a small JavaScript application that can test for more than 600 fonts in less than a second (see attached). This vulnerability poses a risk to a user's privacy, as it can potentially be used to track users over the course of several browser sessions and across various websites.


Tor Browser limits the total number of fonts that can be used in a document. By default, a document can use 10 fonts. So if a fingerprinter tries to probe for more than 10 fonts, he is only told that these fonts are missing.
However, this design has a flaw, as it didn't consider that iframes also have their own document body. Therefore, in order to circumvent this limitation, a fingerprinting script might dynamically generate an iframe for each package of 10 fonts and probe for their existence, until all fonts have been probed for.

Note: The maximum number of possible fonts can be changed by the user. The fingerprinting script could easily probe for this threshold, as I found out that an already loaded font can't be loaded again once this limit is reached.

The script:

I implemented a small script based on this observation. It creates iframes and probes for 10 fonts per iframe, using the HTML5 canvas element and the measureText() function provided by JavaScript. I assume that this approach also works with the classical implementation using CSS + JS, but I leave the experiments to someone else.
For the script and a screenshot see the appended files.


Attachments (2)

tor_font_probing.html (9.5 KB) - added by Peter_Baumann_TUD 4 years ago.
Font probing script
torflaw.png (248.2 KB) - added by Peter_Baumann_TUD 4 years ago.


Change History (3)

Changed 4 years ago by Peter_Baumann_TUD

Attachment: tor_font_probing.html added

Font probing script

Changed 4 years ago by Peter_Baumann_TUD

Attachment: torflaw.png added

comment:1 Changed 4 years ago by gk

Keywords: tbb-fingerprinting added; Fingerprinting removed
Resolution: duplicate
Status: new → closed
Version: Tor: unspecified

Yes, this is a known issue. See: #12150 and comment:13:ticket:5798. Marking this as a duplicate.
