Opened 4 years ago

Closed 4 years ago

#16267 closed defect (fixed)

NoCaptcha Recaptcha is not working because of canvas fingerprint blocking

Reported by: szgal
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-usability-website
Cc: brade, mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Now, the browser is blocking canvas fingerprinting. But the new ReCaptcha is not working without it. When I try to solve a NoCaptcha on any site EXCEPT google.com, there is no dialog asking whether to allow reading the canvas, it simply fails. I know what I need to select, but I cannot see the pictures.
Repro steps:

  1. Run newest Tor Browser
  2. Visit a page with recaptcha, like this: http://www.codediesel.com/demos/google-recaptcha/
  3. Try to solve

Interestingly, it works on Google's page: http://www.google.com/recaptcha/api2/demo
Not-so-good workaround: Open network inspector, click checkbox, look for something like "payload" in network inspector, view response. Now you can see the images.
Workaround requiring modifications (I would like to have this option even if this bug is fixed): Allow user to disable canvas read blocking.

Attachments (1)

rcfix.js (2.0 KB) - added by cypherpunks 4 years ago.
Fix for reCaptcha

Change History (9)

comment:1 Changed 4 years ago by gk

Keywords: tbb-usability-website added
Milestone: TorBrowserBundle 2.3.x-stable
Priority: major → normal

comment:2 Changed 4 years ago by cypherpunks

> But the new ReCaptcha is not working without it.

I have examined its source code and I saw that it didn't use canvas fingerprinting. It uses canvas to draw an indicator (Android-like rotating circle).

Changed 4 years ago by cypherpunks

Attachment: rcfix.js added

Fix for reCaptcha

comment:3 Changed 4 years ago by mcs

I do not know enough about NoScript to evaluate the proposed fix. Kathy and I did examine this issue from a canvas fingerprinting perspective. It turns out that Google's JS code does access canvas data; it draws images to a canvas and then uses toDataURL() to pull out the data. Unfortunately, Tor Browser blocks access without showing a prompt on pages such as the www.codediesel.com demo because of the third-party relationship. The following was logged to the Browser Console (very long URL truncated for brevity):

On http://www.codediesel.com/demos/google-recaptcha/: blocked access to canvas image data from document https://www.google.com/recaptcha/api2/frame?c=03AHJ_VutAFy..., script from https://www.gstatic.com/recaptcha/api2/r20150604090638/recaptcha__en.js:268
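
Added example (not part of the ticket, rcfix.js, or Tor Browser's code): a small parser for the Browser Console message quoted in comment:3 that flags canvas reads blocked in a third-party document, the case where no prompt is shown. The function names are hypothetical, and the third-party test is a simplification that compares the last two host labels rather than consulting the Public Suffix List.

```javascript
// Added example: triage "blocked access to canvas image data" console lines.
const LINE_RE = /^On (\S+): blocked access to canvas image data from document (\S+), script from (\S+?):(\d+)$/;

function baseDomain(url) {
  // Assumption: naive registrable-domain guess; wrong for suffixes such as co.uk.
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

function parseCanvasBlock(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // not a canvas-block message
  const [, topLevel, documentUrl, scriptUrl, lineNo] = m;
  const thirdParty = baseDomain(topLevel) !== baseDomain(documentUrl);
  return {
    topLevelHost: new URL(topLevel).hostname,
    documentHost: new URL(documentUrl).hostname,
    scriptHost: new URL(scriptUrl).hostname,
    scriptLine: Number(lineNo),
    thirdParty,
    // Per comment:3, a third-party document is blocked without any prompt.
    promptPossible: !thirdParty,
  };
}

function summarize(lines) {
  // Count silently blocked reads per (top-level host, document host) pair.
  const counts = new Map();
  for (const line of lines) {
    const r = parseCanvasBlock(line);
    if (!r || !r.thirdParty) continue;
    const key = `${r.topLevelHost} <- ${r.documentHost}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// First line is the message quoted in comment:3 (URL truncated as in the ticket).
// Second line is constructed for the google.com demo page from the description.
const SAMPLE = [
  'On http://www.codediesel.com/demos/google-recaptcha/: blocked access to canvas image data from document https://www.google.com/recaptcha/api2/frame?c=03AHJ_VutAFy..., script from https://www.gstatic.com/recaptcha/api2/r20150604090638/recaptcha__en.js:268',
  'On http://www.google.com/recaptcha/api2/demo: blocked access to canvas image data from document https://www.google.com/recaptcha/api2/frame?c=PLACEHOLDER, script from https://www.gstatic.com/recaptcha/api2/r20150604090638/recaptcha__en.js:268',
];

for (const [pair, n] of summarize(SAMPLE)) console.log(`${pair}: ${n} silent block(s)`);
```
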

comment:4 Changed 4 years ago by mcs

Cc: brade mcs added

comment:5 Changed 4 years ago by cypherpunks

> it draws images to a canvas and then uses toDataURL()

Ah, yeah, really.

I thought a bit and now I know how to fix canvas fingerprinting for toDataURL.

  1. toDataURL must return not a data: URI, but a blob: URI. It won't break sites which use this URI to show the image to the user, but it will disallow deriving pixel data from it.
  2. It must only be allowed to be used as a URI for an image: in CSS, as src for IMG, etc. Using it in XHR or anything other than an image must be disallowed.

comment:6 Changed 4 years ago by cypherpunks

> I do not know enough about NoScript to evaluate the proposed fix.

NoScript just evaluates this on every page matching the template.

user_pref("noscript.surrogate.recaptcha.sources", "!*");

means every page with blocked scripts

noscript.surrogate.recaptcha.replacement is the source to evaluate. It replaces script-based reCAPTCHA with an iframe-based one.

comment:7 Changed 4 years ago by gk

Priority: normal → major

comment:8 Changed 4 years ago by szgal

Resolution: fixed
Status: new → closed

Now working in old version too. Maybe Google did something.