#21792 closed defect (fixed)

Make sure MediaError.message does not aid to fingerprinting

Reported by: gk
Owned by: arthuredelstein
Priority: High
Component: Applications/Tor Browser
Severity: Normal
Keywords: ff52-esr, tbb-fingerprinting, tbb-7.0-must-alpha, TorBrowserTeam201705R
Cc: brade, mcs

Description

MediaError got a new property message that might contain system information, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1322606 and https://github.com/mdn/dom-examples/blob/master/media/mediaerror/main.js.

We should find out whether that's the case and if so probably just remove that part.

Change History (16)

comment:1 Changed 18 months ago by gk

Keywords: tbb-7.0-must added

More tickets for 7.0.

comment:2 Changed 18 months ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Getting more tickets on our alpha radar.

comment:3 Changed 18 months ago by gk

Priority: Medium → High

Moving the investigation tickets to higher priority.

comment:4 Changed 18 months ago by arthuredelstein

Keywords: TorBrowserTeam201704R added
Status: new → needs_review

A MediaError object contains a single field, MediaError.code, with one of four possible values:

Name                         Val  Description
MEDIA_ERR_ABORTED            1    The fetching of the associated resource was aborted by the user's request.
MEDIA_ERR_NETWORK            2    Some kind of network error occurred which prevented the media from being successfully fetched, despite having previously been available.
MEDIA_ERR_DECODE             3    Despite having previously been determined to be usable, an error occurred while trying to decode the media resource, resulting in an error.
MEDIA_ERR_SRC_NOT_SUPPORTED  4    The associated resource or media provider object (such as a MediaStream) has been found to be unsuitable.

Checking for a MEDIA_ERR_DECODE or MEDIA_ERR_SRC_NOT_SUPPORTED error in principle might say something about the user's codecs. On the other hand, there are other very easy ways to test whether a Media Element is playing or not, so I'm not sure we are providing much additional protection by hiding these error codes. We would be wise to ensure that the available codecs are standardized for Tor Browser for each platform (Linux, Mac, Windows, Android).

Setting as review to see if my colleagues agree or disagree.

comment:5 in reply to:  4 ; Changed 18 months ago by mcs

Replying to arthuredelstein:

A MediaError object contains a single field, MediaError.code, with one of four possible values:
...

What about the message field? Is it always an empty string?

comment:6 in reply to:  5 Changed 18 months ago by arthuredelstein

Replying to mcs:

Replying to arthuredelstein:

A MediaError object contains a single field, MediaError.code, with one of four possible values:
...

What about the message field? Is it always an empty string?

Ugh, it seems I somehow got confused -- I realize now the main concern of this ticket is the message property, not the code property. I'll look into the message property.

comment:7 Changed 18 months ago by arthuredelstein

Owner: changed from tbb-team to arthuredelstein
Status: needs_review → accepted

comment:8 Changed 18 months ago by gk

Keywords: TorBrowserTeam201704 added; TorBrowserTeam201704R removed

comment:9 Changed 18 months ago by arthuredelstein

Keywords: TorBrowserTeam201704R added; TorBrowserTeam201704 removed
Status: accepted → needs_review

I did a lot of exploration of the code that generates MediaError.messages. I didn't find any that seemed likely to reveal any system information. On the other hand, I may have missed a case, and I can imagine more privacy-violating messages might be introduced in the future. So, to be safe, I wrote a patch that censors any messages when "privacy.resistFingerprinting" is enabled:

https://github.com/arthuredelstein/tor-browser/commit/21792

comment:10 in reply to:  4 Changed 18 months ago by cypherpunks

Replying to arthuredelstein:

Checking for a MEDIA_ERR_DECODE or MEDIA_ERR_SRC_NOT_SUPPORTED error in principle might say something about the user's codecs.

7.0a3 ends up with

[...] Error playing media:  MediaError { code: 4, message: "" } jwplayer.js:4:291

for any media, blocked by NoScript. message field looks like human-readable description of code field (not implemented by jwplayer yet?).

Last edited 18 months ago by cypherpunks

comment:11 Changed 18 months ago by gk

Keywords: TorBrowserTeam201705R added; TorBrowserTeam201704R removed

Moving review tickets to May.

comment:12 Changed 18 months ago by mcs

Cc: brade mcs added

Your patch looks okay, although it would be safer to return an empty string in aResult in the privacy.resistFingerprinting = true case.

comment:13 in reply to:  12 ; Changed 18 months ago by gk

Keywords: TorBrowserTeam201705 added; TorBrowserTeam201705R removed
Status: needs_review → needs_revision

Replying to mcs:

Your patch looks okay, although it would be safer to return an empty string in aResult in the privacy.resistFingerprinting = true case.

I agree. Could you please change that, Arthur?

comment:14 in reply to:  13 ; Changed 18 months ago by arthuredelstein

Keywords: TorBrowserTeam201705R added; TorBrowserTeam201705 removed
Status: needs_revision → needs_review

Replying to gk:

Replying to mcs:

Your patch looks okay, although it would be safer to return an empty string in aResult in the privacy.resistFingerprinting = true case.

I agree. Could you please change that, Arthur?

Yes, good point. Here is the changed patch:
https://github.com/arthuredelstein/tor-browser/commit/21792+1

comment:15 in reply to:  14 Changed 18 months ago by mcs

Replying to arthuredelstein:

Yes, good point. Here is the changed patch:
https://github.com/arthuredelstein/tor-browser/commit/21792+1

r=brade, r=mcs
Looks good.

comment:16 Changed 18 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks, applied to tor-browser-52.1.0esr-7.0-2 as commit 58d186df19450f9aef0423c71e78f6eaa17679f8.
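
A regression check for the behaviour this ticket settles on, as an added example that is not part of the ticket or of the Tor Browser patch: with privacy.resistFingerprinting enabled, a page should see an empty MediaError.message and a code that is one of the four defined values. The function names and the sample objects are assumptions constructed for illustration.

```javascript
// Added example; function names and sample objects are hypothetical.
const MEDIA_ERR_NAMES = {
  1: "MEDIA_ERR_ABORTED",
  2: "MEDIA_ERR_NETWORK",
  3: "MEDIA_ERR_DECODE",
  4: "MEDIA_ERR_SRC_NOT_SUPPORTED",
};

// Check one MediaError-like object: code must be one of the four defined
// values and message must be the empty string.
function checkMediaError(err) {
  const findings = [];
  const code = err ? err.code : undefined;
  const message = err ? err.message : undefined;
  if (!Object.prototype.hasOwnProperty.call(MEDIA_ERR_NAMES, String(code))) {
    findings.push("code is not one of the four defined values");
  }
  if (typeof message !== "string") {
    findings.push("message is missing or not a string");
  } else if (message !== "") {
    // Report only the length so the check itself does not copy the text around.
    findings.push("message is non-empty (" + message.length + " chars)");
  }
  return { codeName: MEDIA_ERR_NAMES[code] || null, ok: findings.length === 0, findings };
}

// Hook for a test page: record a result each time the element fires "error".
function watchMediaElement(mediaEl, results) {
  mediaEl.addEventListener("error", () => {
    results.push(checkMediaError(mediaEl.error));
  });
  return results;
}

// Constructed samples: the first mirrors the console output quoted in
// comment:10; the second is an invented non-empty message.
function runSamples() {
  return [
    checkMediaError({ code: 4, message: "" }),
    checkMediaError({ code: 3, message: "constructed decoder detail" }),
  ];
}
```

On a test page, `watchMediaElement` would be attached to an `<audio>` or `<video>` element that is given sources expected to fail, and every recorded result should have `ok` set to true when the pref is on.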
