Opened 10 months ago

Last modified 10 months ago

#28374 new defect

ensure RequestStorageId cannot be accessed remotely

Reported by: mcs Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, ff60-esr
Cc: Actual Points:
Parent ID: #28147 Points:
Reviewer: Sponsor:

Description

In https://bugzilla.mozilla.org/show_bug.cgi?id=1420836 (for Firefox 59), Mozilla added a GMP API that appears to return a machine identifier (maybe based on MAC address). Is there any chance this could be accessed by a remote site and used as a unique fingerprint? Or do we disable enough of EME/GMP code that this is not a concern?

Child Tickets

Change History (2)

comment:1 Changed 10 months ago by tom

Because this is an IPC method not available to Web Content, there doesn't seem to be any wiring to provide this to an actual website (especially with EME disabled.)

However, there probably isn't anything that intentionally stops a compromised content process from getting this data. (although it might not work just because EME is disabled, but I'm unsure.)

I recommend we make this one of the bugs blocking #28147 and tackle it as part of future 'harden the content process' work.

comment:2 Changed 10 months ago by gk

Parent ID: #28147
Note: See TracTickets for help on using tickets.