Opened 4 months ago

Last modified 5 weeks ago

#29745 new defect

Exposed chrome:// resources allow browser version and OS detection [Bug 1534581]

Reported by: flngerprlnt
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The default permissions defined in the chrome.manifest file allow specific paths to be called from any web page. For example, chrome://browser/content/* or chrome://global/content/*.

For reference, see https://bugzilla.mozilla.org/show_bug.cgi?id=1534581
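As an added example (not code from this ticket, Tor Browser or Mozilla), the following script audits a chrome.manifest the way a reviewer of this defect would: it parses the `content` directives and lists the packages carrying the `contentaccessible=yes` flag, which is what makes a chrome://<package>/content/ tree loadable from ordinary web pages. The manifest lines are constructed for illustration; the real omni.ja manifest is much longer.

```python
"""Audit chrome.manifest `content` entries for packages web content may load."""
# Added example; not part of Tor Browser or Mozilla code.
# chrome.manifest directives of interest (Mozilla chrome registration format):
#   content <package> <uri> [flag=value ...]
# The flag contentaccessible=yes exposes chrome://<package>/content/* to web
# pages, which is the exposure the ticket describes for browser and global.

from typing import Dict, List

# Constructed sample manifest illustrating the file's shape.
SAMPLE_MANIFEST = """\
# comment line
content browser jar:browser/omni.ja!/chrome/browser/content/browser/ contentaccessible=yes
content global jar:omni.ja!/chrome/toolkit/content/global/ contentaccessible=yes
content devtools jar:omni.ja!/chrome/devtools/content/
locale global en-US jar:omni.ja!/chrome/en-US/locale/en-US/global/
"""


def parse_chrome_manifest(text: str) -> List[Dict[str, object]]:
    """Return one record per `content` directive: package, uri and flag map."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        parts = line.split()
        if parts[0] != "content" or len(parts) < 3:
            continue  # only content packages can be marked contentaccessible
        flags = {}
        for flag in parts[3:]:
            key, _, value = flag.partition("=")
            flags[key] = value
        records.append({"package": parts[1], "uri": parts[2], "flags": flags})
    return records


def web_exposed_packages(text: str) -> List[str]:
    """Packages whose chrome://<pkg>/content/ tree any web page may load."""
    return sorted(
        r["package"]
        for r in parse_chrome_manifest(text)
        if r["flags"].get("contentaccessible") == "yes"
    )


if __name__ == "__main__":
    for pkg in web_exposed_packages(SAMPLE_MANIFEST):
        print(f"chrome://{pkg}/content/* is reachable from web content")
```

Running it against a browser's real chrome.manifest (extracted from omni.ja) gives the list of packages whose resources a page can probe, which is the set a locale or version leak would have to come from.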

Child Tickets

Attachments (1)

demo2.png (373.0 KB) - added by flngerprlnt 4 months ago.
Detection examples and code inspection


Change History (4)

Changed 4 months ago by flngerprlnt

Attachment: demo2.png added

Detection examples and code inspection

comment:1 Changed 4 months ago by gk

Component: "- Select a component" → Applications/Tor Browser
Keywords: tbb-fingerprinting added; "version os detection fingerprinting chrome resources" removed
Owner: set to tbb-team
Priority: Medium → High

comment:2 Changed 6 weeks ago by Thorin

From upstream: this can also leak the app language, see [1]. Leaking browser version is not an issue: all TB users should be on the same ESR cycle, and you can't defeat feature detection anyway. Detecting OS is trivial as well (for now).

Suggest changing the title, and keyword => tbb-fingerprinting-locale. As it happens, I checked the contents of chrome://global/locale/intl.css in all 30 language packs, and I've lost my notes on them: about 6 or 7 have extra CSS rules which could be used, namely that French one, LTR languages, and from memory, a couple of non-Latin languages such as Japanese. Of course, there may be other chrome:// files that leak more entropy.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1534581#c21

comment:3 Changed 5 weeks ago by Thorin

Not sure if it's worthwhile opening a new ticket, but the default proportional font (serif or sans-serif) is (semi-)detectable, and it seems as if zh-TW is the only one to return sans-serif.

Is this something that was missed? For example, the default proportional font in ja and he is sans-serif, but the PoC [1] returns serif:

window.getComputedStyle(document.body,null).getPropertyValue("font-family")

[1] PoC: https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#fonts

On the plus side: all 30 packs return sizes 16 (proportional) and 13 (monospace) regardless of the settings in Language & Appearance > Advanced.
