Opened 4 months ago

Last modified 4 months ago

#30436 needs_information defect

Visit duration tracking possible in TorBrowser using a favicon which downloads from a server using a connection that's never closed

Reported by: ehsan.akhgari@… Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The attack scenario is described here https://twitter.com/davywtf/status/951203191944773632.

The code sample can be found at https://github.com/wybiral/tracker.

Child Tickets

Change History (1)

comment:1 Changed 4 months ago by gk

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team
Status: newneeds_information

So, right now I wonder what we should do here and what the threat is. It does seem to me that this technique is a problem for cross-origin tracking with identifiers which we try to defend with First Party Isolation against. But it does not seem to be a fingerprinting technique either.

Moreover, what's the threat here? A malicious first party domain a user is interacting with. What would it gain by measuring the page visit time with that technique? How would it single out me be it either during a particular session of across sessions with _just_ the scenario described in the links in your description (however, I admit this is a neat idea :) ).

Note: See TracTickets for help on using tickets.