Opened 5 months ago

Closed 7 weeks ago

#30800 closed defect (fixed)

ftp:// on Windows can be used to leak the system time zone

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting, TorBrowserTeam201909R, GeorgKoppen201909
Cc: acat
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

z3t reported via HackerOne that the system time zone on Windows can get leaked by using ftp://.

When using the ftp:// protocol, directory listings contain timestamps converted to the system timezone. These timestamps can be extracted by a script on a same-origin FTP hosted HTML page, allowing detection of a user's system timezone.

Change History (14)

comment:1 Changed 5 months ago by Thorin

duplicate of #30427 ?

comment:2 in reply to:  1 Changed 5 months ago by gk

Replying to Thorin:

> duplicate of #30427 ?

I don't think so. The time zone is *not* leaking on non-Windows platforms while the UI locale is leaking on all we support.

comment:3 Changed 4 months ago by acat

I'm curious, how is it possible to read contents of ftp from a webpage? I tried an iframe, but cannot access, it's a RestrictedWindow... Was there a PoC in the original HackerOne report?

comment:4 Changed 4 months ago by Thorin

comment:5 in reply to:  3 Changed 4 months ago by tom

Replying to acat:

> I'm curious, how is it possible to read contents of ftp from a webpage? I tried an iframe, but cannot access, it's a RestrictedWindow... Was there a PoC in the original HackerOne report?

http://ritter.vg is not same origin to ftp://ritter.vg but if you go to ftp://ritter.vg/example.html that will show a webpage that can then iframe ftp://ritter.vg/uploads/ and they are same origin so it can read the directory contents.

(Addresses illustrative only)

comment:6 Changed 4 months ago by gk

Keywords: TorBrowserTeam201907R GeorgKoppen201907 added
Status: new → needs_review

bug_30800 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_30800&id=b21da86362c76a231901e6733adee7512579ff06) has the backport to esr60 of Gary's patch. It fixes the problem for me, nice work! I am still not sure about why only Windows is affected to begin with, though, but did not dig deeper into the code yet.

I guess we could try to test what we have in the alpha, provided the patch looks good to us?

comment:7 Changed 4 months ago by acat

I'm quite sure Gary said there was something missing/wrong in the patch in the uplift meeting, so I asked him about this (waiting for response). Meanwhile, by looking at it and trying an unpatched Firefox in Windows, I can see that one of the columns has a uint64 timestamp that seems to be timezone dependent (and that I think the patch is not addressing). It's the sortable-data property of the 3rd column, not visible. So this might be the issue Gary mentioned.

Besides, I'm not sure why we could not use UTC instead of GMT when resistfingerprinting is on (at least that's the behaviour on Linux for me, and it does not leak the timezone).
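A regression check for the leak described in this ticket and in comment:7, added here as an illustration and not taken from the ticket, the HackerOne report or the Tor Browser patch. Given rows from a listing served by a test FTP server whose file modification times are known, it reports any offset from UTC in the visible date text or in the hidden sort key. The row field names, the `YYYY-MM-DD HH:MM:SS` display format and the millisecond sort keys are assumptions, and the sample rows are constructed.

```javascript
// Build a constructed listing row as a renderer with the given UTC offset
// would produce it. Field names are assumptions for this example:
//   mtimeMs    - modification time set on the test server (epoch ms, UTC)
//   displayed  - date/time text visible in the listing row
//   sortableMs - hidden numeric sort key of the same row
function makeRow(mtimeMs, offsetMin) {
  const shifted = mtimeMs + offsetMin * 60000;
  return {
    mtimeMs,
    displayed: new Date(shifted).toISOString().slice(0, 19).replace('T', ' '),
    sortableMs: shifted,
  };
}

// Interpret the displayed wall-clock text as if it were UTC.
function parseAsUtc(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(text);
  if (!m) throw new Error(`unparseable listing time: ${text}`);
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, s);
}

// Distinct offsets (minutes) between what the listing exposes and true UTC.
// Both the visible text and the hidden sort key are checked, because fixing
// only the visible column leaves the other one readable by page script.
function leakedOffsetsMinutes(rows) {
  const offsets = new Set();
  for (const row of rows) {
    offsets.add(Math.round((parseAsUtc(row.displayed) - row.mtimeMs) / 60000));
    offsets.add(Math.round((row.sortableMs - row.mtimeMs) / 60000));
  }
  return [...offsets].sort((a, b) => a - b);
}

// A listing passes only if every exposed value matches UTC exactly.
function listingIsTimezoneNeutral(rows) {
  const offsets = leakedOffsetsMinutes(rows);
  return offsets.length === 1 && offsets[0] === 0;
}

// Constructed fixtures: one winter and one summer file, rendered in UTC and
// as a system on UTC+1 with daylight saving (UTC+2 in summer) would render them.
const WINTER = Date.UTC(2019, 0, 15, 12, 0, 0);
const SUMMER = Date.UTC(2019, 5, 30, 23, 30, 0);
const UTC_ROWS = [makeRow(WINTER, 0), makeRow(SUMMER, 0)];
const LOCAL_ROWS = [makeRow(WINTER, 60), makeRow(SUMMER, 120)];

console.log(listingIsTimezoneNeutral(UTC_ROWS), leakedOffsetsMinutes(LOCAL_ROWS));
```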

comment:8 Changed 4 months ago by acat

> Besides, I'm not sure why we could not use UTC instead of GMT when resistfingerprinting is on (at least that's the behaviour on Linux for me, and it does not leak the timezone).

Sorry, obviously this does not make any sense since they are synonyms, forget about it :)

comment:9 Changed 4 months ago by acat

Status: needs_review → needs_revision

comment:10 Changed 4 months ago by cypherpunks

FWIW, UTC and GMT are not synonyms. RFP uses UTC.

comment:11 Changed 4 months ago by gk

Keywords: TorBrowserTeam201907 added; TorBrowserTeam201907R removed

comment:12 Changed 7 weeks ago by gk

Cc: acat added
Keywords: TorBrowserTeam201909R GeorgKoppen201909 added; TorBrowserTeam201907 GeorgKoppen201907 removed
Status: needs_revision → needs_review

That landed recently on mozilla-central. Thus, I think we are good now? bug_30800_v2 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_30800_v2&id=a2e76dee549c9efb60bfa13c0e6e4e5f8b5edd76) has the backport for review.

comment:13 Changed 7 weeks ago by acat

Looks good to me.

comment:14 Changed 7 weeks ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks. Merged to tor-browser-68.1.0esr-9.0-2 (commit a2e76dee549c9efb60bfa13c0e6e4e5f8b5edd76).
