Opened 2 months ago

Last modified 6 weeks ago

#30800 needs_revision defect

ftp:// on Windows can be used to leak the system time zone

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, TorBrowserTeam201907, GeorgKoppen201907
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

z3t reported via HackerOne that the system time zone on Windows can get leaked by using ftp://.

When using the ftp:// protocol, directory listings contain timestamps converted to the system timezone. These timestamps can be extracted by a script on a same-origin FTP hosted HTML page, allowing detection of a user's system timezone.

Child Tickets

Change History (11)

comment:1 Changed 2 months ago by Thorin

duplicate of #30427 ?

comment:2 in reply to:  1 Changed 2 months ago by gk

Replying to Thorin:

duplicate of #30427 ?

I don't think so. The time zone is *not* leaking on non-Windows platforms while the UI locale is leaking on all we support.

comment:3 Changed 7 weeks ago by acat

I'm curious, how is it possible to read contents of ftp from a webpage? I tried an iframe, but cannot access, it's a RestrictedWindow... Was there a PoC in the original HackerOne report?

comment:4 Changed 7 weeks ago by Thorin

comment:5 in reply to:  3 Changed 7 weeks ago by tom

Replying to acat:

I'm curious, how is it possible to read contents of ftp from a webpage? I tried an iframe, but cannot access, it's a RestrictedWindow... Was there a PoC in the original HackerOne report?

http://ritter.vg is not same origin to ftp://ritter.vg but if you go to ftp://ritter.vg/example.html that will show a webpage that can then iframe ftp://ritter.vg/uploads/ and they are same origin so it can read the directory contents.

(Addresses illustrative only)

comment:6 Changed 7 weeks ago by gk

Keywords: TorBrowserTeam201907R GeorgKoppen201907 added
Status: new → needs_review

bug_30800 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_30800&id=b21da86362c76a231901e6733adee7512579ff06) has the backport to esr60 of Gary's patch. It fixes the problem for me, nice work! I am still not sure about why only Windows is affected to begin with, though, but did not dig deeper into the code yet.

I guess we could try to test what we have in the alpha, provided the patch looks good to us?

comment:7 Changed 6 weeks ago by acat

I'm quite sure Gary said there was something missing/wrong in the patch in the uplift meeting, so I asked him about this (waiting for response). Meanwhile, by looking at it and trying an unpatched Firefox in Windows, I can see that one of the columns has a uint64 timestamp that seems to be timezone dependent (and that I think the patch is not addressing). It's the sortable-data property of the 3rd column, not visible. So this might be the issue Gary mentioned.

Besides, I'm not sure why we could not use UTC instead of GMT when resistfingerprinting is on (at least that's the behaviour on Linux for me, and it does not leak the timezone).
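
An added illustration of the point raised in comment:7 (not part of the ticket thread, and not Firefox or Tor Browser code): a Python model of a listing row whose visible date/time and hidden sortable-data value are derived separately, with a check that reports which field still varies with the system time zone. The row layout, the sample timestamp and the way the sort key is computed are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: one file's modification time as the server reports it (UTC).
MTIME = datetime(2019, 6, 10, 23, 30, tzinfo=timezone.utc)
# Simulated system time zones, as fixed UTC offsets in hours (constructed).
ZONES = [-8, 0, 1, 5.5, 9]


def render_row(mtime, system_offset_h, text_utc, key_utc):
    """Model the date/time cells of one listing row (hypothetical layout).

    text_utc / key_utc select whether each field is derived from UTC or from
    the system zone. The sort key models a timezone-dependent integer as the
    local wall-clock time re-read as if it were UTC (an assumption).
    """
    local = timezone(timedelta(hours=system_offset_h))
    shown = mtime.astimezone(timezone.utc if text_utc else local)
    wall = mtime.astimezone(timezone.utc if key_utc else local)
    key = int(wall.replace(tzinfo=timezone.utc).timestamp() * 1_000_000)
    return (f'<td sortable-data="{key}">{shown:%Y-%m-%d}</td>'
            f'<td>{shown:%H:%M:%S}</td>')


def leaking_fields(text_utc, key_utc):
    """Return the row fields that change when only the system zone changes."""
    rows = [render_row(MTIME, z, text_utc, key_utc) for z in ZONES]
    keys = {r.split('"')[1] for r in rows}       # sortable-data values
    texts = {r.split('>', 1)[1] for r in rows}   # everything after the first tag
    leaks = []
    if len(texts) > 1:
        leaks.append("visible text")
    if len(keys) > 1:
        leaks.append("sortable-data")
    return leaks


if __name__ == "__main__":
    print("unpatched:    ", leaking_fields(False, False))
    print("text-only fix:", leaking_fields(True, False))
    print("both fields:  ", leaking_fields(True, True))
```

A regression test for a fix of this kind needs to compare every attribute of the rendered row across time zones, not only the text a user sees.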

comment:8 Changed 6 weeks ago by acat

Besides, I'm not sure why we could not use UTC instead of GMT when resistfingerprinting is on (at least that's the behaviour on Linux for me, and it does not leak the timezone).

Sorry, obviously this does not make any sense since they are synonyms, forget about it :)

comment:9 Changed 6 weeks ago by acat

Status: needs_review → needs_revision

comment:10 Changed 6 weeks ago by cypherpunks

FWIW, UTC and GMT are not synonyms. RFP uses UTC.

comment:11 Changed 6 weeks ago by gk

Keywords: TorBrowserTeam201907 added; TorBrowserTeam201907R removed