Opened 5 months ago

Closed 4 months ago

#31287 closed defect (fixed)

NoScript leaks browser locale if objects are blocked and JavaScript is allowed

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting-locale, noscript, TorBrowserTeam201908R
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by gk)

If one customizes NoScript so that objects are blocked while JavaScript is enabled, then the browser locale is leaked even if the user opted in to hiding it.
This issue got reported to our HackerOne bug bounty program by ryotak, thanks!

A copy of the developed PoC can be found at: https://people.torproject.org/~gk/tests/poc_noscript_locale_leak.html.

Change History (9)

comment:1 in reply to: description; Changed 5 months ago by ma1

Replying to gk:

A copy of the developed PoC can be found at: https://people.torproject.org/~gk/tests/poc_noscript_locale_leak.html.

Thanks, this seems a broken link though.

comment:2 in reply to: 1; Changed 5 months ago by gk

Replying to ma1:

Replying to gk:

A copy of the developed PoC can be found at: https://people.torproject.org/~gk/tests/poc_noscript_locale_leak.html.

Thanks, this seems a broken link though.

You mean because it gives you a "404 Not Found" page? That's part of the PoC and comes from the test.html file. You'll see the PoC in action if you drag the NoScript icon to the toolbar and customize it by making sure object is blocked while JavaScript is still allowed.

comment:3 Changed 5 months ago by ma1

Thanks, I can see it now.
I could devise some work-around, but the underlying issue IMHO is that browser.i18n.getMessage() in WebExtensions' content scripts should use whatever fake locale ("en", I guess) you choose as fingerprinting-resistant and exposed to content, isn't it?

comment:4 in reply to: 3; Changed 5 months ago by gk

Replying to ma1:

Thanks, I can see it now.
I could devise some work-around, but the underlying issue IMHO is that browser.i18n.getMessage() in WebExtensions' content scripts should use whatever fake locale ("en", I guess) you choose as fingerprinting-resistant and exposed to content, isn't it?

Yes, I think so. We should probably have a Firefox patch for that given that this is a general problem. Given that this is only exposed in a non-standard Tor Browser configuration I think we have more important NoScript related issues in our bug tracker to deal with (which is, of course, not meant as an argument against a work-around ;) ).
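To make the mechanism discussed in comments 3 and 4 concrete, here is an added example (not NoScript's or Tor Browser's code) that models a content script rendering a click-to-play placeholder into the page with browser.i18n.getMessage() semantics, and a regression check an extension author can run to confirm that the text it injects into web content does not depend on the real browser locale. The message bundles, key names and the "pinned" variant are constructed assumptions for illustration.

```javascript
// Constructed messages.json-style bundles (WebExtension _locales format).
const LOCALES = {
  en: { placeholderTitle: { message: "Click to play ($TYPE$)", placeholders: { type: { content: "$1" } } } },
  de: { placeholderTitle: { message: "Zum Abspielen klicken ($TYPE$)", placeholders: { type: { content: "$1" } } } },
};
const DEFAULT_LOCALE = "en"; // manifest.json default_locale

// Minimal stand-in for browser.i18n.getMessage(): lookup in the given
// locale, fallback to default_locale, and $NAME$ placeholder substitution
// with $1..$9 taken from the substitutions array.
function getMessage(locale, key, substitutions = []) {
  const entry = (LOCALES[locale] || {})[key] || LOCALES[DEFAULT_LOCALE][key];
  if (!entry) return "";
  const subs = [].concat(substitutions);
  return entry.message.replace(/\$([A-Za-z0-9_@]+)\$/g, (match, name) => {
    const ph = entry.placeholders && entry.placeholders[name.toLowerCase()];
    if (!ph) return match;
    return ph.content.replace(/\$(\d)/g, (_, i) => subs[Number(i) - 1] || "");
  });
}

// Leaky pattern: the placeholder inserted into the page DOM is built from
// the browser's real locale, so script on the page can read the locale
// back from the injected text. spoofedLocale is ignored here on purpose.
function renderPlaceholder(realLocale, spoofedLocale, objectType) {
  return `<div class="ctp">${getMessage(realLocale, "placeholderTitle", [objectType])}</div>`;
}

// Hardened pattern (assumption): strings that reach web content are pinned
// to the locale the browser exposes to content ("en" under fingerprinting
// resistance); the real locale may still be used for extension UI.
function renderPlaceholderPinned(realLocale, spoofedLocale, objectType) {
  return `<div class="ctp">${getMessage(spoofedLocale, "placeholderTitle", [objectType])}</div>`;
}

// Regression check: rendering under a non-default real locale must give
// byte-identical content-facing output to rendering under the spoofed one.
function leaksLocale(render, realLocale, spoofedLocale, objectType) {
  const actual = render(realLocale, spoofedLocale, objectType);
  const expected = render(spoofedLocale, spoofedLocale, objectType);
  return actual !== expected;
}
```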

comment:5 in reply to: description; Changed 5 months ago by RyotaK

Replying to gk:

I want to tell you something in the HackerOne thread that is related to this bug. Tor Browser is vulnerable to this attack in supported settings. Can you look into it please?

Note: Tor Browser is not vulnerable to this attack in any of the supported default settings (that is on any of the security settings levels).

Last edited 5 months ago by RyotaK

comment:6 in reply to: 5; Changed 5 months ago by gk

Description: modified

Replying to RyotaK:

Replying to gk:

I want to tell you something in the HackerOne thread that is related to this bug. Tor Browser is vulnerable to this attack in supported settings. Can you look into it please?

Note: Tor Browser is not vulnerable to this attack in any of the supported default settings (that is on any of the security settings levels).

Right. I was wrong here and I changed the description accordingly. One can see this on the medium-security level as well with media content being click-to-play.

comment:7 in reply to: 4; Changed 4 months ago by ma1

Replying to gk:

of course, not meant as an argument against a work-around ;)

Here you are:
https://github.com/hackademix/noscript/releases/tag/11.0.3rc1

comment:8 Changed 4 months ago by gk

Keywords: TorBrowserTeam201908R added

comment:9 Changed 4 months ago by gk

Resolution: fixed
Status: new → closed

Looks good to me, thanks!
