Opened 3 weeks ago

Last modified 2 weeks ago

#31287 new defect

NoScript leaks browser locale if objects are blocked and JavaScript is allowed

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting-locale, noscript
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by gk)

If one customizes NoScript so that objects are blocked while JavaScript is enabled, then the browser locale is leaked even if the user opted in to hiding it.
This issue got reported to our HackerOne bug bounty program by ryotak, thanks!

A copy of the developed PoC can be found at: https://people.torproject.org/~gk/tests/poc_noscript_locale_leak.html.

Child Tickets

Change History (7)

comment:1 in reply to: description; changed 3 weeks ago by ma1

Replying to gk:

A copy of the developed PoC can be found at: https://people.torproject.org/~gk/tests/poc_noscript_locale_leak.html.

Thanks, this seems a broken link though.

comment:2 in reply to: 1; changed 3 weeks ago by gk

Replying to ma1:

Replying to gk:

A copy of the developed PoC can be found at: https://people.torproject.org/~gk/tests/poc_noscript_locale_leak.html.

Thanks, this seems a broken link though.

You mean because it gives you a "404 Not Found" page? That's part of the PoC and comes from the test.html file. You'll see the PoC in action if you drag the NoScript icon to the toolbar and customize it by making sure object is blocked while JavaScript is still allowed.

comment:3 Changed 3 weeks ago by ma1

Thanks, I can see it now.
I could devise some work-around, but the underlying issue IMHO is that browser.i18n.getMessage() in WebExtensions' content scripts should use whatever fake locale ("en", I guess) you choose as fingerprinting-resistant and exposed to content, isn't it?

comment:4 in reply to: 3; changed 3 weeks ago by gk

Replying to ma1:

Thanks, I can see it now.
I could devise some work-around, but the underlying issue IMHO is that browser.i18n.getMessage() in WebExtensions' content scripts should use whatever fake locale ("en", I guess) you choose as fingerprinting-resistant and exposed to content, isn't it?

Yes, I think so. We should probably have a Firefox patch for that given that this is a general problem. Given that this is only exposed in a non-standard Tor Browser configuration I think we have more important NoScript related issues in our bug tracker to deal with (which is, of course, not meant as an argument against a work-around ;) ).
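The mechanism ma1 and gk describe above (a content script writing `browser.i18n.getMessage()` output into the page, so the placeholder text reveals the real UI locale rather than the spoofed one) can be checked with a small regression test. This is an added example, not NoScript's or Tor Browser's code: the message bundles are constructed, `makeI18n` is a stand-in for `browser.i18n`, and the `renderPlaceholder*` functions and the fixed "en" locale are assumptions for illustration.

```javascript
// Added example: does a content-script placeholder depend on the UI locale?
// Constructed stand-ins for _locales/<lang>/messages.json (not NoScript's strings).
const MESSAGES = {
  en: { blockedObject: "Blocked object, click to play" },
  de: { blockedObject: "Blockiertes Objekt, zum Abspielen klicken" },
  ja: { blockedObject: "ブロックされたオブジェクト、クリックして再生" },
};

// Minimal mock of browser.i18n: getMessage() resolves against the real UI
// locale, which is exactly what becomes observable once the string is
// inserted into web content.
function makeI18n(uiLocale) {
  const bundle = MESSAGES[uiLocale] || MESSAGES.en;
  return { getMessage: (key) => bundle[key] || "" };
}

// Leaky pattern (hypothetical): placeholder text taken straight from the UI locale.
function renderPlaceholderLeaky(i18n) {
  return `<div class="blocked-object">${i18n.getMessage("blockedObject")}</div>`;
}

// Hardened pattern (hypothetical): anything exposed to page content uses a
// fixed locale, assumed here to be "en", the spoofed locale the thread mentions.
function renderPlaceholderFixed(_i18n) {
  return `<div class="blocked-object">${MESSAGES.en.blockedObject}</div>`;
}

// Regression check: render under every locale and report whether the
// content-visible output differs. Returns true when the locale is observable.
function leaksLocale(render, locales = Object.keys(MESSAGES)) {
  const outputs = new Set(locales.map((loc) => render(makeI18n(loc))));
  return outputs.size > 1;
}

console.log("leaky placeholder leaks locale:", leaksLocale(renderPlaceholderLeaky)); // true
console.log("fixed placeholder leaks locale:", leaksLocale(renderPlaceholderFixed)); // false
```

The same check generalises to any string an extension injects into a document (titles, tooltips, alt text), not only the blocked-object placeholder.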

comment:5 in reply to: description; changed 3 weeks ago by RyotaK

Replying to gk:

I want to tell you something in the HackerOne thread that is related to this bug. Tor Browser is vulnerable to this attack in supported settings. Can you look into it please?

Note: Tor Browser is not vulnerable to this attack in any of the supported default settings (that is on any of the security settings levels).

Last edited 3 weeks ago by RyotaK

comment:6 in reply to: 5; changed 2 weeks ago by gk

Description: modified

Replying to RyotaK:

Replying to gk:

I want to tell you something in the HackerOne thread that is related to this bug. Tor Browser is vulnerable to this attack in supported settings. Can you look into it please?

Note: Tor Browser is not vulnerable to this attack in any of the supported default settings (that is on any of the security settings levels).

Right. I was wrong here and I changed the description accordingly. One can see this on the medium-security level as well with media content being click-to-play.

comment:7 in reply to: 4; changed 2 weeks ago by ma1

Replying to gk:

of course, not meant as an argument against a work-around ;)

Here you are:
https://github.com/hackademix/noscript/releases/tag/11.0.3rc1
