Opened 3 months ago

Closed 8 weeks ago

Last modified 8 weeks ago

#31667 closed defect (duplicate)

Navigator object leaking OS, again?

Reported by: op_mb Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by gk)

hey all,

tor browser version 8.5.5 in tails os, navigator object leaks OS,

you need to modify these

 navigator.userAgent
 navigator.appVersion
 navigator.buildID
 navigator.osCPU
 navigator.platform

here's the ticket (with pics), they redirected me to you:

https://redmine.tails.boum.org/code/issues/16999
(look at the pics i uploaded there)

i've read the other tickets here, about fingerprinting, point is, that, automated scripts will vector attacks based on platform, so this is just opening an attack vector

cheers!

Change History (6)

comment:1 Changed 3 months ago by op_mb

p.s.: Bug 26146: Spoof HTTP User-Agent header for desktop platforms

propose on/off button "... to allow access to the actual OS via JavaScript, since doing so improves compatibility with web applications such as GitHub and Google Docs."

?
p.p.s. i know some forms don't load, like on youtube for example, if navigator.spoofed == true (lol)

cheers!
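
As an added example (not part of the ticket and not Tor Browser code): a small audit that checks which of the five navigator fields listed in the description name an OS, and which of them disagree with the OS in the HTTP User-Agent header, the split that the Bug 26146 quote describes. The function names, patterns and sample values are constructed for illustration.

```javascript
// Added example: all names, patterns and sample strings here are constructed.
// Order matters: Android user agents also contain "Linux", so test Android first.
const OS_PATTERNS = [
  ["Android", /Android/i],
  ["Windows", /Win(dows|32|64)/i],
  ["macOS", /Mac(intosh|Intel| OS X)/i],
  ["Linux", /Linux|X11/i],
];
// The fields named in the ticket description.
const FIELDS = ["userAgent", "appVersion", "buildID", "osCPU", "platform"];

// Return the OS family a string names, or null if it names none.
function osOf(value) {
  if (typeof value !== "string") return null;
  for (const [name, re] of OS_PATTERNS) if (re.test(value)) return name;
  return null;
}

// Compare each navigator field against the OS claimed in the HTTP header.
function auditNavigator(nav, httpUserAgent) {
  const perField = {};
  for (const f of FIELDS) perField[f] = osOf(nav[f]);
  const headerOS = osOf(httpUserAgent);
  const mismatches = FIELDS.filter(
    (f) => perField[f] !== null && headerOS !== null && perField[f] !== headerOS
  );
  return { perField, headerOS, mismatches };
}

// Constructed sample values, not captured from any real browser session.
const SPOOFED_HEADER =
  "Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20100101 Firefox/60.0";
const leakyNav = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
  appVersion: "5.0 (X11)",
  buildID: "20181001000000",
  osCPU: "Linux x86_64",
  platform: "Linux x86_64",
};
const uniformNav = {
  userAgent: SPOOFED_HEADER,
  appVersion: "5.0 (Windows)",
  buildID: "20181001000000",
  osCPU: "Windows NT 10.0",
  platform: "Win32",
};

console.log(auditNavigator(leakyNav, SPOOFED_HEADER).mismatches);
console.log(auditNavigator(uniformNav, SPOOFED_HEADER).mismatches);
```

In a browser console the same function can be called as `auditNavigator(navigator, headerValue)`, with the header value taken from what a test server received.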

comment:2 Changed 3 months ago by op_mb

p.p.p.s
also,

even though on/off button can be an overkill,
overriding the navigator object has no impact on github or other services that i've encountered, unless it's google

final cheers!

comment:3 Changed 3 months ago by op_mb

correction: on/off button for Navigator object

comment:4 Changed 8 weeks ago by boklm

Component: Applications → Applications/Tor Browser
Owner: set to tbb-team
Resolution: duplicate
Status: new → closed
Version: Tor: unspecified

This is a duplicate of #28290.

comment:5 Changed 8 weeks ago by cypherpunks

There's an unclosed <em> tag in the description -- I hope this is not an XSS bug?

comment:6 Changed 8 weeks ago by gk

Description: modified (diff)