Opened 9 days ago

Last modified 9 days ago

#31667 new defect

NAvigator object leaking OS, again?

Reported by: op_mb Owned by:
Priority: Medium Milestone:
Component: Applications Version: Tor: unspecified
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

hey all,

tor browser version 8.5.5 in tails os, navigator object leaks OS,

you need to modify these

navigator.userAgent
navigator.appVersion
navigator.buildID
navigator.osCPU
navigator.platform


here's the ticket (with pics), they redirected me to you:

https://redmine.tails.boum.org/code/issues/16999
(look at the pics i uploded there)

i've read the other tickets here, about fingerprinting, point is, that, automated scripts will vector attacks based on platform, so this is just opening an attack vector

cheers!

Child Tickets

Change History (3)

comment:1 Changed 9 days ago by op_mb

p.s.: Bug 26146: Spoof HTTP User-Agent header for desktop platforms

propose on/off button "... to allow access to the actual OS via JavaScript, since doing so improves compatibility with web applications such as GitHub and Google Docs."

?
p.p.s. i know some forms dont load, like on youtube for example, if navigator.spoofed == true (lol)

cheers!

comment:2 Changed 9 days ago by op_mb

p.p.p.s
also,

even though on/off button can be an overkill,
overriding the navigator object has no implact on github or other services that ive encountered, unless its googgle

final cheers!

comment:3 Changed 9 days ago by op_mb

correction: on/off button for Navigator object

Note: See TracTickets for help on using tickets.