Opened 6 years ago

Closed 6 years ago

#5856 closed defect (fixed)

Patch Firefox to alter window.screen directly

Reported by: mikeperry
Owned by: mikeperry
Priority: Very High
Milestone:
Component: Firefox Patch Issues
Version:
Severity:
Keywords: tbb-fingerprinting, interview
Cc: g.koppen@…
Actual Points: 6
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Georg Koppen found a race condition in our Javascript hook application that allows the hooks to be bypassed. Right now, they only exist to project window.screen and associated resolution information, so we can probably just replace them with a patch.
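The description above is about replacing fragile script-level hooks with a browser patch that controls what window.screen reports. The following is an added example, not Tor Browser code and not the test script referred to later in this ticket: a self-check of the kind a fingerprinting-resistance test would run against window.screen. It assumes a spoofing policy in which the screen reports the content viewport size, no distinct "avail*" geometry, and a fixed 24-bit colour depth; the helper `makeSpoofedScreen`, the function `checkScreenSpoofing`, the constant `EXPECTED_COLOR_DEPTH` and the sample screen object are all constructed for this example. Values are passed in explicitly so the check runs under Node; in a browser you would call it with window.screen, window.innerWidth and window.innerHeight.

```javascript
// Added example, not Tor Browser code: a fingerprinting-resistance self-check
// for window.screen. Assumed policy: the screen reports the viewport size,
// avail* geometry equals the screen size, and colour depth is fixed at 24.

const EXPECTED_COLOR_DEPTH = 24; // assumption: the depth a screen patch would report

// What a screen patch would expose for a given viewport (assumed shape).
function makeSpoofedScreen(innerWidth, innerHeight) {
  return {
    width: innerWidth,
    height: innerHeight,
    availWidth: innerWidth,
    availHeight: innerHeight,
    availLeft: 0,
    availTop: 0,
    colorDepth: EXPECTED_COLOR_DEPTH,
    pixelDepth: EXPECTED_COLOR_DEPTH,
  };
}

// Returns { spoofed, findings }: spoofed is true only when every property is
// consistent with the assumed policy; findings lists each leak detected.
function checkScreenSpoofing(screen, innerWidth, innerHeight) {
  const findings = [];

  // The reported screen size must not exceed the viewport, or the real
  // monitor resolution leaks.
  if (screen.width !== innerWidth || screen.height !== innerHeight) {
    findings.push(`screen ${screen.width}x${screen.height} differs from viewport ${innerWidth}x${innerHeight}`);
  }

  // avail* smaller than the screen reveals taskbar/panel geometry.
  if (screen.availWidth !== screen.width || screen.availHeight !== screen.height) {
    findings.push(`avail area ${screen.availWidth}x${screen.availHeight} reveals panel/taskbar geometry`);
  }

  // availLeft/availTop are not present in every engine; treat absent as 0.
  const left = screen.availLeft === undefined ? 0 : screen.availLeft;
  const top = screen.availTop === undefined ? 0 : screen.availTop;
  if (left !== 0 || top !== 0) {
    findings.push(`avail offset ${left},${top} reveals multi-monitor or panel layout`);
  }

  // Colour depth is a small but stable fingerprinting bit; both fields must match.
  if (screen.colorDepth !== EXPECTED_COLOR_DEPTH || screen.pixelDepth !== EXPECTED_COLOR_DEPTH) {
    findings.push(`colour depth ${screen.colorDepth}/${screen.pixelDepth} differs from ${EXPECTED_COLOR_DEPTH}`);
  }

  return { spoofed: findings.length === 0, findings };
}

// Constructed sample: what an unpatched browser on a 1920x1080 desktop with a
// 40px top panel and 32-bit depth would report, with a 1000x800 viewport.
const SAMPLE_UNPATCHED_SCREEN = {
  width: 1920, height: 1080,
  availWidth: 1920, availHeight: 1040,
  availLeft: 0, availTop: 40,
  colorDepth: 32, pixelDepth: 32,
};

console.log(checkScreenSpoofing(SAMPLE_UNPATCHED_SCREEN, 1000, 800));
console.log(checkScreenSpoofing(makeSpoofedScreen(1000, 800), 1000, 800));
```

Because the check compares the screen object against values the page itself controls (the viewport size and a fixed depth), it works equally as a regression test after a patch lands: a hook bypassed by the race condition described above would show up as a non-empty findings list, whereas a native patch makes the reported values consistent regardless of when a script reads them.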

Child Tickets

Change History (17)

comment:1 Changed 6 years ago by gk

Cc: g.koppen@… added

comment:2 Changed 6 years ago by mikeperry

Keywords: MikePerry201206 added; MikePerry201205 removed

See #5857 for the alternative to keep hooking functionality around.

comment:3 Changed 6 years ago by mikeperry

Note to self: Don't forget about MediaElement too, for full screen mode.

comment:4 Changed 6 years ago by mikeperry

More notes to self: If we spoof display depth in window.screen, we should also spoof a matching value in WebGLContext::GetContextAttributes().

comment:5 Changed 6 years ago by mikeperry

Keywords: MikePerry201206 removed

comment:6 Changed 6 years ago by mikeperry

Some additional attributes wrt device orientation here: https://bugzilla.mozilla.org/show_bug.cgi?id=720794. I think they're mostly harmless, though.

comment:7 Changed 6 years ago by mikeperry

Ditto for screen orientation locking: https://bugzilla.mozilla.org/show_bug.cgi?id=740188

comment:8 Changed 6 years ago by mikeperry

Priority: major → critical

Firefox 15 just made all of these immutable from script, so our old js hooks are totally useless now. We need to get this done before the next ESR release at least (FF17).

comment:9 Changed 6 years ago by cypherpunks

comment:11 Changed 6 years ago by cypherpunks

That one's safe but did you try the test script? TorBrowser is also vulnerable to the system color and font reading.

comment:12 Changed 6 years ago by mikeperry

cypherpunks: The font issue should already be mitigated by #2872. We have some improvements planned in #5798. For system color (by which I assume you mean min-color and screen bit width), I've created #6786.

We should also remember to handle window.screen's colorDepth information here.

As a general FYI: gk has some additional automated mozmill test cases in #5920. We're still trying to figure out what to do with those.

comment:13 Changed 6 years ago by mikeperry

Err, the tests are in #5290.

comment:14 Changed 6 years ago by cypherpunks2

That's not what I mean. It shows those issues, but also some completely different ones. Look at the test case.

comment:15 Changed 6 years ago by mikeperry

Keywords: interview added

comment:16 Changed 6 years ago by mikeperry

And they backported this to 10.0.8-ESR, breaking our hooks there too.

The good news is that one of our browser hacker interview candidate teams has written this fix for us. We should be able to use their patch in the next TBB release.
