
Fingerprinting protections bypassable #11683

Closed
snyderp opened this Issue Oct 26, 2017 · 25 comments

Contributor

snyderp commented Oct 26, 2017

Description

Many of the current fingerprinting protections rely on removing references to methods from the global object. However, you can get alternate references to the same methods by inserting a configured iframe element and grabbing the references off iframe.contentWindow or iframe.contentDocument.

Steps to Reproduce

```js
// Blocked: the top-level global has had the method replaced
console.log(HTMLCanvasElement.prototype.toDataURL);

let iframe = document.createElement("iframe");
iframe.src = "https://www.brave.com/";
document.body.appendChild(iframe);

// Not blocked: the child frame's globals were never patched
console.log(iframe.contentWindow.HTMLCanvasElement.prototype.toDataURL);

// Do the bad stuff (someParentFrameCanvasElement is a placeholder for any
// <canvas> element in the parent document)
let canvasToDataUrl = iframe.contentWindow.HTMLCanvasElement.prototype.toDataURL;
canvasToDataUrl.apply(someParentFrameCanvasElement);
```

Actual result:
You can get references to the fingerprinting related methods.

Expected result:
You shouldn't be able to get to these methods.

Reproduces how often: 100%

Brave Version

All versions

Reproducible on current live release:
Yes

snyderp Oct 26, 2017

Contributor

@diracdeltas Re our conversation on slack.

Happy to contribute a PR, but wanted to make sure my proposed solution was useful first. How does overwriting the getter for the following methods to return the blocking proxy sound?

HTMLIFrameElement.prototype.contentWindow
HTMLIFrameElement.prototype.contentDocument
HTMLFrameElement.prototype.contentWindow
HTMLFrameElement.prototype.contentDocument

This will break some patterns of cross domain access, but (hopefully?) this is very rare, and most of the world has moved on to "Channel Messaging" for these use cases.

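The getter-override approach proposed in this comment, as an added example that is not Brave's code or the eventual PR: it replaces a frame element's contentWindow/contentDocument getter with one that installs blocking stubs on the child frame's prototypes before handing the window back, so a method reference pulled through the frame is already neutered. The BLOCKED list, the stub, the report callback and demoGuard's fake frame are constructed for this illustration; in a page you would call guardFrameAccessor on the real HTMLIFrameElement.prototype and HTMLFrameElement.prototype for both accessors.

```javascript
// Methods to hide inside child frames (constructed list; Brave's real list is longer).
const BLOCKED = [
  ["HTMLCanvasElement", "toDataURL"],
  ["HTMLCanvasElement", "toBlob"],
  ["CanvasRenderingContext2D", "getImageData"],
];
const stubs = new WeakSet(); // lets repeat accesses recognise an already-installed stub
function makeBlockedStub(name, report) {
  const stub = function blockedFingerprintingMethod() { report(name); return undefined; };
  stubs.add(stub);
  return stub;
}

// Neuter the blocked methods on the child's prototypes before the window/document is returned.
function protectChildWindow(child, report) {
  if (child === null || typeof child !== "object") return child;
  const win = child.defaultView || child; // contentDocument -> its window
  for (const [ctor, method] of BLOCKED) {
    let proto;
    try { proto = win[ctor] && win[ctor].prototype; }
    catch (e) { return child; } // cross-origin child: the parent cannot read its globals anyway
    if (!proto || typeof proto[method] !== "function" || stubs.has(proto[method])) continue;
    Object.defineProperty(proto, method, {
      value: makeBlockedStub(ctor + ".prototype." + method, report),
      configurable: true, writable: true,
    });
  }
  return child;
}

// Replace the accessor's getter (e.g. HTMLIFrameElement.prototype.contentWindow)
// with one that runs protectChildWindow on whatever the original getter returns.
function guardFrameAccessor(frameProto, accessor, report) {
  const desc = Object.getOwnPropertyDescriptor(frameProto, accessor);
  if (!desc || typeof desc.get !== "function") throw new TypeError(accessor + " is not an accessor");
  Object.defineProperty(frameProto, accessor, {
    configurable: true, enumerable: desc.enumerable,
    get() { return protectChildWindow(desc.get.call(this), report); },
  });
}

// Constructed stand-in for an iframe whose child window still exposes the real method;
// demoGuard() replays the lookup from the issue against the guarded accessor.
function demoGuard() {
  const report = [];
  const childWin = { HTMLCanvasElement: { prototype: { toDataURL() { return "data:image/png;base64,..."; } } } };
  class FakeIFrame { get contentWindow() { return childWin; } }
  guardFrameAccessor(FakeIFrame.prototype, "contentWindow", (name) => report.push(name));
  const fn = new FakeIFrame().contentWindow.HTMLCanvasElement.prototype.toDataURL;
  return { result: fn.call({}), report };
}
```

A cross-origin child throws on any global lookup from the parent, so the guard simply returns it unchanged; nothing callable can be reached through it in that case.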

diracdeltas Oct 27, 2017

Member

apparently i tried to address this attack vector in 7e55416#diff-7440f7b95ccc371bdd73dce0a6631831R928 but this code was subsequently removed in b310fb1 (not sure why)


diracdeltas Oct 27, 2017

Member

nvm, the attack vector above is somewhat different since it is for fingerprinting by creating canvas elements in an iframe, whereas this issue is for using prototype methods in the child frames to do fingerprinting in the parent frame. @snyderp your approach sounds good to me.


diracdeltas Oct 30, 2017

Member

QA steps: go to https://jsfiddle.net/3dhmjqco/1/ with fingerprinting protection on, it should show 1 fingerprinting method blocked.


@diracdeltas diracdeltas removed their assignment Oct 30, 2017

snyderp added a commit to snyderp/browser-laptop that referenced this issue Oct 30, 2017

bbondy added a commit that referenced this issue Oct 31, 2017

Merge pull request #11708 from snyderp/11683-block-iframe-content-window
block access to fingerprinting methods pulled from child frames issue #11683


@bsclifton bsclifton modified the milestones: 0.19.x Hotfix 6 (Release channel), 0.20.x (Beta Channel) Nov 30, 2017

bsclifton Nov 30, 2017

Member

PR has been reverted with fe2fced

Re-opening so that we can look at a fix for 0.20.x


bsclifton Dec 29, 2017

Member

Moving to 0.21.x (since this would be fixed by #12045)


@bsclifton bsclifton modified the milestones: 0.20.x (Beta Channel), 0.21.x (Developer Channel) Dec 29, 2017

@bsclifton bsclifton modified the milestones: 0.21.x (Beta Channel), 0.22.x (Developer Channel) Feb 20, 2018

@bbondy bbondy modified the milestones: 0.22.x (Developer Channel), 0.23.x (Nightly Channel) Feb 25, 2018

@alexwykoff alexwykoff modified the milestones: 0.23.x (Nightly Channel), Backlog (Prioritized) Mar 13, 2018

@bsclifton bsclifton removed their assignment Mar 20, 2018

@tomlowenthal tomlowenthal added the post-v1 label Apr 3, 2018

@diracdeltas diracdeltas removed the security label Jun 19, 2018

@bsclifton bsclifton removed this from the Backlog (Prioritized) milestone Sep 1, 2018
