Skip to content

/ detect-throwaways

Demo: https://diafygi.github.io/detect-throwaways/index.html

AGPL-3.0 License
6 stars 1 fork
Star
Watch
master
2 branches 0 tags
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
LICENSE
 
 
README.md
 
 
index.html
 
 
throwaway.html
 
 

README.md

detect-throwaways

Demo: https://diafygi.github.io/detect-throwaways/index.html

Description

This is a demo that allows websites to detect and connect throwaway accounts to their real users when the user is using Firefox's Private Browsing mode. This exploits Firefox's Bug #1100154 that I reported in 2014. Chrome users are not affected by this exploit.

This exploit could be used by sites that allow users to create throwawy or anonymous accounts (Reddit, HackerNews, 4Chan, etc.) to secretly detect a user's real username if that user is using a Firefox Private Browsing window for the throwaway account while keeping their real account open in their main browser session.

##How the exploit works

This exploit works by using window.open with a target window name that exists on the other side of the privacy barrier. If you have a window named "myrealwindow" in your main browser tabs, a link or javascript window.open that targets that name will change the url of that tab, even if the link is across the privacy barrier. See Bug #1100154 for more details.

About

Demo: https://diafygi.github.io/detect-throwaways/index.html

Resources

Readme

License

AGPL-3.0 License

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.