login fencedframes: exfiltration through show/hide signal? #65

Open
jeremyroman opened this issue Apr 29, 2021 · 0 comments
In the example with fenced frames and permissions, it appears that before user interaction the IDP frame has some mechanism to communicate 1 bit of information indicating whether the frame should be shown or not (presumably the IDP popup needs to be hidden by the RP if no account is available).

Since these frames have access to first-party cookies, it seems that the RP in cooperation with a tracking "IDP" could do this:

```html
<fencedframe src="//tracker.example/0.wbn"></fencedframe>
<fencedframe src="//tracker.example/1.wbn"></fencedframe>
...
<fencedframe src="//tracker.example/63.wbn"></fencedframe>
```

and then use the show/hide signal on each to extract 1 bit of information, extended in this way to an arbitrarily large identifier without user interaction.

Even if this is limited to one per origin, using same-site origins (which can share site cookies) or a sufficient set of coordinating domains could potentially create a unique trackable identifier.
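
The point of the last paragraph, that a one-signal-per-origin cap does not bound the leak, can be checked by counting the bits a page could observe under different budget keys. This is an added example, not part of the original issue or of the proposal it discusses; the budget model, the function names, the sample hosts and the population figure are assumptions constructed for illustration, and the two-label site heuristic stands in for the Public Suffix List.

```javascript
// Added illustration: how many show/hide bits an embedding page can observe
// when the browser honours at most one signal per budget key.
// Every name below is hypothetical; none comes from a real API.

// Naive site guess: last two host labels. Browsers use the Public Suffix
// List; this shortcut is an assumption that holds for the constructed hosts.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Count frames whose signal is honoured under a one-per-key budget.
function observableBits(frameUrls, keyFn) {
  const spent = new Set();
  for (const url of frameUrls) spent.add(keyFn(new URL(url).host));
  return spent.size;
}

// Bits needed to single out one user in a population.
function bitsToSingleOut(population) {
  return Math.ceil(Math.log2(population));
}

// Compare a per-origin cap with a per-site cap for one page's frames.
// All sample URLs are https on the default port, so the host is the origin key.
function audit(frameUrls, population) {
  const need = bitsToSingleOut(population);
  const perOrigin = observableBits(frameUrls, (h) => h);
  const perSite = observableBits(frameUrls, siteOf);
  return {
    perOrigin, perSite,
    uniqueUnderOriginCap: perOrigin >= need,
    uniqueUnderSiteCap: perSite >= need,
  };
}

// Constructed inputs: one origin, 64 same-site origins, 33 separate sites.
const mk = (n, f) => Array.from({ length: n }, (_, i) => f(i));
const oneOrigin = mk(64, (i) => `https://tracker.example/${i}.wbn`);
const sameSite = mk(64, (i) => `https://t${i}.tracker.example/id.wbn`);
const manySites = mk(33, (i) => `https://tracker${i}.example/id.wbn`);

const POPULATION = 8e9; // assumed population size
for (const [name, frames] of Object.entries({ oneOrigin, sameSite, manySites })) {
  console.log(name, audit(frames, POPULATION));
}
```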
