Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FYI - Detecting Canvas Defender and recovering the original canvas value #458

Closed
Just-me-ghacks opened this issue Jul 3, 2018 · 9 comments
Closed

FYI - Detecting Canvas Defender and recovering the original canvas value #458

Just-me-ghacks opened this issue Jul 3, 2018 · 9 comments

Comments

@Just-me-ghacks
Copy link

Evaluating the privacy implications of a canvas fingerprinting countermeasure

In this post, we showed that contrary to what’s claimed in their article, Canvas Defender can easily be detected. We showed that detecting if a user has Canvas Defender installed can be checked by looking at the string representation of toDataURL. It can also be detected using the MutationObserver API. The advantage of this approach is that it enables to extract the noise vector used by Canvas Defender. Depending on the settings chosen by the user in the extension, this noise vector may remain the same until the user deliberately changes it. Finally, we showed how to recover the original canvas value, even in the presence of Canvas Defender.

Can mozilla and google recover the original canvas value if you use privacy.resistFingerprinting to spoof it?
@earthlng
Copy link
Contributor

earthlng commented Jul 3, 2018

Holy shit! Thanks for sharing that link.

This also makes some of our userscripts easily detectable btw ...
Ctrl+K then enter history.__lookupGetter__('length').toString() to see the custom function that spoofs history.length

@kkapsner
Copy link

kkapsner commented Jul 3, 2018
edited

I think all the points in the article do not apply to CanvasBlocker. The point is that Firefox has some additional WebExtension APIs that allow addon-code to run in the (security) context of the web page (exportFunction). But if you create a WebExtension that also has to run on Chrome or even Edge you cannot use them.

That's why CB is only for Firefox. (Although I recently got a request for a Chrome version: kkapsner/CanvasBlocker#203 - let's see how this works out...

I also did a test where I could extract the canvas fingerprint with Canvas Defender installed without any additional code - the addon code was just not loaded fast enough... WebExtensions are a nightmare to build a privacy addon with...

@earthlng: these APIs would also allow the history.length to be spoofed in a sneaky fashion. To be honest: it would be really simple to include this in CanvasBlocker... ;)

@kkapsner
Copy link

kkapsner commented Jul 3, 2018

Just realized they removed the exportFunction documentation: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Content_scripts$compare?locale=en-US&to=1348378&from=1348018
Hopefully they do not want to ditch it.

@kkapsner kkapsner mentioned this issue Jul 3, 2018
Open
@kkapsner
Copy link

kkapsner commented Jul 3, 2018
edited

Here my test page for the extraction: https://canvasblocker.kkapsner.de/test/settingsLoading.php

Canvas Defender:
grafik (changed the hashes as i do not want to post my canvas fingerprint on the internet...)

CanvasBlocker:
grafik notice the fingerprint icon in the address bar (here I can give you the real data as they are faked ;))

@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Jul 4, 2018
Closed
@kkapsner
Copy link

kkapsner commented Jul 4, 2018

Regarding e5d...: I get this as well when disabling CB and using RFP - so it's the correct value. I use a different canvas size (220px × 30px) and therefore the hash is different (also I do not know which hashing algorithm panopticlick is using - I use sha256 of the data-URL).

@earthlng
Copy link
Contributor

earthlng commented Jul 4, 2018
edited

Just realized they removed the exportFunction documentation

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Sharing_objects_with_page_scripts

@earthlng
Copy link
Contributor

earthlng commented Jul 4, 2018

@kkapsner

these APIs would also allow the history.length to be spoofed in a sneaky fashion.

can you show me how, please? I can't wrap my head around how to exportFunction a getter in a way that still makes it possible to check the original history.length (to know what to return) while at the same time prevent the page from seeing the custom function.

@kkapsner
Copy link

kkapsner commented Jul 4, 2018

@earthlng: thanks for the new link - good to know that it is still documented.
For the "how to exportFunction a getter" you can check CB-Code as that is exactly what I do: https://github.com/kkapsner/CanvasBlocker/blob/master/lib/intercept.js#L179
You first store the original function (has to be slighly different in your case as you have to store the getter) and then you redefine the getter.

@Thorin-Oakenpants: I do not think that the situation is that bad. Most dddons do not need to provide functions that can be called by the website. But I have not checked and unfortunately all the anti-fingerprinting and some of the privacy addons have to. So if they are not carefully they might make things wore.

@kkapsner
Copy link

kkapsner commented Jul 4, 2018
edited

I think this might require us to vet all our recommended addons, but I have no idea how to do that

One by one on an individual basis. Basically look in the code of the addon or the "bad" guys and see what of the browsers APIs they are using/changing.

@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Jul 5, 2018
Closed
@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Aug 16, 2018
Closed
This was referenced Aug 24, 2018
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kkapsner @Thorin-Oakenpants @earthlng @Just-me-ghacks