New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fingerprinting done through in-page JavaScript on anilinkz.io #389

Closed
Okamoi opened this Issue May 2, 2017 · 8 comments

Comments

Projects
None yet
4 participants
@Okamoi

Okamoi commented May 2, 2017

Hi,

URL(s) where the issue occurs

http://anilinkz.io/death-note-episode-36

Describe the issue

When you first load this page, your first click anywhere on the page will trigger a connection to a tracking website. The connection is not completely blocked even with almost all filter lists enabled, and the domain and URL change regularly. Here's custom rules I set for 3 of those:

||oscarlosun.com^
||planniver.com^
||roughted.com^

But instead of blocking a new obscure domain not present in any filter list every week it would be safer to block the JavaScript that triggers this connection instead.

And that's where the problem lies: It's not just a connection triggered on click, there's a whole fingerprinting script in there that should never be allowed to run, regardless of if the results are sent to some obscure domain or anilinkz.io themselves.

So, can uBlock's more advanced features take care of this ? What do such rules look like ?

Screenshot(s)

No screenshot needed, just mentioning that the script is inlined and enclosed with a (function (){}) thing, and heavily obfuscated in some parts.

Versions

  • Browser/version: Firefox 53
  • uBlock Origin version: 1.12.1

Settings

-snip-

Notes

(function(){function m(b) //... is the culprit. I have no idea how to block its execution since it is inlined and enclosed.

Thanks if you can help!

@gorhill

This comment has been minimized.

Show comment
Hide comment
@gorhill

gorhill May 2, 2017

Member

This will abort the execution of the fingerprint code:

anilinkz.io##script:inject(abort-on-property-write.js, Fingerprint2)

For the popups, just toggle on the no-popups switch. This would need more investigation to figure whether the code for these popups can be defused.

Why would you have NoScript handle the 3rd-party scripts/frames? You are forfeiting uBO's ability to block/allow on a per-site basis, i.e. if a script/frame from one undesirable hostname is absolutely needed on a given site, you can do this with uBO, rather than allow everywhere with NoScript (I know about ABE, point-and-clicking is much more user-friendly).

Member

gorhill commented May 2, 2017

This will abort the execution of the fingerprint code:

anilinkz.io##script:inject(abort-on-property-write.js, Fingerprint2)

For the popups, just toggle on the no-popups switch. This would need more investigation to figure whether the code for these popups can be defused.

Why would you have NoScript handle the 3rd-party scripts/frames? You are forfeiting uBO's ability to block/allow on a per-site basis, i.e. if a script/frame from one undesirable hostname is absolutely needed on a given site, you can do this with uBO, rather than allow everywhere with NoScript (I know about ABE, point-and-clicking is much more user-friendly).

@gorhill

This comment has been minimized.

Show comment
Hide comment
@gorhill

gorhill May 2, 2017

Member

Note: with the scriptlet suggested above, there is no more connection attempt to d2nz8k4xyoudsx.cloudfront.net -- so it seems this is where the fingerprint was sent (seemingly encoded in the URL).

Member

gorhill commented May 2, 2017

Note: with the scriptlet suggested above, there is no more connection attempt to d2nz8k4xyoudsx.cloudfront.net -- so it seems this is where the fingerprint was sent (seemingly encoded in the URL).

@uBlock-user

This comment has been minimized.

Show comment
Hide comment
@uBlock-user

uBlock-user May 2, 2017

Member

for popups,

anilinkz.*##script:inject(abort-on-property-read.js, open)
anilinkz.*##script:inject(noeval.js)
Member

uBlock-user commented May 2, 2017

for popups,

anilinkz.*##script:inject(abort-on-property-read.js, open)
anilinkz.*##script:inject(noeval.js)
@Okamoi

This comment has been minimized.

Show comment
Hide comment
@Okamoi

Okamoi May 2, 2017

Thank you both, that works perfectly. I don't have pop-ups with Gorhill's rule, and without it only on first click if it was a middle click. The pop up was blocked with an annoying Firefox message below the address bar though. It's gone with Fingerprint2's rule alone anyway.

-snip-

Next time I need to use an advanced rule like this script injection thingy, do you think I can bother directly EasyPrivacy's maintainer ? Are they familiar with the syntax and willing to use uBlock-only rules ?
Actually, can I just barge in and suggest they add these 3 filters to the list for everyone ?

Okamoi commented May 2, 2017

Thank you both, that works perfectly. I don't have pop-ups with Gorhill's rule, and without it only on first click if it was a middle click. The pop up was blocked with an annoying Firefox message below the address bar though. It's gone with Fingerprint2's rule alone anyway.

-snip-

Next time I need to use an advanced rule like this script injection thingy, do you think I can bother directly EasyPrivacy's maintainer ? Are they familiar with the syntax and willing to use uBlock-only rules ?
Actually, can I just barge in and suggest they add these 3 filters to the list for everyone ?

@uBlock-user

This comment has been minimized.

Show comment
Hide comment
@uBlock-user

uBlock-user May 2, 2017

Member

No, they're not. They will direct you here, so don't bother them. Lastly, NoScript is not known to play well if you run it with uBO. It's best that either you remove it or keep it disabled if it does something unexpected, also uBO offers nothing less than NoScript, infact you don't need the extension if you're already using uBO.

Member

uBlock-user commented May 2, 2017

No, they're not. They will direct you here, so don't bother them. Lastly, NoScript is not known to play well if you run it with uBO. It's best that either you remove it or keep it disabled if it does something unexpected, also uBO offers nothing less than NoScript, infact you don't need the extension if you're already using uBO.

@gorhill gorhill closed this in 802b420 May 2, 2017

@Okamoi

This comment has been minimized.

Show comment
Hide comment
@Okamoi

Okamoi May 2, 2017

Ah, I see it's in uBlock-only filters for everyone now. Got it, this place is uBlock's feature-specific equivalent of the forum where you request new EasyList filters.

Thanks again :)

As for NoScript, I never noticed any issue with uBO, at least with my setup. Both add-ons work as I would expect them according to Firefox console logs, uBO's logs and firewall logs. I'm not ready to remove NoScript considering that the features of both extensions don't overlap completely.

Okamoi commented May 2, 2017

Ah, I see it's in uBlock-only filters for everyone now. Got it, this place is uBlock's feature-specific equivalent of the forum where you request new EasyList filters.

Thanks again :)

As for NoScript, I never noticed any issue with uBO, at least with my setup. Both add-ons work as I would expect them according to Firefox console logs, uBO's logs and firewall logs. I'm not ready to remove NoScript considering that the features of both extensions don't overlap completely.

@RoxKilly

This comment has been minimized.

Show comment
Hide comment
@RoxKilly

RoxKilly May 25, 2017

This issue was just mentioned today on BleepingComputer.com in a story about a large malvertising campaign -- called RoughTed -- that can circumvent ad-blockers

RoxKilly commented May 25, 2017

This issue was just mentioned today on BleepingComputer.com in a story about a large malvertising campaign -- called RoughTed -- that can circumvent ad-blockers

@gorhill

This comment has been minimized.

Show comment
Hide comment
@gorhill
Member

gorhill commented May 25, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment