Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

web_accessible_resource secret token accessible to webpages #550

Closed
konarkmodi opened this issue Apr 30, 2019 · 1 comment

Comments

Projects
None yet
3 participants
@konarkmodi
Copy link

commented Apr 30, 2019

Prerequisites

  • I verified that this is not a filter issue
  • This is not a support issue or a question
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
    • Your issue may already be reported.
  • I tried to reproduce the issue when...
    • uBlock Origin is the only extension
    • uBlock Origin with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uBlock Origin
  • I checked the documentation to understand that the issue I report is not a normal behavior

Description

As per the documentation here: https://github.com/gorhill/uBlock/blob/master/src/web_accessible_resources/README.txt#L3, even the files listed under web_accessible_resources are protected from being accessed by webpages using secret_token.

However, in Chromium based browser, we have found that under special circumstances webpages can steal that token:

  • Revealing user has uBlockOrigin installed.
  • Accessing files under web_accessible_resources.
  • Modifying the content of files added to the page via web_accessible_resources and potentially circumvent the functionality
  • The secret token seems to be generated on browser restart, hence it can be used as a session identifier to track the users across domains.

A specific URL where the issue occurs

Given the bug tracker is open, intentionally keeping from giving more details / PoC.
Is there a way to report security / privacy issues?

  • uBlock Origin version: 1.18.16
  • Browser Name and version: Version 74.0.3729.108 (Official Build) (64-bit)
  • Operating System and version: macOS 10.14.4
@gorhill

This comment has been minimized.

Copy link
Member

commented Apr 30, 2019

Is there a way to report security / privacy issues?

I sent you an email.

gorhill added a commit to gorhill/uBlock that referenced this issue Apr 30, 2019

Web accessible secrets can be used for at most one second
Related issue:
- uBlockOrigin/uBlock-issues#550

Related Chromium issue (I can't access it):
- https://bugs.chromium.org/p/chromium/issues/detail?id=957866

Findings so far: affects browsers based on Chromium 74.
I could not reproduce the issue with either Chromium 73 or
Google Chrome 75.

This commit is a mitigation: to prevent sites from using
uBO's internal WAR secret for tracking purpose. A secret
can be used for at most one second, after which a new secret
is generated.

The original issue related to the implementation of
secret-gated web accessible resources is:
- #2823

gorhill added a commit to gorhill/uBlock that referenced this issue May 1, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.