This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Fingerprinting protections bypassable via window.open #12110

Closed
pes10k opened this issue Nov 27, 2017 · 7 comments
Assignees
Labels
fixed-with-brave-core This issue will automatically be resolved with the replacement of Muon with Brave Core. priority/P3 Major loss of function. privacy security wontfix

Comments

@pes10k
Contributor

pes10k commented Nov 27, 2017

Description

Similar to #11683, fingerprinting protections can be bypassed by opening a new window with window.open and grabbing references to the blocked fingerprinting methods off the new window object before the extension / content script / document_start extension hook fires in the new window's context.

This vulnerability is less serious than #11683, since the user has to have granted the page the ability to open popup windows. But once the user does, the page can escalate that privilege to fingerprint the user.

Steps to Reproduce

```javascript
// This will be a reference to a function that blocks the page's fingerprinting attempt.
let blockedGetImageData = CanvasRenderingContext2D.prototype.getImageData;

let newWindow = window.open("//" + window.location.hostname);

// If the user has allowed the page to open popup windows, `notBlockedGetImageData`
// will be a reference to the original, DOM-provided method, which is not blocked.
let notBlockedGetImageData = newWindow.CanvasRenderingContext2D.prototype.getImageData;
```

Actual result:
notBlockedGetImageData in the above example is a reference to the original CanvasRenderingContext2D.prototype.getImageData method.

Expected result:
notBlockedGetImageData in the above example should be a reference to the extension injected blocking function / proxy object.

Reproduces how often:
100% of the time

Brave Version

about:brave info:
d4b94c6 (and also master)

Reproducible on current live release:
yes

Additional Information

This would be fixed by #12045 too. A shorter-term fix could be done similar to #11683.
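As an added illustration (not code from the issue or from Brave), the following stand-alone model shows the bug class above and the shorter-term mitigation the report hints at: wrapping `window.open` so the child window is patched before the page receives a reference to it. All names (`makeWindow`, `installProtections`, `isBlocked`, `childLeaksNative`) are hypothetical, and the window objects are constructed stand-ins for real DOM globals.

```javascript
// Added example, not from the issue or Brave's code: a stand-alone model of the bypass
// class and of one mitigation. All names (makeWindow, installProtections, isBlocked,
// childLeaksNative) are hypothetical; the window objects are constructed stand-ins.

// Constructed stand-in for a Window with a native CanvasRenderingContext2D.getImageData.
function makeWindow(hostname) {
  const nativeGetImageData = function (x, y, w, h) {
    // Real pixel data would be returned here; the zeroed array stands in for it.
    return { w, h, data: new Uint8ClampedArray(w * h * 4), native: true };
  };
  return {
    location: { hostname },
    CanvasRenderingContext2D: { prototype: { getImageData: nativeGetImageData } },
    // As in the report, a freshly opened window starts out unprotected.
    open: () => makeWindow(hostname),
  };
}

// Models the extension's document_start patch: replace the native method with a
// blocking stand-in. With wrapOpen=true, window.open is also wrapped so the child
// is patched before the page receives a reference to it.
function installProtections(win, { wrapOpen }) {
  const proto = win.CanvasRenderingContext2D.prototype;
  const blocked = function (x, y, w, h) {
    return { w, h, data: new Uint8ClampedArray(w * h * 4), native: false };
  };
  blocked.isProtectionStub = true;
  proto.getImageData = blocked;
  if (wrapOpen) {
    const nativeOpen = win.open;
    win.open = (...args) => {
      const child = nativeOpen.apply(win, args);
      // Recurse so windows opened from the child are covered as well.
      return child ? installProtections(child, { wrapOpen: true }) : child;
    };
  }
  return win;
}

// True when a window's getImageData is the blocking stub rather than the native one.
function isBlocked(win) {
  return win.CanvasRenderingContext2D.prototype.getImageData.isProtectionStub === true;
}

// The check from the report: does the child opened from `win` expose the native method?
function childLeaksNative(win) {
  const child = win.open("//" + win.location.hostname);
  return !isBlocked(child);
}
```

In a real browser the Window returned by `window.open` can be replaced once the opened URL finishes loading, so a synchronous wrapper like this only covers the initial document; enforcing the protection below the JS layer, as the thread's resolution does, avoids that gap.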

@diracdeltas
Member

marking as 0.20.x since it is a subissue of #12045

@bsclifton bsclifton modified the milestones: 0.20.x (Beta Channel), 0.21.x (Developer Channel) Dec 29, 2017
@bsclifton
Member

Moving to 0.21.x since this is a sub-issue of #12045 (which was moved to 0.21.x)

@alexwykoff
Contributor

@diracdeltas should this be in 0.21.x or can it be moved back?

@diracdeltas
Member

@alexwykoff see #12045 (comment)

@bsclifton bsclifton modified the milestones: 0.21.x (Beta Channel), 0.22.x (Developer Channel) Feb 20, 2018
@bbondy bbondy modified the milestones: 0.22.x (Developer Channel), 0.23.x (Nightly Channel) Feb 25, 2018
@alexwykoff alexwykoff modified the milestones: 0.23.x (Nightly Channel), Backlog (Prioritized) Mar 13, 2018
@alexwykoff alexwykoff added the priority/P3 Major loss of function. label Mar 13, 2018
@tildelowengrimm tildelowengrimm added the post-v1 We don't expect to be able to resolve this before releasing v1.0 with Brave Core (instead of Muon). label Apr 3, 2018
@tildelowengrimm tildelowengrimm assigned yrliou and unassigned jumde Apr 3, 2018
@tildelowengrimm

@yrliou Can you confirm whether this is fixed in brave-browser?

@yrliou
Member

yrliou commented Apr 3, 2018

It's fixed by brave/brave-browser#11; fingerprinting protection in brave-browser is implemented in C++ instead of using proxy objects in JS, so it won't have this issue.

@bsclifton bsclifton added fixed-with-brave-core This issue will automatically be resolved with the replacement of Muon with Brave Core. and removed post-v1 We don't expect to be able to resolve this before releasing v1.0 with Brave Core (instead of Muon). labels May 1, 2018
@bsclifton
Member

Will be fixed by our upcoming fork (thanks for the update, @yrliou!)

For browser-laptop (the current version of the product), I'm going to close this issue as wontfix

@bsclifton bsclifton removed this from the Backlog (Prioritized) milestone May 1, 2018
8 participants