This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Fingerprinting protections bypassable #11683

Closed
pes10k opened this issue Oct 26, 2017 · 25 comments · Fixed by #11708 or #11784
Assignees
Labels
0.19.x issue first seen in 0.19.x feature/shields fixed-with-brave-core This issue will automatically be resolved with the replacement of Muon with Brave Core. priority/P3 Major loss of function. privacy release/blocking

Comments

@pes10k
Contributor

pes10k commented Oct 26, 2017

Test plan


Description

Many of the current fingerprinting protections rely on removing references to methods from the global object. However, you can get alternate references to the same methods by inserting a configured iframe element and grabbing the references off iframe.contentWindow or iframe.contentDocument.

Steps to Reproduce

// Blocked: the parent window's reference has been removed / replaced
console.log(HTMLCanvasElement.prototype.toDataURL);

let iframe = document.createElement("iframe");
iframe.src = "https://www.brave.com/";
document.body.appendChild(iframe);

// Not blocked: read synchronously, before the navigation to the cross-origin
// src commits, so the frame still holds its initial same-origin about:blank
// document and its window exposes an untouched copy of every prototype
console.log(iframe.contentWindow.HTMLCanvasElement.prototype.toDataURL);

// Do the bad stuff: the child frame's method works on a parent-frame canvas
let someParentFrameCanvasElement = document.createElement("canvas"); // placeholder: any canvas element in the parent frame
let canvasToDataUrl = iframe.contentWindow.HTMLCanvasElement.prototype.toDataURL;
canvasToDataUrl.apply(someParentFrameCanvasElement);

Actual result:
You can get references to the fingerprinting related methods.

Expected result:
You shouldn't be able to get to these methods.

Reproduces how often: 100%

Brave Version

All versions

Reproducible on current live release:
Yes

@pes10k
Contributor Author

pes10k commented Oct 26, 2017

@diracdeltas Re our conversation on slack.

Happy to contribute a PR, but wanted to make sure my proposed solution was useful first. How does overwriting the getter for the following methods to return the blocking proxy sound?

HTMLIFrameElement.prototype.contentWindow
HTMLIFrameElement.prototype.contentDocument
HTMLFrameElement.prototype.contentWindow
HTMLFrameElement.prototype.contentDocument

This will break some patterns of cross domain access, but (hopefully?) this is very rare, and most of the world has moved on to "Channel Messaging" for these use cases.
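The guard sketched in the comment above, written out as an added example (it is not Brave's code and not the PR that closed this issue): fingerprinting-related prototype methods are replaced by a blocking proxy that reports and throws, and the `contentWindow` / `contentDocument` getters on `HTMLIFrameElement` and `HTMLFrameElement` are wrapped so that the same block is applied to every child window the moment a script reaches for it. The `makeFakeWindow` stand-in, the `BLOCKED_METHODS` list, the `report` callback and the `guardFrames` switch are assumptions made for the demo; in a browser you would call `makeGuard(...)(window)` and drop the fake.

```javascript
// Added example, not Brave's code. Guards a window against the bypass in
// this issue: fingerprinting methods are replaced by a blocking proxy, and
// frame accessors re-apply that block to each child window they hand out.
const BLOCKED_METHODS = [
  ["HTMLCanvasElement", "toDataURL"],
  ["HTMLCanvasElement", "toBlob"],
  ["CanvasRenderingContext2D", "getImageData"],
];
const FRAME_ACCESSORS = [
  ["HTMLIFrameElement", "contentWindow"],
  ["HTMLIFrameElement", "contentDocument"],
  ["HTMLFrameElement", "contentWindow"],
  ["HTMLFrameElement", "contentDocument"],
];

// report(name) runs once per blocked call (the "N methods blocked" counter).
// guardFrames=false reproduces the pre-fix behaviour: only the top window's
// prototypes are patched, so references pulled from a child frame still work.
function makeGuard(report, { guardFrames = true } = {}) {
  const installed = new WeakSet(); // proxies/getters we created, to avoid double-wrapping

  function blockMethods(win) {
    if (!win || typeof win !== "object") return;
    for (const [ctorName, method] of BLOCKED_METHODS) {
      const proto = win[ctorName] && win[ctorName].prototype;
      if (!proto || typeof proto[method] !== "function" || installed.has(proto[method])) continue;
      const blockingProxy = new Proxy(proto[method], {
        apply(_target, _thisArg, _args) {
          report(`${ctorName}.prototype.${method}`);
          throw new Error(`${ctorName}.prototype.${method} is blocked`);
        },
      });
      installed.add(blockingProxy);
      Object.defineProperty(proto, method, {
        value: blockingProxy, writable: true, configurable: true, enumerable: false,
      });
    }
    if (guardFrames) guardFrameAccessors(win);
  }

  function guardFrameAccessors(win) {
    for (const [ctorName, prop] of FRAME_ACCESSORS) {
      const proto = win[ctorName] && win[ctorName].prototype;
      const desc = proto && Object.getOwnPropertyDescriptor(proto, prop);
      if (!desc || typeof desc.get !== "function" || installed.has(desc.get)) continue;
      const originalGet = desc.get;
      const guardedGet = function () {
        const value = originalGet.call(this);
        // contentDocument reaches the child window through document.defaultView
        const childWin = prop === "contentWindow" ? value : value && value.defaultView;
        try { blockMethods(childWin); } catch (_e) { /* cross-origin WindowProxy: nothing reachable to patch */ }
        return value;
      };
      installed.add(guardedGet);
      Object.defineProperty(proto, prop, { get: guardedGet, configurable: true, enumerable: desc.enumerable });
    }
  }
  return blockMethods;
}

// Constructed stand-in for a browser window so the guard runs under Node;
// a real browser supplies these classes itself.
function makeFakeWindow() {
  class HTMLCanvasElement { toDataURL() { return "data:image/png;base64,CONSTRUCTED"; } }
  class HTMLIFrameElement {
    constructor(childWindow) { this.child = childWindow; }
    get contentWindow() { return this.child; }
    get contentDocument() { return this.child ? this.child.document : null; }
  }
  const win = { HTMLCanvasElement, HTMLIFrameElement };
  win.document = { defaultView: win };
  return win;
}

// Replays the steps from the issue against a guarded parent window and
// returns what each access path yielded ("allowed" = a data URL came back).
function runScenario({ guardFrames }) {
  const reports = [];
  const parent = makeFakeWindow();
  const child = makeFakeWindow();
  makeGuard((name) => reports.push(name), { guardFrames })(parent);

  const parentCanvas = new parent.HTMLCanvasElement();
  const frame = new parent.HTMLIFrameElement(child);
  const attempt = (fn) => { try { fn(); return "allowed"; } catch (_e) { return "blocked"; } };
  return {
    direct: attempt(() => parentCanvas.toDataURL()),
    viaContentWindow: attempt(() =>
      frame.contentWindow.HTMLCanvasElement.prototype.toDataURL.apply(parentCanvas)),
    viaContentDocument: attempt(() =>
      frame.contentDocument.defaultView.HTMLCanvasElement.prototype.toDataURL.apply(parentCanvas)),
    blockedCalls: reports.length,
  };
}

console.log("with frame guard:", runScenario({ guardFrames: true }));
console.log("without frame guard:", runScenario({ guardFrames: false }));
```

Two design points matter in a real browser. First, the guard keys "already patched" on the proxies and getters it installed, not on the window object: after the frame navigates, the same WindowProxy fronts a brand-new Window with fresh prototypes, and a window-keyed WeakSet would skip it. Second, a cross-origin child throws on any property read, so the getter swallows that error and still returns the WindowProxy; Channel Messaging through `postMessage` keeps working because the getter's return value is unchanged, only the child's prototypes are patched.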

@luixxiul luixxiul added feature/shields needs-discussion A suggestion that lacks agreement from the team. privacy labels Oct 26, 2017
@diracdeltas diracdeltas self-assigned this Oct 27, 2017
@diracdeltas
Member

diracdeltas commented Oct 27, 2017

apparently i tried to address this attack vector in 7e55416#diff-7440f7b95ccc371bdd73dce0a6631831R928 but this code was subsequently removed in b310fb1 (not sure why)

@diracdeltas
Member

diracdeltas commented Oct 27, 2017

nvm, the attack vector above is somewhat different since it is for fingerprinting by creating canvas elements in an iframe, whereas this issue is for using prototype methods in the child frames to do fingerprinting in the parent frame. @snyderp your approach sounds good to me.

@diracdeltas
Member

QA steps: go to https://jsfiddle.net/3dhmjqco/1/ with fingerprinting protection on, it should show 1 fingerprinting method blocked.

@diracdeltas diracdeltas removed their assignment Oct 30, 2017
bbondy added a commit that referenced this issue Oct 31, 2017
block access to fingerprinting methods pulled from child frames issue #11683
bbondy added a commit that referenced this issue Oct 31, 2017
block access to fingerprinting methods pulled from child frames issue #11683
bbondy added a commit that referenced this issue Oct 31, 2017
block access to fingerprinting methods pulled from child frames issue #11683
bbondy added a commit that referenced this issue Oct 31, 2017
block access to fingerprinting methods pulled from child frames issue #11683
@kjozwiak
Member

kjozwiak commented Nov 1, 2017

@srirambv @LaurenWags this needs to be checked as well. @diracdeltas has provided QA instructions in #11683 (comment).

@bsclifton
Member

PR has been reverted with fe2fced

Re-opening so that we can look at a fix for 0.20.x

@bsclifton
Member

Moving to 0.21.x (since this would be fixed by #12045)

@bsclifton bsclifton modified the milestones: 0.20.x (Beta Channel), 0.21.x (Developer Channel) Dec 29, 2017
@bsclifton bsclifton modified the milestones: 0.21.x (Beta Channel), 0.22.x (Developer Channel) Feb 20, 2018
@bbondy bbondy modified the milestones: 0.22.x (Developer Channel), 0.23.x (Nightly Channel) Feb 25, 2018
@alexwykoff alexwykoff added the priority/P3 Major loss of function. label Mar 13, 2018
@alexwykoff alexwykoff modified the milestones: 0.23.x (Nightly Channel), Backlog (Prioritized) Mar 13, 2018
@bsclifton bsclifton removed their assignment Mar 20, 2018
@tildelowengrimm tildelowengrimm added the post-v1 We don't expect to be able to resolve this before releasing v1.0 with Brave Core (instead of Muon). label Apr 3, 2018
@tildelowengrimm tildelowengrimm added fixed-with-brave-core This issue will automatically be resolved with the replacement of Muon with Brave Core. and removed post-v1 We don't expect to be able to resolve this before releasing v1.0 with Brave Core (instead of Muon). labels Jun 14, 2018
@bsclifton bsclifton removed this from the Backlog (Prioritized) milestone Sep 1, 2018