web_accessible_resource secret token accessible to webpages #550

Closed
8 tasks done
konarkmodi opened this issue Apr 30, 2019 · 1 comment
Labels: Chromium (specific to Chromium/Chrome), fixed (issue has been addressed)

@konarkmodi

Prerequisites

  • I verified that this is not a filter issue
  • This is not a support issue or a question
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
    • Your issue may already be reported.
  • I tried to reproduce the issue when...
    • uBlock Origin is the only extension
    • uBlock Origin with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uBlock Origin
  • I checked the documentation to understand that the issue I report is not a normal behavior

Description

As per the documentation here: https://github.com/gorhill/uBlock/blob/master/src/web_accessible_resources/README.txt#L3, even the files listed under web_accessible_resources are protected from being accessed by webpages using secret_token.

However, in Chromium-based browsers, we have found that under special circumstances webpages can steal that token:

  • Revealing user has uBlockOrigin installed.
  • Accessing files under web_accessible_resources.
  • Modifying the content of files added to the page via web_accessible_resources and potentially circumventing the functionality.
  • The secret token seems to be generated on browser restart, hence it can be used as a session identifier to track the users across domains.

A specific URL where the issue occurs

Given the bug tracker is open, intentionally keeping from giving more details / PoC.
Is there a way to report security / privacy issues?

  • uBlock Origin version: 1.18.16
  • Browser Name and version: Version 74.0.3729.108 (Official Build) (64-bit)
  • Operating System and version: macOS 10.14.4
@gorhill

gorhill commented Apr 30, 2019

> Is there a way to report security / privacy issues?

I sent you an email.

uBlock-user added the "something to address" and "Chromium" labels Apr 30, 2019
gorhill added a commit to gorhill/uBlock that referenced this issue Apr 30, 2019
Related issue:
- uBlockOrigin/uBlock-issues#550

Related Chromium issue (I can't access it):
- https://bugs.chromium.org/p/chromium/issues/detail?id=957866

Findings so far: affects browsers based on Chromium 74.
I could not reproduce the issue with either Chromium 73 or
Google Chrome 75.

This commit is a mitigation: to prevent sites from using
uBO's internal WAR secret for tracking purpose. A secret
can be used for at most one second, after which a new secret
is generated.

The original issue related to the implementation of
secret-gated web accessible resources is:
- #2823
gorhill added a commit to gorhill/uBlock that referenced this issue May 1, 2019
uBlock-user added the "fixed" label and removed the "something to address" label May 10, 2019
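
The mitigation described in the commit message above (a secret usable for at most one second, then replaced) can be sketched as follows. This is an added example, not uBlock Origin's code: `createSecretGate`, the `secret` query parameter, and the `extension-id` / `example.js` URL are assumptions made for illustration, and the scenario uses a constructed fake clock.

```javascript
// Added example, not uBlock Origin's code. Names and URL shape are assumptions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;
const SECRET_TTL_MS = 1000; // "at most one second", per the commit message

function createSecretGate(now = Date.now) {
    const live = new Map(); // secret -> expiry time in ms

    // Drop every secret whose lifetime has elapsed.
    function purge(t) {
        for (const [secret, expiry] of live) {
            if (expiry <= t) live.delete(secret);
        }
    }

    return {
        // Mint a fresh 128-bit secret for one outgoing redirect.
        issue() {
            const t = now();
            purge(t);
            const bytes = rng.getRandomValues(new Uint8Array(16));
            const secret = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
            live.set(secret, t + SECRET_TTL_MS);
            return secret;
        },
        // Allow a resource request only if it carries a still-live secret.
        allows(url) {
            let secret;
            try {
                secret = new URL(url).searchParams.get('secret');
            } catch {
                return false; // malformed URL
            }
            purge(now());
            return secret !== null && live.has(secret);
        },
    };
}

// Constructed scenario: a page captures a secret at t=0 and reuses it later.
function replayScenario() {
    let t = 0;
    const gate = createSecretGate(() => t);
    const base = 'chrome-extension://extension-id/web_accessible_resources/example.js';
    const captured = gate.issue();
    const fresh = gate.allows(`${base}?secret=${captured}`);    // within lifetime
    t = 1500;                                                   // 1.5 s later
    const next = gate.issue();
    const replayed = gate.allows(`${base}?secret=${captured}`); // expired
    const nextOk = gate.allows(`${base}?secret=${next}`);
    return { fresh, replayed, rotated: next !== captured, nextOk };
}
```

Because every secret is discarded after its lifetime, a value a page manages to capture stops working as a resource key and no longer persists long enough to act as a session identifier across sites.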