Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIN] PublicKeyCredential API as a device fingerprint source #1758

Closed
4 tasks done
uazo opened this issue Jan 23, 2025 · 0 comments
Closed
4 tasks done

[WIN] PublicKeyCredential API as a device fingerprint source #1758

uazo opened this issue Jan 23, 2025 · 0 comments
Labels
privacy issue fingerprinting detected!

Comments

@uazo
Copy link
Owner

uazo commented Jan 23, 2025

Preliminary checklist

  • I have read the README.
  • I have searched the existing issues for my problem. This is a new ticket, NOT a duplicate or related to another open issue.
  • I have updated Cromite to the latest version. The bug is reproducible on this latest version.
  • This is a bug report about the Cromite browser; not the website nor F-Droid nor anything else.

Can the bug be reproduced with corresponding Chromium version?

Yes

Are you sure?

Yes

Cromite version

132.0.6834.83

Device architecture

windows

Platform version

Windows 10

Android Device model

n/a

Is the device rooted?

I prefer not to write it

Changed flags

not important

Is this bug happening ONLY in an incognito tab?

No

Is this bug caused by the adblocker?

No

Is this bug a crash?

no

Describe the bug

in Windows, PublicKeyCredential API as a fingerprint source, as expose

  • presence (or lack thereof) of a Bluetooth device
  • activation (or not) of Windows Hello

Steps to reproduce the bug

await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();

true: windows hello active
false: windows hello not active (or guest mode)

and

await PublicKeyCredential.getClientCapabilities()

hybridTransport: true -> presence of bluetooth

when it will become active

Expected behavior

hide data to websites

Screenshots

No response
@uazo uazo added the privacy issue fingerprinting detected! label Jan 23, 2025
@uazo uazo changed the title (WIN) PublicKeyCredential API as a device fingerprint source [WIN] PublicKeyCredential API as a device fingerprint source Jan 23, 2025
uazo added a commit that referenced this issue Jan 24, 2025
@uazo
PublicKeyCredential fingerprinting mitigations: Removes the possibili…
69ba260 
…ty of obtaining the presence of Windows Hello and Bluetooth by querying the PublicKeyCredential of the webauth api in the Windows platform (#1758)
uazo added a commit that referenced this issue Jan 24, 2025
@uazo
Disable Web Bluetooth by default in desktop platforms: on desktop pla…
6ceda90 
…tforms, disable Bluetooth by default and activate the user-manageable content setting ui. (#1758)
@uazo uazo mentioned this issue Jan 26, 2025
Closed
@uazo uazo closed this as completed Jan 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
privacy issue fingerprinting detected!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@uazo