On 9/12/2016 9:41 AM, [email protected] wrote:
https://www.browserleaks.com/firefox

It can be used both for fingerprinting (different users use different OS setups
or different Tor versions) and for exploiting software vulnerabilities, because when
an attacker doesn't know your OS or browser version they don't know which payload can
do the thing; if used incorrectly it will show a download warning that
compromises their valuable malware to Citizen Lab-like groups.
Using TBB, I looked at the link - browserleaks.com/firefox - with JS disabled. The code that supposedly detects values in firefox.js giving away the OS:

<script>
    // Loads Firefox's own default-prefs file as a script. Firefox evaluates
    // it, calling the page-defined pref()/sticky_pref() below once per line.
    var include = function(load, err) {
        var el = document.createElement("script");
        el.type = "text/javascript";
        el.onload = load;
        el.onerror = err;
        document.head.appendChild(el);
        el.src = "resource:///defaults/preferences/firefox.js";
    };

    var pref,
        sticky_pref,
        os;

    // Three platform-specific default prefs act as tells; the first one
    // seen decides the OS.
    pref = sticky_pref = function(key, val) {
        if (!os) {
            if (key == "browser.gesture.pinch.out" && val == "cmd_fullZoomEnlarge")
                os = "Windows";
            else if (key == "browser.backspace_action" && val == "2")
                os = "Linux";
            else if (key == "browser.gesture.pinch.threshold" && val == "150")
                os = "Mac";
        }
    };

    include(function() {
        console.log( "OS: " + (os ? os : "unknown") );
    }, function() {
        console.log( "OS: n/a (not a Firefox)" );
    });
</script>


The prefs & values the code is querying appear in about:config, as would many firefox.js settings.

Question for devs / Firefox experts: many prefs are reported to sites so they can display content, but are they allowed to access every setting in about:config - default or user set?
This can't be correct. That would make users very unique.

Is this bug somehow supposed to allow only querying firefox.js values & no other files? Why is that? If allowed access to firefox.js, why not all firefox files?
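To make the mechanism inspectable without a browser, here is an added example (not code from browserleaks.com, Mozilla or the mail above) that performs the same three-pref classification over a constructed firefox.js-style fragment. It parses pref()/sticky_pref() lines as text instead of executing them, and, beyond the original script, reports every matching tell rather than only the first, which shows the full surface a defaults file exposes. The sample text and the helper names (parsePrefs, classifyOS, detect) are assumptions made for this example.

```javascript
// Constructed sample in firefox.js syntax; NOT a copy of any real Firefox
// build's defaults file.
const SAMPLE_FIREFOX_JS = `
// constructed sample
pref("browser.startup.homepage", "about:home");
sticky_pref("browser.backspace_action", 2);
pref("browser.gesture.pinch.threshold", 25);
pref("app.update.enabled", true);
`;

// Parse pref()/sticky_pref() calls into a Map of name -> string value.
// Values stay as strings so comparisons behave like the loose "==" used
// by the page's script (where val == "2" matches the number 2).
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:sticky_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    let value = m[2];
    // strip the quotes around string literals
    if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    prefs.set(m[1], value);
  }
  return prefs;
}

// The platform tells, exactly the rules from the script quoted above.
const OS_TELLS = [
  { key: "browser.gesture.pinch.out", value: "cmd_fullZoomEnlarge", os: "Windows" },
  { key: "browser.backspace_action", value: "2", os: "Linux" },
  { key: "browser.gesture.pinch.threshold", value: "150", os: "Mac" },
];

// Returns the OS the original script would print (first match wins, as it
// sets `os` only once) plus every tell that matched, so the whole leak
// surface is visible.
function classifyOS(prefs) {
  const matched = OS_TELLS.filter((t) => prefs.get(t.key) === t.value);
  return {
    os: matched.length ? matched[0].os : "unknown",
    matched: matched.map((t) => t.key),
  };
}

// Mirrors the page's two callbacks: null stands for the onerror path, i.e.
// the resource:// URL could not be loaded (not Firefox, or access blocked).
function detect(firefoxJsText) {
  if (firefoxJsText === null) return "OS: n/a (not a Firefox)";
  const { os } = classifyOS(parsePrefs(firefoxJsText));
  return "OS: " + os;
}

console.log(detect(SAMPLE_FIREFOX_JS)); // OS: Linux
console.log(detect(null));              // OS: n/a (not a Firefox)
```

Running it against the constructed sample prints "OS: Linux" because only the backspace_action tell matches; feeding it a real profile's defaults file (read from disk, not via resource://) shows which of the three tells that build would reveal to a page that can load the file.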
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk