Should we disable mix-blend-mode because it can lead to a history leakage attack?
Categories: Core :: CSS Parsing and Computation, defect, P3
Tracking: firefox57: wontfix
People: Reporter: tanvi, Unassigned
References: Blocks 1 open bug
Details: Keywords: csectype-disclosure, privacy; Whiteboard: [userContextId]
Attachments: 1 file (142.29 KB, text/html)
Comment 12•5 years ago
I cannot reproduce this on Nightly Linux, with WR enabled. As in, the attack doesn't reproduce / gives wrong results.
I would have expected bug 1632765 to render this attack useless. Is there a platform combination where the attack works?
Comment 13•4 years ago
(In reply to Emilio Cobos Álvarez (:emilio) from comment #12)
> I cannot reproduce this on Nightly Linux, with WR enabled. As in, the attack doesn't reproduce / gives wrong results.
> I would have expected bug 1632765 to render this attack useless. Is there a platform combination where the attack works?
The attack doesn't rely on timing. It just uses the visited link colors. You need to click on the mole you see - it's not very clear that this is what you need to do: clicking elsewhere on the page will return a different result depending on where you click: the 256 images are in a 16x16 grid. There are eight URLs used:
https://www.cnn.com/
https://news.ycombinator.com/
https://www.reddit.com/
https://www.amazon.com/
https://twitter.com/lcamtuf
https://www.donaldjtrump.com/
https://www.farmersonly.com/
https://www.diapers.com/
The possible outcomes are the same as tossing a coin eight times (eight URLs in the sample), which is 256 combinations. If you look at the source code, it has <img src='mole.png' class='mole'> 256 times, but only one of them will be applied.
I'm not going to test all 256 possible results, but it works correctly; I tested a couple of combos. It can't not work if the visited color pref is enabled, i.e. there must always be only one possible outcome.
It seems to me that the mix-blend-mode part isn't all that interesting -- my understanding is that it's the part that this testcase uses to escalate the simple attack in comment 8 into something that can get more than one bit per interaction. I'd be somewhat surprised if it's the only way to do that; I suspect it's possible with interesting combinations of properties that have been part of the Web for much longer and are much more widely used.
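Comment 13 notes that the testcase only works while "the visited color pref" is enabled. The script below is an added example, not code from this bug or from Mozilla, for checking a Firefox profile's prefs.js/user.js for that mitigation from the defender's side. It assumes the pref is named layout.css.visited_links_enabled (a real Firefox pref whose default is true; setting it to false makes :visited links render like unvisited ones, which removes the signal this whole class of attack depends on, at the cost of visited-link styling for the user). The two profile snippets are constructed samples.

```python
# Added example (not from the bug thread): check whether a Firefox profile has
# turned off :visited styling. Pref name assumed: layout.css.visited_links_enabled
# (default true in Firefox, so an absent pref means the styling is still enabled).
import re

VISITED_PREF = "layout.css.visited_links_enabled"

# prefs.js / user.js entries have the form:  user_pref("name", value);
_PREF_LINE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$'
)


def parse_prefs(text):
    """Return {name: value} from prefs.js-style text.

    Values are decoded to bool / int / str; '//' comment lines and lines that
    do not look like a pref entry are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = _PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            value = raw  # leave anything unusual as the raw token
        prefs[name] = value
    return prefs


def visited_styling_enabled(prefs):
    """True unless the profile explicitly sets the pref to boolean false.

    Firefox defaults the pref to true, so a missing entry (or a malformed
    value) is reported as 'enabled', which is the conservative reading.
    """
    return prefs.get(VISITED_PREF, True) is not False


def report(prefs_text):
    """Human-readable verdict for a profile; returns the message it prints."""
    if visited_styling_enabled(parse_prefs(prefs_text)):
        msg = (f"{VISITED_PREF} is not set to false: :visited styling is active, "
               "so rendering that depends on link colour can still expose history")
    else:
        msg = f"{VISITED_PREF} = false: :visited links render as unvisited"
    print(msg)
    return msg


# Constructed sample profiles (not real user data).
DEFAULT_PROFILE = """\
// Mozilla User Preferences (constructed sample, pref absent -> default true)
user_pref("browser.startup.homepage", "about:blank");
user_pref("privacy.resistFingerprinting", false);
user_pref("network.http.max-connections", 900);
"""

HARDENED_PROFILE = """\
// Constructed sample: :visited styling explicitly disabled
user_pref("browser.startup.homepage", "about:blank");
user_pref("layout.css.visited_links_enabled", false);
"""

if __name__ == "__main__":
    report(DEFAULT_PROFILE)
    report(HARDENED_PROFILE)
```

The parser only needs the simple `user_pref("name", value);` grammar, so it is intentionally strict: a line it cannot match is ignored rather than guessed at, and a missing or malformed entry for the pref is reported as "still enabled" so the check fails safe.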
Comment 15•2 years ago
The severity field for this bug is relatively low, S3. However, the bug has 3 duplicates.
:emilio, could you consider increasing the bug severity?
For more information, please visit auto_nag documentation.
Comment 16•1 year ago
For archival purposes / convenience, here's a copy of https://lcamtuf.coredump.cx/whack/ (lightly edited to use an inline data URI instead of an external PNG, to make it standalone).
I can still reproduce the issue with this testcase and latest Nightly. The mole shows up in a different location depending on whether I've e.g. visited https://twitter.com/lcamtuf or https://www.cnn.com/ or presumably the rest of the URLs in the testcase (and hence, clicking the mole reveals its position and hence this information about my browsing history to the page).