Closed Bug 1396468 Opened 7 years ago Closed 7 years ago

Spoof navigator.oscpu as 'Windows NT 6.1; Win64; x64' when resisting fingerprinting is enabled

Categories

(Core :: DOM: Security, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla57
Tracking Status
firefox56 --- fixed
firefox57 --- fixed

People

(Reporter: ethan, Assigned: ethan)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor][fingerprinting][domsecurity-active])

Attachments

(1 file, 2 obsolete files)

This is a follow-up of bug 1333651.

https://bugzilla.mozilla.org/show_bug.cgi?id=1383495#c23
This comment pointed out the value of navigator.oscpu should be spoofed as
"Windows NT 6.1; Win64; x64" instead of "Window NT 6.1".


Reference of navigator.oscpu:
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/oscpu
Assignee: nobody → ettseng
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [tor][fingerprinting]
Summary: Spoof Navigator.oscpu as "Windows NT 6.1; Win64; x64" when resisting fingerprinting is enabled → Spoof navigator.oscpu as 'Windows NT 6.1; Win64; x64' when resisting fingerprinting is enabled
Whiteboard: [tor][fingerprinting] → [tor][fingerprinting][domsecurity-active]
See Also: → 1383495
Attached patch bug-1396468.patch (obsolete) — Splinter Review
Just as bug 1383495, we might want to uplift this to Beta 56.
Attachment #8904105 - Flags: review?(ehsan)
Comment on attachment 8904105 [details] [diff] [review]
bug-1396468.patch

Cancel the review request.
I forgot to change the test case.
Attachment #8904105 - Flags: review?(ehsan) → review-
Attachment #8904105 - Flags: review-
Attached patch bug-1396468.patch (obsolete) — Splinter Review
Hi Ehsan,

Could you review this patch?

It's a follow-up of bug 1383495.
According to https://developer.mozilla.org/en-US/docs/Web/API/Navigator/oscpu,
the oscpuInfo string on Windows 64-bit should be Windows NT 6.1; Win64; x64.
Attachment #8904105 - Attachment is obsolete: true
Attachment #8904310 - Flags: review?(ehsan)
https://bugzilla.mozilla.org/show_bug.cgi?id=1333933#c13

> Is anyone going to address the issue of the UA navigator.* spoofing items
> that are not fully spoofed? UA http header will not match JS's value when it
> queries navigator.userAgent. Or JS pulling the real values for say
> navigator.platform or navigator.oscpu. Not to mention some of these "spoofs"
> leak over iframes.

Thanks for someone finally picking up on oscpu as mentioned. I suggest you double check platform, and test everything over iframes [1], seriously, go check them (I have not tested lately). I'll also assume you have headers covered to match any JS spoofing [2].

[1] https://browserleaks.com/javascript - click the iframe button
[2] http://browserspy.dk/useragent.php
FYI:

https://trac.torproject.org/projects/tor/ticket/23104 - CSS line height query leaks OS
https://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html - notably scrollbar thickness / Viewport Size

eg my results:
> Scrollbar thickness: right 17px, bottom 0px; Detected Windows
Comment on attachment 8904310 [details] [diff] [review]
bug-1396468.patch

Review of attachment 8904310 [details] [diff] [review]:
-----------------------------------------------------------------

Oops, this needs to be backported to beta, right?
Attachment #8904310 - Flags: review?(ehsan) → review+
(In reply to :Ehsan Akhgari (needinfo please, extremely long backlog) from comment #6)
> Oops, this needs to be backported to beta, right?

Yes!  Hope we could make it.
Refresh the commit message "r=ehsan".
Attachment #8904310 - Attachment is obsolete: true
Attachment #8905120 - Flags: review+
(In reply to Simon Mainey from comment #4)
> Thanks for someone finally picking up on oscpu as mentioned. I suggest you
> double check platform, and test everything over iframes [1], seriously, go
> check them (I have not tested lately). I'll also assume you have headers
> covered to match any JS spoofing [2].
> [1] https://browserleaks.com/javascript - click the iframe button
> [2] http://browserspy.dk/useragent.php

Simon,

Thanks for the information! Really helpful!
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/38323ec9e5da
Spoof navigator.oscpu as 'Windows NT 6.1; Win64; x64' when resisting fingerprinting is enabled. r=ehsan
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/38323ec9e5da
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
(In reply to Simon Mainey from comment #5)
> https://trac.torproject.org/projects/tor/ticket/23104 - CSS line height query leaks OS
> https://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html - notably scrollbar thickness / Viewport Size

Do you want me to do anything with these two issues, eg filing new tickets?
(In reply to Simon Mainey from comment #12)
> (In reply to Simon Mainey from comment #5)
> > https://trac.torproject.org/projects/tor/ticket/23104 - CSS line height query leaks OS
> > https://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html - notably scrollbar thickness / Viewport Size 
> Do you want me to do anything with these two issues, eg filing new tickets?

That would be great.  Please file bugs and add me to the CC list.
Thanks!
Comment on attachment 8905120 [details] [diff] [review]
bug-1396468.patch

Approval Request Comment
[Feature/Bug causing the regression]: N/A
[User impact if declined]: A weakness in fingerprinting protection
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: N/A
[Is the change risky?]: No
[Why is the change risky/not risky?]: We only changed one constant definition
[String changes made/needed]: N/A
Attachment #8905120 - Flags: approval-mozilla-beta?
(In reply to Ethan Tseng [:ethan] from comment #13)
> That would be great.  Please file bugs and add me to the CC list.
> Thanks!

I don't know how to CC someone, so I flagged them both as needinfo from you: Bug 1397994 and Bug 1397996
(In reply to Simon Mainey from comment #15)
> I don't know how to CC someone, so I flagged them both as needinfo from you:
> Bug 1397994 and Bug 1397996

That is fine. Thanks for filing those bugs.
I set some flags so we will triage and process them in the near future.

p.s. How to CC people?
[Edit Bug] > [People] > [CC] > [Add]
Comment on attachment 8905120 [details] [diff] [review]
bug-1396468.patch

Fix a fingerprinting protection issue. Beta56+.
Attachment #8905120 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
The patch introduced here causes websites to assume that the client is running on a desktop OS. That has unintended side effects on Firefox for Android. See Bug 1409001
(In reply to Cyrus Patel from comment #19)
> The patch introduced here causes websites to assume that the client is
> running on a desktop OS. That has unintended side effects on Firefox for
> Android. See Bug 1409001

Cyrus, thanks for reporting the issue.
We are aware of it and already track it in bug 1404608.
See Also: → 1404608
See Also: → 1511434
You need to log in before you can comment on or make changes to this bug.