Closed
Bug 1396468
Opened 7 years ago
Closed 7 years ago
Spoof navigator.oscpu as 'Windows NT 6.1; Win64; x64' when resisting fingerprinting is enabled
Categories: Core :: DOM: Security (defect, P2)
Tracking: RESOLVED FIXED, mozilla57
People: Reporter: ethan, Assigned: ethan
References: Blocks 1 open bug
Details: Whiteboard: [tor][fingerprinting][domsecurity-active]
Attachments (1 file, 2 obsolete files)
2.09 KB, patch | ethan: review+ | gchang: approval-mozilla-beta+
This is a follow-up of bug 1333651.
https://bugzilla.mozilla.org/show_bug.cgi?id=1383495#c23
This comment pointed out the value of navigator.oscpu should be spoofed as "Windows NT 6.1; Win64; x64" instead of "Window NT 6.1".
Reference of navigator.oscpu: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/oscpu
Updated•7 years ago
Assignee: nobody → ettseng
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [tor][fingerprinting]
Updated•7 years ago
Summary: Spoof Navigator.oscpu as "Windows NT 6.1; Win64; x64" when resisting fingerprinting is enabled → Spoof navigator.oscpu as 'Windows NT 6.1; Win64; x64' when resisting fingerprinting is enabled
Updated•7 years ago
Whiteboard: [tor][fingerprinting] → [tor][fingerprinting][domsecurity-active]
Comment 1•7 years ago
Just as bug 1383495, we might want to uplift this to Beta 56.
Attachment #8904105 -
Flags: review?(ehsan)
Comment 2•7 years ago
Comment on attachment 8904105 [details] [diff] [review] bug-1396468.patch
Cancel the review request. I forgot to change the test case.
Attachment #8904105 -
Flags: review?(ehsan) → review-
Updated•7 years ago
Attachment #8904105 -
Flags: review-
Comment 3•7 years ago
Hi Ehsan,
Could you review this patch? It's a follow-up of bug 1383495.
According to https://developer.mozilla.org/en-US/docs/Web/API/Navigator/oscpu, the oscpuInfo string on Windows 64-bit should be "Windows NT 6.1; Win64; x64".
Attachment #8904105 -
Attachment is obsolete: true
Attachment #8904310 -
Flags: review?(ehsan)
Comment 4•7 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=1333933#c13
> Is anyone going to address the issue of the UA navigator.* spoofing items
> that are not fully spoofed? UA http header will not match JS's value when it
> queries navigator.userAgent. Or JS pulling the real values for say
> navigator.platform or navigator.oscpu. Not to mention some of these "spoofs"
> leak over iframes.

Thanks for someone finally picking up on oscpu as mentioned. I suggest you double check platform, and test everything over iframes [1], seriously, go check them (I have not tested lately). I'll also assume you have headers covered to match any JS spoofing [2].

[1] https://browserleaks.com/javascript - click the iframe button
[2] http://browserspy.dk/useragent.php
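A consistency check for the spoofed navigator.* values that comment 4 asks about, added here as an example (it is not code from this bug or from Firefox). It assumes a navigator-like object with userAgent, oscpu and platform fields, and the sample snapshots below are constructed, not captured from a real browser.

```javascript
// Expected spoofed value with resist-fingerprinting enabled (from this bug's title).
const EXPECTED_OSCPU = "Windows NT 6.1; Win64; x64";

// Extract the OS/CPU part of a Gecko UA string's parenthesised token, e.g.
// "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0"
// -> "Windows NT 6.1; Win64; x64". Returns null if the UA is not Gecko-shaped.
function osFromUserAgent(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\)/.exec(ua);
  if (!m) return null;
  // Drop the trailing "rv:NN.0" token; what remains is the OS/CPU section.
  return m[1].split("; ").filter(t => !/^rv:/.test(t)).join("; ");
}

// Return a list of mismatches between navigator.oscpu, the UA string and the
// expected spoof; an empty list means the values are consistent.
function checkNavigatorSpoof(nav, expectedOscpu = EXPECTED_OSCPU) {
  const problems = [];
  const uaOs = osFromUserAgent(nav.userAgent);
  if (uaOs === null) problems.push("userAgent: unrecognised format");
  else if (uaOs !== nav.oscpu) problems.push(`oscpu "${nav.oscpu}" != UA OS "${uaOs}"`);
  if (nav.oscpu !== expectedOscpu) problems.push(`oscpu "${nav.oscpu}" != expected "${expectedOscpu}"`);
  return problems;
}

// Compare a top-level snapshot with one taken inside an iframe; any field listed
// is a value that differs between the two contexts (the leak comment 4 describes).
function compareFrames(top, frame) {
  return ["userAgent", "oscpu", "platform"].filter(k => top[k] !== frame[k]);
}

// In a browser you would pass window.navigator and iframe.contentWindow.navigator.
function snapshot(nav) {
  return { userAgent: nav.userAgent, oscpu: nav.oscpu, platform: nav.platform };
}

// Constructed sample snapshots (hypothetical values, not real browser output).
const SPOOFED_OK = snapshot({
  userAgent: "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0",
  oscpu: "Windows NT 6.1; Win64; x64",
  platform: "Win32",
});
// Same snapshot but with oscpu missing the "Win64; x64" suffix, as before this fix.
const SPOOFED_BAD = { ...SPOOFED_OK, oscpu: "Windows NT 6.1" };
```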
Comment 5•7 years ago
FYI:
https://trac.torproject.org/projects/tor/ticket/23104 - CSS line height query leaks OS
https://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html - notably scrollbar thickness / Viewport Size, e.g. my results:
> Scrollbar thickness: right 17px, bottom 0px; Detected Windows
Updated•7 years ago
Blocks: uplift_tor_fingerprinting
Comment 6•7 years ago
Comment on attachment 8904310 [details] [diff] [review] bug-1396468.patch
Review of attachment 8904310 [details] [diff] [review]:
Oops, this needs to be backported to beta, right?
Attachment #8904310 -
Flags: review?(ehsan) → review+
Comment 7•7 years ago
(In reply to :Ehsan Akhgari (needinfo please, extremely long backlog) from comment #6)
> Oops, this needs to be backported to beta, right?

Yes! Hope we could make it.
Comment 8•7 years ago
Refresh the commit message "r=ehsan".
Attachment #8904310 -
Attachment is obsolete: true
Attachment #8905120 -
Flags: review+
Comment 9•7 years ago
(In reply to Simon Mainey from comment #4)
> Thanks for someone finally picking up on oscpu as mentioned. I suggest you
> double check platform, and test everything over iframes [1], seriously, go
> check them (I have not tested lately). I'll also assume you have headers
> covered to match any JS spoofing [2].
> [1] https://browserleaks.com/javascript - click the iframe button
> [2] http://browserspy.dk/useragent.php

Simon, thanks for the information! Really helpful!
Updated•7 years ago
Keywords: checkin-needed
Comment 10•7 years ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/38323ec9e5da
Spoof navigator.oscpu as 'Windows NT 6.1; Win64; x64' when resisting fingerprinting is enabled. r=ehsan
Keywords: checkin-needed
Comment 11•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/38323ec9e5da
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Comment 12•7 years ago
(In reply to Simon Mainey from comment #5)
> https://trac.torproject.org/projects/tor/ticket/23104 - CSS line height query leaks OS
> https://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html - notably scrollbar thickness / Viewport Size

Do you want me to do anything with these two issues, e.g. filing new tickets?
Comment 13•7 years ago
(In reply to Simon Mainey from comment #12)
> (In reply to Simon Mainey from comment #5)
> > https://trac.torproject.org/projects/tor/ticket/23104 - CSS line height query leaks OS
> > https://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html - notably scrollbar thickness / Viewport Size
> Do you want me to do anything with these two issues, e.g. filing new tickets?

That would be great. Please file bugs and add me to the CC list. Thanks!
Comment 14•7 years ago
Comment on attachment 8905120 [details] [diff] [review] bug-1396468.patch

Approval Request Comment
[Feature/Bug causing the regression]: N/A
[User impact if declined]: A weakness in fingerprinting protection
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: N/A
[Is the change risky?]: No
[Why is the change risky/not risky?]: We only changed one constant definition
[String changes made/needed]: N/A
Attachment #8905120 -
Flags: approval-mozilla-beta?
Comment 15•7 years ago
(In reply to Ethan Tseng [:ethan] from comment #13)
> That would be great. Please file bugs and add me to the CC list.
> Thanks!

I don't know how to CC someone, so I flagged them both as needinfo from you: Bug 1397994 and Bug 1397996
Comment 16•7 years ago
(In reply to Simon Mainey from comment #15)
> I don't know how to CC someone, so I flagged them both as needinfo from you:
> Bug 1397994 and Bug 1397996

That is fine. Thanks for filing those bugs. I set some flags so we will triage and process them in the near future.

p.s. How to CC people? [Edit Bug] > [People] > [CC] > [Add]
Updated•7 years ago
status-firefox56:
--- → affected
Comment 17•7 years ago
Comment on attachment 8905120 [details] [diff] [review] bug-1396468.patch
Fix a fingerprinting protection issue. Beta56+.
Attachment #8905120 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 18•7 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/715dcb4d80a6
Flags: in-testsuite+
Comment 19•7 years ago
The patch introduced here causes websites to assume that the client is running on a desktop OS. That has unintended side effects on Firefox for Android. See Bug 1409001
Comment 20•7 years ago
(In reply to Cyrus Patel from comment #19)
> The patch introduced here causes websites to assume that the client is
> running on a desktop OS. That has unintended side effects on Firefox for
> Android. See Bug 1409001

Cyrus, thanks for reporting the issue. We are aware of it and already track it in bug 1404608.
See Also: → 1404608