Open Bug 1447935 Opened 2 years ago Updated 6 months ago
Bypasses found for Firefox Tracking Protection
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:

We simulated an extensive set of web mechanisms that initiate cross-site requests to a blacklisted domain, while Firefox Tracking Protection's strict blocking was enabled. Unfortunately, FTP did not manage to block all cross-site requests to the blacklisted domain. What follows is a list of web mechanisms that were able to bypass this countermeasure.

* AppCache API (caching a resource located on a blacklisted domain)
* Response headers (referring to the blacklisted domain)
  - Link rel=next
  - Link rel=prefetch
* HTML tags (referring to blacklisted domain)
  - <link rel="shortcut icon" href="…">
  - <link rel="apple-touch-icon image_src" href="…">
* EventSource API (referring to blacklisted domain)
* WebSocket API (opening a new web socket for the blacklisted domain)
* Fetch API, importScripts() used by ServiceWorker (referring to blacklisted domain)

Actual results:

The cross-site requests to the blacklisted domain were not blocked.

Expected results:

The cross-site requests to the blacklisted domain should have been blocked.
Component: Untriaged → Tracking Protection
(In reply to gertjan.franken from comment #0)
> * AppCache API (caching a resource located on a blacklisted domain)

Tracked in bug 1262339.

> * Response headers (referring to the blacklisted domain)
>   - Link rel=next
>   - Link rel=prefetch
> * HTML tags (referring to blacklisted domain)
>   - <link rel="shortcut icon" href="…">
>   - <link rel="apple-touch-icon image_src" href="…">

Also see bug 523095.

> * Fetch API, importScripts() used by ServiceWorker (referring to blacklisted
> domain)

Tracked in bug 1437626.

Note that these are likely not just a bypass of tracking protection, but also of Safe Browsing. I'm not sure it's directly exploitable by malware/phishing sites in that case, but it's still something we should fix.
Component: Tracking Protection → Safe Browsing
Priority: -- → P3
Product: Firefox → Toolkit
Trackers have used WebSockets to bypass resource blocking extensions (https://www.ieee-security.org/TC/SPW2018/ConPro/papers/bashir-conpro18.pdf). There's nothing specific to TP in the paper, but the same workarounds could be deployed against TP.
I think we can make this bug public now. The paper is here: https://wholeftopenthecookiejar.eu/ and has won the Distinguished Paper award at USENIX Security (congrats BTW!). So we can assume that anybody who can benefit from knowing these bypasses already knows about them.