Open Bug 1447935 Opened 2 years ago Updated 6 months ago

Bypasses found for Firefox Tracking Protection

Categories

(Toolkit :: Safe Browsing, defect, P3)

56 Branch
defect


UNCONFIRMED

People

(Reporter: gertjan.franken, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-other, Whiteboard: tp-leak)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:

We simulated an extensive set of web mechanisms that initiate cross-site requests to a blacklisted domain, while Firefox Tracking Protection’s strict blocking was enabled. Unfortunately, FTP did not manage to block all cross-site requests to the blacklisted domain. What follows is a list of web mechanisms that were able to bypass this countermeasure.

* AppCache API (caching a resource located on a blacklisted domain)
* Response headers (referring to the blacklisted domain)
   - Link rel=next
   - Link rel=prefetch
* HTML tags (referring to blacklisted domain)
   - <link rel="shortcut icon" href="…">
   - <link rel="apple-touch-icon image_src" href="…">
* EventSource API (referring to blacklisted domain)
* WebSocket API (opening a new web socket for the blacklisted domain)
* Fetch API, importScripts() used by ServiceWorker (referring to blacklisted domain)


Actual results:

The cross-site requests to the blacklisted domain were not blocked.


Expected results:

The cross-site requests to the blacklisted domain should have been blocked.
Component: Untriaged → Tracking Protection
(In reply to gertjan.franken from comment #0)
> * AppCache API (caching a resource located on a blacklisted domain)

Tracked in bug 1262339.

> * Response headers (referring to the blacklisted domain)
>    - Link rel=next
>    - Link rel=prefetch
> * HTML tags (referring to blacklisted domain)
>    - <link rel="shortcut icon" href="…">
>    - <link rel="apple-touch-icon image_src" href="…">

Also see bug 523095.

> * Fetch API, importScripts() used by ServiceWorker (referring to blacklisted domain)

Tracked in bug 1437626.

Note that these are likely not just a bypass of tracking protection, but also of Safe Browsing. I'm not sure it's directly exploitable by malware/phishing sites in that case, but it's still something we should fix.
Blocks: 1207775
Group: toolkit-core-security
Component: Tracking Protection → Safe Browsing
Priority: -- → P3
Product: Firefox → Toolkit
Group: firefox-core-security
Whiteboard: tp-leak
Trackers have used WebSockets to bypass resource blocking extensions (https://www.ieee-security.org/TC/SPW2018/ConPro/papers/bashir-conpro18.pdf). There's nothing specific to TP in the paper, but the same workarounds could be deployed against TP.
See Also: → 1483510
Attached file tpc-paper.pdf
I think we can make this bug public now.

The paper is here: https://wholeftopenthecookiejar.eu/

and has won the Distinguished Paper award at USENIX Security (congrats BTW!). So we can assume that anybody who can benefit from knowing these bypasses already knows about them.
Flags: needinfo?(dveditz)
Group: toolkit-core-security
Flags: needinfo?(dveditz)