Closed Bug 1469489 Opened 8 years ago Closed 8 years ago

Webpages can show text - Security vulnerability

Categories

(Core :: DOM: Security, defect)

59 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1450564

People

(Reporter: ivan.kuckir, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Steps to reproduce: Create a website with a code like this <html><span style="font-family:'Arial'">Hello</span></html> Actual results: The text Hello is displayed. Expected results: The text Hello should not be displayed. This is as an analogy to Canvas fingerprinting outside Canvas. The attacker can test the availability of various fonts in your OS by measuring the bounding box of the <span>: element.getBoundingClientRect() and use it as a fingerprint for your device. In canvas, we deal with it by filling the whole canvas with White whenever somebody calls fillText(). I propose a solution: replace all text, that a website tries to display, by a random number of "X" characters, rendered with a random font. Example: instead of "Hello", the webpage should show "XXXXXXXX" or "XXXXXXXXXXX".
This is reproducible on windows 10 with the latest nightly. Using the sample code in comment 0, the text "Hello" is displayed on the browser. It is also reproducible in other browsers. Test env't ---------- Version 62.0a1 Build ID 20180622100109 Update Channel nightly User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.