Closed
Bug 1469489
Opened 8 years ago
Closed 8 years ago
Webpages can show text - Security vulnerability
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1450564
People
(Reporter: ivan.kuckir, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Steps to reproduce:
Create a website with a code like this
<html><span style="font-family:'Arial'">Hello</span></html>
Actual results:
The text Hello is displayed.
Expected results:
The text Hello should not be displayed.
This is as an analogy to Canvas fingerprinting outside Canvas.
The attacker can test the availability of various fonts in your OS by measuring the bounding box of the <span>:
element.getBoundingClientRect()
and use it as a fingerprint for your device.
In canvas, we deal with it by filling the whole canvas with White whenever somebody calls fillText(). I propose a solution: replace all text, that a website tries to display, by a random number of "X" characters, rendered with a random font.
Example: instead of "Hello", the webpage should show "XXXXXXXX" or "XXXXXXXXXXX".
Comment 1•8 years ago
|
||
This is reproducible on windows 10 with the latest nightly.
Using the sample code in comment 0, the text "Hello" is displayed on the browser. It is also reproducible in other browsers.
Test env't
----------
Version 62.0a1
Build ID 20180622100109
Update Channel nightly
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•