Closed Bug 1472923 Opened 7 years ago Closed 7 years ago

Detecting registered URI schemes leads to fingerprinting

Categories

(Firefox :: Security, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 680300

People

(Reporter: qab, Unassigned)

Details

(Keywords: privacy, sec-low, Whiteboard: [fingerprinting])

Attachments

(2 files)

Attached file schemer.html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce:

Warning: If testing on normal Firefox (non-Tor), keep in mind that the prompt asking you to choose which application to run the given URI scheme will be spammed. Reduce the size of the URI scheme array to something smaller to avoid freezing the entire browser.

We can detect which URI schemes exist and which do not. Simply run the attached PoC in latest Tor (this requires JavaScript). Since Tor does not show any prompts when navigating to a registered URI scheme, this can safely run without a Tor user knowing.

This works on latest unstable Tor 8.0a9 (based on Mozilla Firefox 60.1.0esr) (64-bit) and latest stable Tor as well.

Actual results:

I am mainly using the fact that when one attempts to navigate an iframe to an unregistered URI scheme, an error is thrown that can be caught by a try/catch. So if a given URI scheme throws on attempting to navigate, we safely assume it does not exist, thus whatever program associated with it probably isn't installed.

On Windows, you can see which web accessible URI schemes are available by going to 'Computer\HKEY_CLASSES_ROOT\' using regedit. Then look for folders(?) that contain '\shell\open'; if this entry/folder exists then this URI scheme is detectable in web. This is an example of what iTunes has registered:

Computer\HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itmss\shell\open\command

We can reliably detect which OS the user is on; on top of that we can detect which software is installed on the user's computer. My list is not the biggest one nor cleanest one, but the bigger the list, the more accurately one can fingerprint any given user. Any program that registers a URI scheme is detectable. Some example programs I am detecting using my list in the PoC:

iTunes
VLC
Visual Studio
uTorrent
Microsoft Word
Skype
and many more.
Expected results: Do not throw a catchable error when navigating iframe to an unregistered URI scheme.
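A defender-side inventory of the registry check described in the report, as an added example that is not part of the original bug or its attachments: it parses the text of a `reg export HKCR` dump and reports which keys carry a `shell\open\command` entry. The sample export, key names and paths are constructed, and the `URL Protocol` value test is an assumption added here (it is how Windows marks a key as a URI scheme handler), not something the report states.

```python
import re

# Constructed sample in .reg export format; every key name and path is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\examplechat]
@="URL:Example Chat Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\examplechat\shell\open\command]
@="\"C:\\Program Files\\ExampleChat\\chat.exe\" \"%1\""

[HKEY_CLASSES_ROOT\ExampleMedia.AssocProtocol.exmedia\shell\open\command]
@="\"C:\\Program Files\\ExampleMedia\\media.exe\" --url \"%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\exampleold]
"URL Protocol"=""
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)(\\[^\]]*)?\]$')

def parse_export(text):
    """Map each top-level HKCR key to its URL Protocol flag and open command."""
    entries, name, sub = {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            name, sub = m.group(1), (m.group(2) or "").lower()
            entries.setdefault(name, {"url_protocol": False, "command": None})
        elif line.startswith("["):
            name = None  # key outside HKEY_CLASSES_ROOT: ignore its values
        elif name and sub == "" and line.lower().startswith('"url protocol"='):
            entries[name]["url_protocol"] = True
        elif name and sub == r"\shell\open\command" and line.startswith('@="'):
            # Drop the surrounding quotes, then undo .reg escaping (\" and \\).
            entries[name]["command"] = re.sub(r'\\(.)', r'\1', line[3:-1])
    return entries

def audit(text):
    """Split keys into scheme handlers, other open-command keys, stale schemes."""
    report = {"handlers": {}, "open_only": [], "no_command": []}
    for name, e in sorted(parse_export(text).items()):
        if e["url_protocol"] and e["command"]:
            report["handlers"][name] = e["command"]   # scheme with a launch command
        elif e["command"]:
            report["open_only"].append(name)          # open command, no scheme marker
        elif e["url_protocol"]:
            report["no_command"].append(name)         # scheme marker, nothing to launch
    return report
```

A real `.reg` export is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `audit()`.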
Attached file schemer(small).html
Use this PoC if testing on non-Tor Firefox. This works on latest nightly for me.
sec-low for Firefox but the Tor guys might consider it more serious.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Keywords: privacy, sec-low
Whiteboard: [fingerprinting]
I believe this is a dupe of Bug 1437349 / Bug 680300
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security