Fingerprinting resistance against getUserMedia constraints doesn't work
Categories
(Core :: WebRTC: Audio/Video, defect)
Tracking
()
People
(Reporter: pehrsons, Assigned: pehrsons)
Details
(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main69+][adv-esr68.1+])
Attachments
(3 files)
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr68+
|
Details | Review |
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr68+
|
Details | Review |
|
1.03 KB,
patch
|
Details | Diff | Splinter Review |
Found through bug 1565317 really, which was caused by bug 1560907.
Prior to bug 1560907 code for reducing a set of constraints looked like this:
// It looks like {audio: true}, do nothing.
if (!aConstraint.IsMediaTrackConstraints()) {
return;
}
// Keep mediaSource, ignore all other constraints.
auto& c = aConstraint.GetAsMediaTrackConstraints();
MOZ_DIAGNOSTIC_ASSERT(c.mMediaSource.WasPassed());
nsString mediaSource = c.mMediaSource.Value();
aConstraint.SetAsMediaTrackConstraints().mMediaSource.Construct(mediaSource);
But since aConstraint is already a MediaTrackConstraints, SetAsMediaTrackConstraints() does not Uninit and reset its values. The reduction is basically a no-op.
|
||
Comment 1•6 years ago
|
||
Thanks for catching this!
When we fix this, we should improve the test to catch this.
Two ways to test it:
- Compare
track.getConstraints()against passed-in constraints - Check for an impossible constraint (Thanks Andreas!) E.g.
{video: {width: {min: 9999}}}
As a side-note: About (1) perhaps we shouldn't make it so easy to detect that fingerprinting anti-measures are present? But that's for a follow-up issue perhaps.
|
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 2•6 years ago
|
||
|
|
Assignee | |
Comment 3•6 years ago
|
||
Depends on D37783
|
|
||
Comment 4•6 years ago
|
||
Andreas, what do you wanna do about the review in bug 1565317? My review comment is the Construct will fail because the value is already there, but I suspect you already know that. 😉
|
|
Assignee | |
Comment 5•6 years ago
|
||
(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #4)
Andreas, what do you wanna do about the review in bug 1565317? My review comment is the
Constructwill fail because the value is already there, but I suspect you already know that. 😉
Missed that actually. I'll just swap it to use Value() instead of Construct() so it can land. Otherwise the crash stays out there for longer.
|
||
Updated•6 years ago
|
|
|
||
Comment 6•6 years ago
|
||
Do we need sec review to land this? I'm not seeing a sec rating. I'd consider this sec-moderate fwiw.
|
||
Comment 7•6 years ago
|
||
https://wiki.mozilla.org/Security/Bug_Approval_Process
sec-moderate sounds appropriate (in which case you don't need sec-approval)
|
||
Comment 8•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/f3f26e1ed9c0a29f447212d9759d0cf723f4d447
https://hg.mozilla.org/integration/autoland/rev/3b125373365743fbc30bc93ef3ee74d865ce9be8
https://hg.mozilla.org/mozilla-central/rev/f3f26e1ed9c0
https://hg.mozilla.org/mozilla-central/rev/3b1253733657
|
||
Comment 9•6 years ago
|
||
Given that this is sec-moderate, I'm thinking we don't need to bother uplifting this to ESR60 given that it's nearing the end of its life cycle. That said, do we want this on Beta and ESR68? If so, please nominate :)
|
|
||
Comment 10•6 years ago
|
||
Comment on attachment 9077530 [details]
Bug 1565374 - Reset state. r?jib
Beta/Release Uplift Approval Request
- User impact if declined: Scripts may use probing techniques (e.g. bug 1528056)—that don't incur a user prompt—on the
getUserMediaAPI using constraints to reveal device properties of cameras on the system, adding bits to a fingerprint of the user's system, even on builds withprivacy.resistFingerprinting=true. - Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple pref-only clearing of optional passed-in constraints argument.
- String changes made/needed: None
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Are there ESR builds built with
privacy.resistFingerprinting=true? If so, then this might be of importance to those builds. - User impact if declined: Same
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Same
- String or UUID changes made by this patch:
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 11•6 years ago
|
||
Comment on attachment 9077529 [details]
Bug 1565374 - Improve test. r?jib
Fixes a potential privacy leak via the getUserMedia API. Approved for 69.0b8 and 68.1esr (I'm sure our Tor friends will appreciate it since they set the privacy.resistFingerprinting pref).
|
|
||
Updated•6 years ago
|
|
|
||
Comment 12•6 years ago
|
||
Actually, this is going to need a rebased patch for uplift.
|
|
||
Comment 13•6 years ago
|
||
Backport patch for Beta and ESR.
|
|
||
Comment 14•6 years ago
|
||
| uplift | ||
|
||
Updated•6 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
Description
•