Open Bug 1636005 Opened 5 years ago Updated 9 months ago

Default submit button label length allows browser language fingerprinting

Categories

(Core :: DOM: Security, defect, P3)

People

(Reporter: u635660, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?][fingerprinting][domsecurity-backlog1])

Attachments

(4 files)

Attached file PoC.html

I found a way to detect a user's UI language. Here is how to reproduce: first go to the HTML file PoC and then change your browser language to Chinese (China). The page should be able to tell you "Your browser UI language is: Simplified Chinese".
Then change the language to English and open the file again, and it should be able to tell you "Your browser UI language is: English".

The trick is that when I specify a button <input type="submit"> without a "value" property, the default text of the button depends on the UI language. If the UI language is Chinese, its text is 提交查询; if the UI language is English, its text is "Submit Query". Thus, these two buttons will have different widths. If its width equals the width of <input type="submit" value="Submit Query">, the UI language is English. If its width equals the width of <input type="submit" value="提交查询">, the UI language is Simplified Chinese.

To fix this, always use the button with default text in English.
Tested on Windows 10 on the latest version of Firefox.

Flags: sec-bounty?
Attached image bruh momet 2.PNG

Here is one of the PoC images.

Attached image bruh moment.PNG

Here is another one.

Chromium seems to have the same issue. Did you report to them as well? If so, can you link us to the ticket you filed?

(In reply to planetman1125 from comment #0)

> To fix this, always use the button with default text in English.

This would be a poor experience for most of Firefox's users, who do not use English.

It'd be better to select some default size for the text in the button that is big enough to accommodate all supported languages, and "pretend" that that is the size of the text, irrespective of the actual text (which should be centered in that box). But that's probably not trivial to implement.

I'm not sure to what degree this is a losing battle short of actually using English everywhere - I expect date/number formatting details, the accept-language headers, and geoip information already provide similar information, as does the language used for error messages from JS errors.

Tom, is this on your / the TOR browser team's radar already? What's the overall approach?

Group: firefox-core-security → layout-core-security
Status: UNCONFIRMED → NEW
Type: task → defect
Component: Security → Layout: Form Controls
Ever confirmed: true
Flags: needinfo?(tom)
Flags: needinfo?(planetman1125)
Product: Firefox → Core
Summary: detecting firefox broswer ui language → Default submit button label length allows browser language fingerprinting

Hi Gijs, I am unable to reproduce it on Chrome: when I open it, it says "Your browser UI language is not Simplified Chinese nor English". It should say my language, such as English or Simplified Chinese.

Flags: needinfo?(planetman1125)

Tor already fixed it; here is their approach: https://trac.torproject.org/projects/tor/ticket/24056

(In reply to planetman1125 from comment #4)

> Hi Gijs, I am unable to reproduce it on Chrome: when I open it, it says "Your browser UI language is not Simplified Chinese nor English". It should say my language, such as English or Simplified Chinese.

I mean, I didn't use your poc, but I simply checked visually the text and width of the button when changing the language (which Chrome allows on Windows), and it says "Submit" in English and "Verzenden" in Dutch, and the button width changes. So perhaps your scripted PoC as-is doesn't work, but the width difference is clearly going to be there and is going to be detectable, esp. if you're able to change the font used to monospace via CSS (which I just tested and also works).

(In reply to planetman1125 from comment #5)

> Tor already fixed it; here is their approach: https://trac.torproject.org/projects/tor/ticket/24056

Right, I don't think that approach (using English for all form control text) will be acceptable as the default in Firefox. Perhaps behind a resistFingerprinting pref, but even then it seems unfortunate.

We even advertise the locale in the navigator.language and navigator.languages variables (which Tor spoofs). Firefox is not Tor, and does not make the same anonymity guarantees. We have taken many Tor patches so they can simply flip prefs to make these kinds of changes, but I can guarantee we would not show these buttons in English for all users.

Whether we fix this in Firefox or not it definitely doesn't need to be a hidden security bug when the Tor issue is public.

Flags: sec-bounty? → sec-bounty-
Group: layout-core-security

Adding cc's but leaving ni

If you (emphasis mine) "change your browser language to Chinese", well then it's Chinese. If you then "change the language to English", well then it's going to be English. Even your headers change. Because, well... you know, you changed the language.

Tor Browser and FF use privacy.spoof_english : user is prompted on first TB start (and FF on first RFP flip) on non en-US builds if they want to spoof as English. If they answer "yes", then the pref is set to 2 and intl.accept_languages is set to en-US, en (and I think there's another pref).

> We even advertise the locale in the navigator.language and navigator.languages variables (which Tor spoofs)

Only if the user accepts the spoof english dialog (same on Firefox)

Will attach picture of Simplified Chinese build (76), nilla profile, changed RFP to true, got prompt to ask if I would like to ask be English to web content, I said yes

We can close this as invalid
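An added example, not part of the original thread or of Firefox/Tor Browser code: a small audit that reads a profile's `prefs.js`/`user.js` text and reports whether the spoof-English settings described in the comment above (`privacy.spoof_english` set to 2, `intl.accept_languages` set to `en-US, en`, with `privacy.resistFingerprinting` enabled) are all in place. The function names and both sample profiles are constructed for illustration.

```javascript
// Expected values are taken from the thread; everything else is illustrative.
const EXPECTED = {
  'privacy.resistFingerprinting': true,
  'privacy.spoof_english': 2,
  'intl.accept_languages': 'en-US, en',
};

// Parse `user_pref("name", value);` lines into a Map. Values are JSON
// literals (string, number, boolean); commented-out or malformed lines are skipped.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const [, name, raw] of text.matchAll(re)) {
    try {
      prefs.set(name, JSON.parse(raw));
    } catch {
      // value is not a plain literal; ignore this line
    }
  }
  return prefs;
}

// Compare strings case- and whitespace-insensitively ("en-US,en" == "en-US, en").
const norm = (v) =>
  typeof v === 'string' ? v.replace(/\s+/g, '').toLowerCase() : v;

// Return which expected prefs are missing or set to something else.
function auditSpoofEnglish(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    const got = prefs.get(name);
    if (norm(got) !== norm(want)) findings.push({ name, want, got: got ?? null });
  }
  return { spoofed: findings.length === 0, findings };
}

// Constructed sample: RFP on, but spoof_english is not 2 and the locale list is not English-only.
const SAMPLE_NOT_SPOOFED = `
// user_pref("privacy.spoof_english", 2);   (commented out, must not count)
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.spoof_english", 1);
user_pref("intl.accept_languages", "zh-CN, zh, en-US, en");
`;

// Constructed sample: all three settings as described in the thread.
const SAMPLE_SPOOFED = `
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.spoof_english", 2);
user_pref("intl.accept_languages", "en-US,en");
`;
```

This checks configuration only; whether default form-control labels actually render in English still has to be confirmed in the running browser.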

Because this bug's Severity is normal and has not been changed, and this bug's priority is -- (none), indicating it has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged).

Severity: normal → --

Triaging this bug in layout component. Based on the previous discussion, this is related to fingerprinting, not a layout rendering issue. I'll move the component, and leave the severity unset for now.

Component: Layout: Form Controls → DOM: Security
Severity: -- → S4
Priority: -- → P3
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][fingerprinting][domsecurity-backlog1]

From the point of view of Tor/Resist Fingerprinting, this is fixed.

Given the extensive places where one needs to spoof to get it working, this might be WONTFIX from the point of view of regular Firefox. But the code to do so is there, so I won't close this for right now until someone else makes that decision.

Flags: needinfo?(tom)