Closed Bug 1693800 Opened 4 years ago Closed 4 years ago

Firefox leaking user agent attributes through JavaScript even when privacy.resistFingerprinting is enabled

Categories

(Core :: Privacy: Anti-Tracking, defect)

Firefox 85

RESOLVED DUPLICATE of bug 1557620

People

(Reporter: hello, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

I enabled privacy.resistFingerprinting.

When I visit https://duckduckgo.com/?q=what+is+my+user+agent&ia=answer, a spoofed user agent is displayed (as expected).

Your user agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

When I run console.log(navigator.userAgent), my system and operating system attributes were leaked.

Actual results:

My system and operating system attributes were leaked.

Expected results:

My system and operating system attributes should have been spoofed.

Sorry for the typos... noticed I cannot edit the description once submitted.

Group: firefox-core-security

Pretty sure this isn't a security issue that needs to be kept hidden, but I'll leave it moco-confidential and the anti-tracking folks can make a decision. Tom?

(In reply to Sun Knudsen from comment #0)

> When I run console.log(navigator.userAgent)

Run how? The devtools console or from actual JS on the actual page?

Group: firefox-core-security → mozilla-employee-confidential
Component: Untriaged → Privacy: Anti-Tracking
Flags: needinfo?(tom)
Product: Firefox → Core

I just submitted a privacy vulnerability report to Tor... unfortunately this issue is also present on Tor 10.0.10 on macOS.

> Pretty sure this isn't a security issue that needs to be kept hidden, but I'll leave it moco-confidential and the anti-tracking folks can make a decision. Tom?

Given this can be used in attempts to de-anonymize Tor users, I believe it should be kept secret.

> Run how? The devtools console or from actual JS on the actual page?

Both (I noticed the issue browsing through sentry.io logs)

(In reply to Sun Knudsen from comment #4)

> > Pretty sure this isn't a security issue that needs to be kept hidden, but I'll leave it moco-confidential and the anti-tracking folks can make a decision. Tom?
>
> Given this can be used in attempts to de-anonymize Tor users, I believe it should be kept secret.

OK, I went to actually look for this, but this is already public, cf. bug 1557620. So there's no point keeping it secret. There was discussion also in bug 1404608 if you're interested in the history behind that decision.

Group: mozilla-employee-confidential
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(tom)
Resolution: --- → DUPLICATE
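The mismatch reported in this bug can be checked field by field. The following is an added example, not part of the bug thread or of Firefox's code: it parses two Firefox-style user agent strings and lists which fields differ. The function names are hypothetical, and using the report's "User Agent" field as the script-side value is an assumption made for illustration.

```javascript
// Split a Firefox-style user agent string into the fields a spoofing check compares.
function parseFirefoxUA(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\) Gecko\/(\S+) Firefox\/(\S+)$/.exec(ua.trim());
  if (!m) return null; // not a Firefox-shaped string, nothing to compare
  const tokens = m[1].split(';').map((t) => t.trim());
  const rvToken = tokens.find((t) => t.startsWith('rv:')) || null;
  // Everything in the parentheses except rv: describes the platform.
  const platform = tokens.filter((t) => !t.startsWith('rv:')).join('; ');
  let osFamily = 'other';
  if (/^Windows/.test(platform)) osFamily = 'Windows';
  else if (/Mac OS X/.test(platform)) osFamily = 'macOS';
  else if (/Android/.test(platform)) osFamily = 'Android';
  else if (/Linux|X11/.test(platform)) osFamily = 'Linux';
  return { platform, osFamily, rv: rvToken ? rvToken.slice(3) : null, version: m[3] };
}

// Compare the value a server sees with the value a script sees.
function compareUserAgents(headerUA, scriptUA) {
  const h = parseFirefoxUA(headerUA);
  const s = parseFirefoxUA(scriptUA);
  if (!h || !s) return { comparable: false, mismatches: [] };
  const mismatches = ['osFamily', 'platform', 'rv', 'version']
    .filter((k) => h[k] !== s[k])
    .map((k) => ({ field: k, header: h[k], script: s[k] }));
  return { comparable: true, mismatches };
}

// Both strings are copied from this bug report.
// HEADER_UA: the value DuckDuckGo displayed to the reporter.
const HEADER_UA = 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0';
// SCRIPT_UA: the report's "User Agent" field (assumed here to stand in for
// what navigator.userAgent returned; in a live check, pass navigator.userAgent).
const SCRIPT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0';

const report = compareUserAgents(HEADER_UA, SCRIPT_UA);
console.log(JSON.stringify(report, null, 2));
```

An empty `mismatches` list means the two views agree; any entry names a field where script-visible state differs from what the server was sent.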