Closed Bug 1704110 Opened 2 years ago Closed 1 year ago

Browser Tracking through Preflight Cache

Categories

(Core :: Privacy: Anti-Tracking, defect)

defect

Tracking

()

RESOLVED FIXED
92 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 92+ fixed
firefox90 --- wontfix
firefox91 --- wontfix
firefox92 --- fixed

People

(Reporter: tjr, Assigned: pbz)

References

(Blocks 1 open bug)

Details

(Keywords: privacy, sec-other, Whiteboard: [fingerprinting][tor][post-critsmash-triage][adv-main92-][adv-esr91.1-])

Attachments

(1 file, 1 obsolete file)

From https://evercookie.0x41.link/xhrpreflight/

Interesting take aways:
 - On the majority of browsers clearing an entire browser cache doesn't fix this ... you have to additionally restart the browser process.</li>
 - Tor Browser 'new identity' option fails and user can be corellated with previously used identities.

How this POC works :

 - User visits e.g. https://evercookie.0x41.link/xhrpreflight/.
 - A JS script generates a number of XHRs in order to set a randomly generated ID in browsers' XHR preflight cache
 - Another JS script maps out the previously injected ID from the browsers XHR preflight...
 - ID is displayed to the user (this can be used to set the tracking cookie)

This issue was filed in Tor Browser's HackerOne.

I actually couldn't quite get the POC to work, but it seems like it could. If this is the preflight cache it only ever gets fully cleared upon destruction (shutdown.) We should call it in other circumstances also...

(In reply to Tom Ritter [:tjr] (ni? for response to sec-[advisories/bounties/ratings/cves]) from comment #0)

From https://evercookie.0x41.link/xhrpreflight/
[...]
I actually couldn't quite get the POC to work, but it seems like it could. If this is the preflight cache it only ever gets fully cleared upon destruction (shutdown.) We should call it in other circumstances also...

It's working in Tor Browser (based on 78.9.0esr). I agree that this looks like the preflight cache, and Tor Browser isn't clearing that in its New Identity functionality. IIUC, for this POC, the server-side is allowing cross-origin requests that include a x-set request header, and rejecting all other cross-origin requests. The unique ID is composed of 8 randomly selected characters in [0-9a-f], then sorted. In the ID generation phase, the client generates an ID and then iterates over the characters in the ID and fetches them individually as the resources (/0, /1, etc.) with x-set included as a request header - this primes the cache only with characters in the ID. In the recovery phase, the script probes the preflight cache for every character by iterating over every possible character and requesting it as the resource again - success if a cached preflight entry is returned, thus allowing the request to go through, and error if the request goes out to the server (without a x-set header - not indicated in the preflight).

I'd be happy with either an observer of content.cors.disable (similar to security.OCSP.enabled) that clears/invalidates the cache, or a hook in the site data sanitizer? The latter may be more useful for Firefox users.

Let's see if the Anti-Tracking team is willing to take this as networking is oversubscribed.

Component: Networking: Cache → Privacy: Anti-Tracking

I suspect this this is a more general problem by the way. While we now partition most caches, including the CORS preflight cache in question here, I don't think we actively clear all of them when the user wishes to remove state.

See also bug 1696632 which is very similar.

(In reply to Anne (:annevk) from comment #3)

I suspect this this is a more general problem by the way. While we now partition most caches, including the CORS preflight cache in question here, I don't think we actively clear all of them when the user wishes to remove state.

See also bug 1696632 which is very similar.

Yes, that is true, historically Tor Browser has jumped through a few kludgy hoops as a way of working around this:
https://gitlab.torproject.org/tpo/applications/torbutton/-/blob/master/chrome/content/torbutton.js#L575

I wouldn't be surprised if there are other caches we are missing, though.

I put it on our triage list for tomorrow :)

Steve, can you try to verify this is an issue with clearing only in Firefox?

Flags: needinfo?(senglehardt)

(In reply to Johann Hofmann [:johannh] from comment #6)

Steve, can you try to verify this is an issue with clearing only in Firefox?

I tested this and verified that we do at least partition this cache, and can reproduce the POC: any approach to clearing data from the UI doesn't impact the site's ability to recover the ID.

We should aim to fix this alongside our other site data management issues, which doesn't need to be a security bug. However, we should keep this hidden due to the impact to Tor Browser's New Identity functionality

Flags: needinfo?(senglehardt)
Flags: needinfo?(jhofmann)
Blocks: 1102808

(In reply to Steven Englehardt [:englehardt] from comment #7)

We should aim to fix this alongside our other site data management issues, which doesn't need to be a security bug. However, we should keep this hidden due to the impact to Tor Browser's New Identity functionality

Okay, so this sounds like it's not a priority for you. Do you have a recommended approach that we can (potentially) uplift? From comment #1:

I'd be happy with either an observer of content.cors.disable (similar to security.OCSP.enabled) that clears/invalidates the cache, or a hook in the site data sanitizer? The latter may be more useful for Firefox users.

Obviously, I'd prefer inheriting a fix instead of writing it, if that's feasible in the short-term.

Flags: needinfo?(senglehardt)
Flags: needinfo?(se)

Paul do you have any thoughts on Comment 8?

Flags: needinfo?(pbz)

(In reply to Tom Ritter [:tjr] (OOTO, back June 28) from comment #9)

Paul do you have any thoughts on Comment 8?

In case it helps, I landed https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/9c9884c27d5a1ee93dde9d78eda6df5707e816f8 as a quick-fix, tying it to |browser:purge-session-history|.

(With a small fix https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0f2ac709c04851627d75a7eb9ba32a4ecf7debf7)

I'm not sure if you'd take this for uplift, or if you want to go another route.

(In reply to Matthew Finkel [:sysrqb] from comment #10)

In case it helps, I landed https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/9c9884c27d5a1ee93dde9d78eda6df5707e816f8 as a quick-fix, tying it to |browser:purge-session-history|.
(With a small fix https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0f2ac709c04851627d75a7eb9ba32a4ecf7debf7)
I'm not sure if you'd take this for uplift, or if you want to go another route.

Matthew, does that mean we can make this bug public now?

Flags: needinfo?(sysrqb)

(In reply to Matthew Finkel [:sysrqb] from comment #10)

I'm not sure if you'd take this for uplift, or if you want to go another route.

Thanks! I'll take a look at your patch. We might add a separate cleaner in ClearDataService for it.

Assignee: nobody → pbz
Status: NEW → ASSIGNED
Flags: needinfo?(pbz)

(In reply to Ethan Tseng [:ethan] from comment #11)

(In reply to Matthew Finkel [:sysrqb] from comment #10)

In case it helps, I landed https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/9c9884c27d5a1ee93dde9d78eda6df5707e816f8 as a quick-fix, tying it to |browser:purge-session-history|.
(With a small fix https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0f2ac709c04851627d75a7eb9ba32a4ecf7debf7)
I'm not sure if you'd take this for uplift, or if you want to go another route.

Matthew, does that mean we can make this bug public now?

Ethan, thanks for asking. Let's keep it private for a few more days. We just released Tor Browser with this fix today, so this bug can become public at the beginning of next week.

Flags: needinfo?(sysrqb)
Attachment #9230090 - Attachment description: Bug 1704110 - Added PreflightCacheCleaner. r=timhuang!,#necko-reviewers → Bug 1704110 - Added PreflightCacheCleaner. r=johannh!,#necko-reviewers
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
Group: network-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [fingerprinting][tor] → [fingerprinting][tor][post-critsmash-triage]
Flags: needinfo?(jhofmann)

Is this something we should consider uplifting to 91 for the next ESR?

Flags: needinfo?(pbz)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #16)

Is this something we should consider uplifting to 91 for the next ESR?

FWIW, I'd appreciate that (at some point during the 91esr cycle) so I can drop my downstream patch. I don't see much harm in uplifting it sooner, but that's pbz's call.

Maybe we can do an ESR uplift once this had some bake time in 92 beta?

Flags: needinfo?(pbz)

The patch landed in nightly and beta is affected.
:pbz, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(pbz)
Flags: needinfo?(pbz)
Flags: sec-bounty?

Hi Paul, is this ready for an ESR91 approval request?

Flags: needinfo?(pbz)

Yes, I think we should uplift to ESR soon. However, in Bug 1721084 we've discovered that we're over-clearing some cleaners, even for automated clearing by websites or the PurgeTrackerService. This should be addressed before uplifting. I've submitted a patch for review that specifically fixes it for the PreflightCacheCleaner. I'll update you once I have feedback from Johann.

Flags: sec-bounty? → sec-bounty+
Blocks: 1727146

Comment on attachment 9237072 [details]
Bug 1704110 - Only clear the preflight cache on user request. r=johannh!

Revision D123134 was moved to bug 1727146. Setting attachment 9237072 [details] to obsolete.

Attachment #9237072 - Attachment is obsolete: true

Comment on attachment 9230090 [details]
Bug 1704110 - Added PreflightCacheCleaner. r=johannh!,#necko-reviewers

ESR Uplift Approval Request

NOTE: Should be uplifted along with the fix-up here: https://phabricator.services.mozilla.com/D123134 which is currently in 93.

  • User impact if declined: Sites can use the preflight cache to set an in-memory supercookie, which users can't clear. This can be used for fingerprinting purposes.
    Also see https://bugzilla.mozilla.org/show_bug.cgi?id=1704110#c0
  • Fix Landed on Version: 92
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): The base patch had a cycle of bake time in 92. No reported regressions. Has an integration test.
    Medium risk, because the code change isn't trivial and updates some interfaces.
  • String or UUID changes made by this patch: none
Flags: needinfo?(pbz)
Attachment #9230090 - Flags: approval-mozilla-esr91?

Comment on attachment 9230090 [details]
Bug 1704110 - Added PreflightCacheCleaner. r=johannh!,#necko-reviewers

Approved for 91.1esr.

Attachment #9230090 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [fingerprinting][tor][post-critsmash-triage] → [fingerprinting][tor][post-critsmash-triage][adv-main92-]
Whiteboard: [fingerprinting][tor][post-critsmash-triage][adv-main92-] → [fingerprinting][tor][post-critsmash-triage][adv-main92-][adv-esr91.0.1-]
Whiteboard: [fingerprinting][tor][post-critsmash-triage][adv-main92-][adv-esr91.0.1-] → [fingerprinting][tor][post-critsmash-triage][adv-main92-][adv-esr91.1-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.