Screenshot fingerprinting with unique uuid
Categories
(Firefox :: Screenshots, defect)
People
(Reporter: oreophilum, Unassigned)
Attachments
(1 file)
105.50 KB, image/png
Steps to reproduce:
- Go to https://earthlng.github.io/testpages/screenshots_FP.html
- Right click
- Click on "Take Screenshot"
See also: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40007#note_2774655
<h1>Mozilla Screenshots testpage</h1>
<h3>Mozilla Screenshots is awesome! Test it here and take a screenshot, you'll love it!</h3>
<img id="i" src="https://s26.postimg.org/swqpd6nev/1240885692.jpg">
<p><h3><div id="thx" style="color:red"></div></h3></p>
<script>
  // Poll every 500 ms for the iframe that Screenshots injects into the page.
  var intervalID = window.setInterval(myCallback, 500);
  function myCallback() {
    let a = document.getElementById('firefox-screenshots-preselection-iframe');
    if (a) {
      clearInterval(intervalID);
      // The iframe src is moz-extension://<uuid>/blank.html; strip it down to the UUID.
      let aa = a.src.replace('moz-extension://','').replace('/blank.html','');
      let b = document.getElementById('thx');
      b.innerText = "It's great, isn't it?! Oh and thanks btw, we now have your unique and permanent Screenshots random-UUID: " + aa;
      // Swap the image to show that the page noticed the screenshot tool.
      let c = document.getElementById('i');
      c.src = "https://s26.postimg.org/g42ld9bt3/1240941693.jpg";
    }
  }
</script>
Actual results:
The website adds a fingerprint. In the attached screenshot, the upper Firefox window shows the website before the screenshot at step 1. The bottom Firefox window shows the website after clicking on "Take Screenshot" after step 3.
Expected results:
The website shouldn't be able to notice that I'm creating a screenshot, and it shouldn't have access to the unique Screenshots UUID for fingerprinting.
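As an added example (not code from this bug report or from Mozilla): a check an extension author could run in tests over the serialized page markup, after the content script has injected its UI, to flag every attribute that exposes a `moz-extension://` origin to page scripts. It goes beyond the iframe `src` in the report by scanning all attributes. The function name, sample markup and UUID are constructed, and the 8-4-4-4-12 UUID shape of the host is an assumption.

```javascript
// Added example: flag markup attributes that expose a moz-extension:// origin.
// Assumption: the host part has the standard 8-4-4-4-12 hex UUID shape.
const EXT_URL = /moz-extension:\/\/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/gi;
// Simplified start-tag scanner, adequate for serialized test markup (not a full HTML parser).
const TAG = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR = /([^\s=>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Returns one finding per leaked extension URL: which element, which attribute, which UUID.
function findLeakedExtensionOrigins(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG)) {
    // Collect the element's attributes first so the id is known for reporting.
    const attrs = {};
    for (const m of tag[2].matchAll(ATTR)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    for (const [name, value] of Object.entries(attrs)) {
      for (const hit of value.matchAll(EXT_URL)) {
        findings.push({
          tag: tag[1].toLowerCase(),
          id: attrs.id ?? null,
          attribute: name,
          uuid: hit[1].toLowerCase(),
        });
      }
    }
  }
  return findings;
}

// Constructed sample: markup as a page script would see it once the overlay iframe exists.
const SAMPLE_UUID = "01234567-89ab-4cde-8f01-23456789abcd"; // constructed, not a real install
const injected = `<h1>test</h1><img id="i" src="https://example.test/a.jpg">
<iframe id="firefox-screenshots-preselection-iframe" src="moz-extension://${SAMPLE_UUID}/blank.html"></iframe>`;
// Constructed counter-sample: an overlay frame that carries no extension URL.
const clean = `<img id="i" src="https://example.test/a.jpg"><iframe id="overlay" src="about:blank"></iframe>`;

console.log(findLeakedExtensionOrigins(injected)); // one finding: the iframe's src
console.log(findLeakedExtensionOrigins(clean));    // no findings
```

The scan covers attribute values in the page DOM only; it says nothing about whether a page can reach resources served from the `moz-extension://` origin.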
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox::Screenshots' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Reporter
Updated•4 years ago
I don't think this is a duplicate. The linked issue deals with origin headers. This issue deals with the ability of web pages to access DOM injected by extensions and/or access to "moz-ext" served resources (Bug 1717671). I do recall a petition for a "secure overlay API" which could prevent this kind of tracking (Bug 1340930).
Comment 4•4 years ago
I'm adjusting the duplicate bug reference here though to point at a secure bug we have on file to cover this specific issue. The proposed overlay API doesn't have any road map and is unlikely to happen any time soon. However we are actively addressing this issue in the bugs filed under 1696573.
Updated•1 year ago