Closed Bug 1788839 Opened 2 years ago Closed 2 years ago

Attackers could bypass LetterBox in tor browser

Categories: Core :: Security, defect

Tracking: RESOLVED DUPLICATE of bug 1450401

People

(Reporter: c4waero9, Unassigned)


Attachments

(1 file)

Attached file index.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36

Steps to reproduce:

Proof of concept of a webpage which allows attackers to bypass LetterBox and get the actual screen dimensions of a user [works on tor too].
Proof of concept video: https://vimeo.com/745627089

Actual results:

The script I designed only displays the screen dimensions to the user, but of course an attacker could set up a server which sends this info to them.
Proof of concept video: https://vimeo.com/745627089

Expected results:

LetterBox should have worked as expected and prevented the webpage from knowing the exact screen size of the user.

The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Component: Audio/Video: Playback → Security

GitHub repo for further information: https://github.com/a7maadf/Bypass-LetterBoxing

IMO this is a duplicate of Bug 1450401

Bug 1450401, initially about leaking screen (which also leaks if you resize), so hence LBing to mitigate changes to chrome, manual resizing, maximizing, includes LBing info as a known limitation, and the title still covers it: "mozFullScreen leaks exact screen resolution"; in fact even if LBing were working in fullscreen, the margins are enough to still be able to almost always extrapolate the screen size from known aspect ratios and calculated zoom/DPI/device pixel ratio (LBing is desktop only)

adding LBing to fullscreen won't stop the entropy IMO

I have no idea how feasible, but we should either gate FS API harder or disable it to properly mitigate = all in Bug 1450401

Flags: needinfo?(tom)

Dear all,
it appears that this vulnerability has been around for quite some time, as there have been bug reports about it for years (I personally never came across any of them before seeing the comments; hell, I even thought that I was the first one to come across it); it also appears that Mozilla aren't planning to fix it anytime soon, so in the interim, I built an addon (extension) that will protect you and let you know if the website you're trying to access is vulnerable or not.
The extension is currently being reviewed by Mozilla, so until then you'd have to install it manually through my public GitHub repo (https://github.com/a7maadf/LetterBoxingADV).
Regards,
Ahmad
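The bug above hinges on a page calling the Fullscreen API, which is the step that exposes the real screen size regardless of letterboxing. The block below is an added illustration of a user-side mitigation in the spirit of the extension the reporter describes; it is not the LetterBoxingADV extension's code, not Firefox code, and not taken from this bug. It wraps `requestFullscreen` on a prototype so that every fullscreen request is logged and surfaced to the user, and requests on element types the user has not allowed are rejected. The names `installFullscreenGuard`, `makeFakeProto` and `demo` are assumptions for this example; `makeFakeProto` is a constructed stand-in for `Element.prototype` so the block runs outside a browser. In an actual content script you would pass `Element.prototype` and a notifier that shows a visible warning.

```javascript
// Added example (not the reporter's extension, not Firefox code): wrap
// requestFullscreen so the user learns when a page asks for fullscreen.
// `proto` is normally Element.prototype; `notify(message)` shows the warning;
// `allow(tagName)` decides whether the request may proceed.
function installFullscreenGuard(proto, notify, allow) {
  const original = proto.requestFullscreen;
  if (typeof original !== "function") {
    throw new TypeError("requestFullscreen is not a function on the given prototype");
  }
  const log = []; // one { tag, allowed } record per request, oldest first

  proto.requestFullscreen = function guardedRequestFullscreen(...args) {
    const tag = this && this.tagName ? String(this.tagName).toLowerCase() : "unknown";
    const allowed = Boolean(allow(tag));
    log.push({ tag, allowed });
    notify(
      `page requested fullscreen on <${tag}>; this can reveal the real screen size` +
        (allowed ? "" : " (blocked)")
    );
    if (!allowed) {
      // Mirror the API's shape: a rejected promise, as the browser would return
      // for a disallowed request. Callers must handle the rejection.
      return Promise.reject(new Error("fullscreen request blocked by guard"));
    }
    return original.apply(this, args);
  };

  return {
    log,
    // Put the original method back, e.g. when the extension is disabled.
    restore() {
      proto.requestFullscreen = original;
    },
  };
}

// Constructed stand-in for Element.prototype so the example runs in Node.
function makeFakeProto() {
  return {
    requestFullscreen() {
      return Promise.resolve("entered");
    },
  };
}

// Exercise the guard against two constructed elements: a <video> that the
// user policy allows and a <div> that it does not. Returns what was observed
// so the behaviour can be checked without a browser.
function demo() {
  const proto = makeFakeProto();
  const messages = [];
  const guard = installFullscreenGuard(
    proto,
    (m) => messages.push(m),
    (tag) => tag === "video" // assumed policy: only media elements may go fullscreen
  );
  const video = Object.assign(Object.create(proto), { tagName: "VIDEO" });
  const div = Object.assign(Object.create(proto), { tagName: "DIV" });

  const videoResult = video.requestFullscreen(); // passes through to the original
  const divResult = div.requestFullscreen(); // rejected by the guard
  divResult.catch(() => {}); // handled here so the demo does not leave a stray rejection

  guard.restore();
  const restored = proto.requestFullscreen === makeFakeProto().requestFullscreen.toString()
    ? false
    : typeof proto.requestFullscreen === "function" && proto.requestFullscreen.name !== "guardedRequestFullscreen";

  return { log: guard.log, messages, videoResult, divResult, restored };
}
```

Design note: the guard decides synchronously and records the decision before returning, so a user interface (or a test) can inspect `log` immediately; the returned promises keep the API's shape so pages that await `requestFullscreen()` behave as they would with a browser refusal.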

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(tom)