Attackers could bypass LetterBox in tor browser
Categories: Core :: Security, defect
People: Reporter: c4waero9, Unassigned
Attachments (1 file): 12.42 KB, text/html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Steps to reproduce:
Proof of concept of a webpage which allows attackers to bypass LetterBox and get the actual screen dimensions of a user [works on tor too].
Proof of concept video: https://vimeo.com/745627089
Actual results:
The script I designed only displays the screen dimensions to the user, but of course an attacker could set up a server which sends this info to them.
Proof of concept video: https://vimeo.com/745627089
Expected results:
LetterBox should have worked as expected and prevented the webpage from knowing the exact screen size of the user.
Comment 1 • 2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
GitHub repo for further information: https://github.com/a7maadf/Bypass-LetterBoxing
Updated • 2 years ago
Comment 3 • 2 years ago
IMO this is a duplicate of Bug 1450401
Bug 1450401, initially about leaking screen (which also leaks if you resize), hence LBing to mitigate changes to chrome, manual resizing, maximizing, includes LBing info as a known limitation, and the title still covers it: "mozFullScreen leaks exact screen resolution". In fact, even if LBing were working in fullscreen, the margins are enough to still be able to almost always extrapolate the screen size from known aspect ratios and calculated zoom/DPI/device pixel ratio (LBing is desktop only).
adding LBing to fullscreen won't stop the entropy IMO
I have no idea how feasible, but we should either gate FS API harder or disable it to properly mitigate = all in Bug 1450401
Dear all,
it appears that this vulnerability has been around for quite some time, as there have been bug reports about it for years (I personally never came across any of them before seeing the comments, hell I even thought that I am the first one to get across it); it also appears that Mozilla aren't planning to fix it anytime soon, so in the interim, I built an addon (extension) that will protect you and let you know if the website you're trying to access is vulnerable or not.
The extension is currently being reviewed by Mozilla, so until then you'd have to install it manually through my public GitHub repo (https://github.com/a7maadf/LetterBoxingADV).
Regards,
Ahmad
Updated • 2 years ago
Updated • 2 years ago