1805101 - Unable to login to sites using kasada.io anti-bot protection (eg twitch.tv and nike.com) if privacy.resistFingerprinting is enabled

Status: RESOLVED FIXED

(Core :: Privacy: Anti-Tracking, defect, P3)

Description

[Scott Percival]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0

Steps to reproduce:

• Have privacy.resistFingerprinting enabled
• Visit https://www.twitch.tv/login, refresh the page with network tools open
• Attempt to login

Actual results:

• As a precursor step, Twitch will send a POST to https://passport.twitch.tv/integrity. With privacy.resistFingerprinting enabled, the "duration" field on the x-kpsdk-cd header for that request (based on using performance.now() to measure before and after a piece of work) will have rounded down to zero. This is apparently not acceptable and will block with a 400, and the website will display the misleading error message "Your browser is not currently supported. Please use a recommended browser or learn more here.".

Expected results:

When x-kpsdk-cd has a non-zero duration, the POST to https://passport.twitch.tv/integrity will return a 200 with a token used for the next part of the login process as normal.
I'm aware that ruining the timer accuracy is very much an intentional part of privacy.resistFingerprinting, and disabling it is a viable workaround for now. Really this should be on Twitch to fix their API, but I just wanted to document this here given that the site's error message blames the user's choice of browser.
This is based on my reverse-engineering the client-side integrity check code, more information can be found in the thread at https://digipres.club/web/@moralrecordings/109496071241946138

Comment 1

[Scott Percival]

In an added bit of frustration it looks like CloudFront can sometimes cache the 400 response to the integrity check. On a couple of computers I had to change privacy.resistFingerprinting to false, then delete all of the Twitch cookies to force a cache miss, and logging in worked.

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 3

[Tom Ritter [:tjr]]

Very much like youtube's problem in Bug 1756970....

Comment 4

[Kestrel]

The x-kpsdk-cd request header is reportedly used by Kasada anti-bot protection, so multiple sites will be affected including nike.com (mentioned in Bug 1621729 Comment 18).

Bug 1811567 removed some performance API restrictions but login still fails with duration value of 0 or 16.667.

Comment 5

[Thorin [:thorin]]

but login still fails

is this a false positive and the real reason is the OS header !== the JS navigator when on linux/mac? Or does this still happen on windows? We should close that anyway for Firefox RFP and put it behind a flag for Tor Browser

Comment 6

[Kestrel]

twitch.tv login works on Windows with RFP (including before Bug 1811567) but not on Linux (even with UA changed to Linux).

nike.com login fails on both Windows and Linux with RFP and the following loosened settings:

privacy.resistFingerprinting = true	
privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts = false	
privacy.resistFingerprinting.exemptedDomains = *.nike.com	
privacy.resistFingerprinting.randomDataOnCanvasExtract = false	
privacy.resistFingerprinting.reduceTimerPrecision.jitter = false	
privacy.resistFingerprinting.reduceTimerPrecision.microseconds = 1	
privacy.resistFingerprinting.testGranularityMask = 4
general.useragent.override = Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0

Kasada uses VM obfuscation.

Comment 7

[Thorin [:thorin]]

with RFP and the following loosened settings ... general.useragent.override

general.useragent.override is ignored when RFP is enabled - just saying. You would need to use an extension to change any JS / HTTP header to test it ... or wait for RFP granularity

Comment 8

[Kestrel]

All the settings were used together and general.useragent.override does work for the HTTP header and navigator with an RFP domain exemption. It indicates the problem lies with features that have not yet been migrated to finer granularity control.

Without the RFP domain exemption, I used the extension User Agent Switcher to change UA.

It looks like it will be possible to toggle individual features with privacy.resistFingerprintingLite.overrides in the future which will be helpful for troubleshooting sites like this.

Comment 9

[Tom Schuster]

Thanks for the update. We actually seem to have a bug that causes us to not apply the resist fingerprinting exemption in this case.

Comment 10

[Tom Schuster]

The problem comes down to Document::RecomputeResistFingerprinting(), which uses the mChannel for calculating the resist fingerprinting state. However the fingerprinting script on nike.com seems to create an about:blank iframe, where the channel is never non-null. I am going to attach a test case that shows this problem.

I think the only way to fix this is to use the NodePrincipal() and nsContentUtils::ShouldResistFingerprinting_dangerous. We can then call RecomputeResistFingerprinting at the end of Document::SetPrincipals.

Comment 11

[Tom Schuster]

Attachment: Test case with null mChannel Document

Comment 12

[Tom Schuster]

Attachment: Bug 1805101 - Document::RecomputeResistFingerprinting should work with null mChannel. r?emilio!,tjr!

Comment 13

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Add a RFP test that runs in an about:blank document r?evilpie

Comment 14

[Tom Ritter [:tjr]]

I've attached a test that extends your test - this one will fail tests A/B with the current version of central, which is what this bug is about - RFP isn't being exempted correctly when it should be.

With the current version of your patch, it fails on tests G/H, which is the cookiejarsettings preventing an exempted subframe from being exempted when the framer is non-exempted.

Comment 15

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: If there _is_ a parent document, refer to it to determine if RFP should be exempted r?smaug

Comment 16

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Improve the event comparison in multiple RFP tests r?tschuster

Depends on D175505

Comment 17

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Replace JSON stringify with StructredClone and partial with Function.bind r?tschuster

Depends on D177085

Comment 18

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Clarify the purpose of the cross-origin domain, and don't pass them everywhere r?tschuster

Depends on D177086

Comment 19

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Add a hwconcurrency test that doesn't use about:blank r?tschuster

This is a dead-simple test that will run quickly and
be easily debuggable (via printf debugging).

Depends on D177087

Comment 20

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Add a test for blob: documents r?tschuster

Depends on D177088

Comment 21

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Add a test for about:srcdoc r?tschuster

Depends on D177089

Comment 22

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Add a test with a sandboxed iframe r?tschuster

Depends on D177090

Comment 23

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Add a test for data: documents r?tschuster

Depends on D177091

Comment 24

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Improve the postMessage data object that is passed r?tschuster

Depends on D177085

Comment 25

[Tom Ritter [:tjr]]

Attachment: Bug 1805101: Add a test for a blob framed by a cross-origin document r?tschuster

This may not be possible.

Depends on D177193

Comment 26

[Pulsebot]

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f79b0f21590a
If there _is_ a parent document, refer to it to determine if RFP should be exempted r=smaug,emilio
https://hg.mozilla.org/integration/autoland/rev/f78e24f7106d
Add a RFP test that runs in an about:blank document r=tschuster
https://hg.mozilla.org/integration/autoland/rev/e8c61d54bf1a
Improve the event comparison in multiple RFP tests r=tschuster
https://hg.mozilla.org/integration/autoland/rev/8bdd7a866d06
Improve the postMessage data object that is passed r=tschuster
https://hg.mozilla.org/integration/autoland/rev/ff9f6f1fecc0
Replace JSON stringify with StructredClone and partial with Function.bind r=tschuster
https://hg.mozilla.org/integration/autoland/rev/f79a9b025f85
Clarify the purpose of the cross-origin domain, and don't pass them everywhere r=tschuster
https://hg.mozilla.org/integration/autoland/rev/0aab7f02e865
Add a hwconcurrency test that doesn't use about:blank r=tschuster
https://hg.mozilla.org/integration/autoland/rev/3523dc5f0da4
Add a test for blob: documents r=tschuster
https://hg.mozilla.org/integration/autoland/rev/6dd60d08cb1a
Add a test for about:srcdoc r=tschuster
https://hg.mozilla.org/integration/autoland/rev/c060ab2847e2
Add a test with a sandboxed iframe r=tschuster
https://hg.mozilla.org/integration/autoland/rev/acb86e6b9a72
Add a test for data: documents r=tschuster
https://hg.mozilla.org/integration/autoland/rev/a7fad82e97d9
Add a test for a blob framed by a cross-origin document r=tschuster

Comment 28

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/f79b0f21590a
https://hg.mozilla.org/mozilla-central/rev/f78e24f7106d
https://hg.mozilla.org/mozilla-central/rev/e8c61d54bf1a
https://hg.mozilla.org/mozilla-central/rev/8bdd7a866d06
https://hg.mozilla.org/mozilla-central/rev/ff9f6f1fecc0
https://hg.mozilla.org/mozilla-central/rev/f79a9b025f85
https://hg.mozilla.org/mozilla-central/rev/0aab7f02e865
https://hg.mozilla.org/mozilla-central/rev/3523dc5f0da4
https://hg.mozilla.org/mozilla-central/rev/6dd60d08cb1a
https://hg.mozilla.org/mozilla-central/rev/c060ab2847e2
https://hg.mozilla.org/mozilla-central/rev/acb86e6b9a72
https://hg.mozilla.org/mozilla-central/rev/a7fad82e97d9