Closed Bug 1828538 Opened 2 years ago Closed 2 years ago

Relay extension reveals unique user fingerprint

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dveditz, Unassigned)

References

Details

(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [fingerprinting])

I can't find a bug on this but I know we've discussed it internally. The Firefox Relay extension adds detectable content to web pages with email fields. Not only does it reveal "this is a Relay user", it actually reveals a unique identifier for the user that can be used for tracking. For example, a page can do:

document.querySelector("#fx-relay-button")?.style["background-image"]

Adding :maxx.

Note: We changed the add-on to put the content in an iframe, so a page CANNOT see the list of someone's aliases:

https://github.com/mozilla/fx-private-relay-add-on/blob/ef22b492b290cb19b0ae93f83914d7ec939591f8/src/js/other-websites/add_input_icon.js#L82-L105

But you're right - we still add an element to the page that reveals the existence of the Relay button to the page. I don't think we ever designed a way to add the button to the page in a way that's invisible to the page. Not sure that's even possible?

Mitigation (:maxx to verify): When a user disables the in-page icon, we don't add anything to the page that could be detected.

Flags: needinfo?(mcrawford)

(In reply to Luke Crouch [:groovecoder] from comment #2)

But you're right - we still add an element to the page that reveals the existence of the Relay button to the page. I don't think we ever designed a way to add the button to the page in a way that's invisible to the page. Not sure that's even possible?

You can use the devtools highlighter anon frame stuff. But you'd need an ExtensionAPI thing or switch to a component. There were similar bugs in screenshots, and I've CC'd you - bug 1389707 and bug 1414937, but they ended up plumping for a component integration. I've heard that's on the cards for Relay but have no details. I don't know if, once you have a look at that stuff, you would want to fix this before switching to a builtin integration or after. Switching doesn't magically fix this problem, so to some degree the effort is orthogonal, but the extension would need an ExtensionAPI / privileged api wrapper around the anon frame stuff.

I think for an one-off case like this you might be able to use a Blob for the image and URL.createObjectURL.

(In reply to Tom Schuster (MoCo) from comment #4)

I think for an one-off case like this you might be able to use a Blob for the image and URL.createObjectURL.

That would help with the unique ID but not with revealing the presence of relay.

let's do 1 thing at a time. :maxx - what do you think about

const makeNewAliasImage = "data:image/svg+xml;base64,...";
relayIconBtn.style.backgroundImage = `url(${makeNewAliasImagePath})`;
See Also: → 1713196

Hey all! I have a PR addressing this. This sets the background image as a data:image in the CSS directly.

https://github.com/mozilla/fx-private-relay-add-on/pull/499

Flags: needinfo?(mcrawford)

PR has been approved / merged. We can mark this as closed once the next version of the add-on ships.

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)
Severity: -- → S3
Flags: needinfo?(sgalich)

(In reply to Maxx Crawford [:mcrawford :maxx :maxxcrawford] from comment #8)

PR has been approved / merged. We can mark this as closed once the next version of the add-on ships.

My understanding is you've fixed the unique identifier bit, but not the "this is a relay user" part. Can we make sure we file a follow-up for that part?

Flags: needinfo?(mcrawford)

(In reply to :Gijs (he/him) from comment #10)

(In reply to Maxx Crawford [:mcrawford :maxx :maxxcrawford] from comment #8)

PR has been approved / merged. We can mark this as closed once the next version of the add-on ships.

My understanding is you've fixed the unique identifier bit, but not the "this is a relay user" part. Can we make sure we file a follow-up for that part?

Note that this morning, the new version of the add-on was released!

Do you want me to open a new bug or should we use this one?

Flags: needinfo?(mcrawford) → needinfo?(gijskruitbosch+bugs)

(In reply to Maxx Crawford [:mcrawford :maxx :maxxcrawford] from comment #11)

Do you want me to open a new bug or should we use this one?

A new one probably makes sense at this point - Luke was right in comment #6 that one thing per bug makes it easier to track. :-)

Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(mcrawford)

Copy that. Calling this fixed for this context then.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(mcrawford)
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.