Open Bug 1835987 Opened 1 year ago Updated 3 months ago

kasada.io anti-bot protected sites (eg nike.com, twitch.tv) fail login with UTC timezone spoofing on Linux

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 115
Unspecified
Linux
defect

Tracking Status
firefox115 --- affected

People

(Reporter: ke5trel, Unassigned)

References

(Blocks 1 open bug)

Details

Continuation of Bug 1805101.

STR:

  1. Enable RFP or FPP on latest Nightly 115.0a1 (2023-05-30) on Windows 11.
  2. Visit nike.com and login.

Fails with message:

We are unable to connect to our servers right now. Please try again later.

GENERIC "0 - POST request to https://unite.nike.com/login blocked"

Also doesn't work on Linux but likely requires an override for platform spoofing.

What we fixed in Bug 1805101 is to make it possible to successfully opt out of fingerprinting protection for this specific site so that it starts working again. (At least I hope this works; I haven't tested it again.)

I am not sure why exactly this site breaks with fingerprinting protection, it might be related to canvas. From what I remember this site was doing a lot of other fingerprinting.

Severity: -- → S3
Priority: -- → P3

This is due to UTC timezone spoofing: enabling all RFPTargets except JSDateTimeUTC allows login to work for both nike.com and twitch.tv on Linux:

privacy.fingerprintingProtection = true
privacy.fingerprintingProtection.overrides = +TouchEvents,+PointerEvents,+KeyboardEvents,+SpeechSynthesis,+ScreenOrientation,+IgnoreTargetAndReturnCachedValue,+IsAlwaysEnabledForPrecompute,+CSSPrefersColorScheme,+CSSPrefersReducedMotion,+CSSPrefersContrast,+CanvasRandomization,+CanvasImageExtractionPrompt,+CanvasExtractionFromThirdPartiesIsBlocked,+NavigatorAppName,+NavigatorAppVersion,+NavigatorBuildID,+NavigatorHWConcurrency,+NavigatorOscpu,+NavigatorPlatform,+NavigatorUserAgent,+StreamTrackLabel,+StreamVideoFacingMode,-JSDateTimeUTC,+JSMathFdlibm

Similarly, disabling all RFPTargets except JSDateTimeUTC causes login to fail. The only oddity is that twitch.tv login works with timezone spoofing on Windows but not Linux.

FPP is no longer affected since it does not spoof timezone since Bug 1834744.

Depends on: 1834744
Summary: Still unable to login to nike.com on Windows with privacy.resistFingerprinting (kasada.io anti-bot protection) → kasada.io anti-bot protected sites (eg nike.com, twitch.tv) fail login with UTC timezone spoofing (more so on Linux)

That's just weird, because the TZ spoof is not breaking any standards - I mean we have to use a TZ and the one we use is valid and is used everywhere applicable, i.e. no information paradoxes. The only "paradox" is your geo IP, but users could be using a VPN, or be traveling, and why pick on Linux and not Windows. Very strange (not refuting the tests), but this is consistent with reports elsewhere that to login on twitch required disabling RFP (and clearing all cookies?), then logging in, then you could flip RFP back on (and don't sanitize twitch on close).

The issue is with UTC itself: running with the environment variable TZ=UTC and no fingerprint protections also fails to log in, while it works with different VPN geolocations that do not match the timezone, as long as it is not UTC.

Linux is affected but not Windows. Spoofing as Windows does not permit login; the Navigator UA (and sometimes Header) needs to be accurate (Bug 1840385).

OS: Unspecified → Linux
Summary: kasada.io anti-bot protected sites (eg nike.com, twitch.tv) fail login with UTC timezone spoofing (more so on Linux) → kasada.io anti-bot protected sites (eg nike.com, twitch.tv) fail login with UTC timezone spoofing on Linux
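The UTC signal discussed in the comments above, as an added example that is not code from the bug report, from Firefox, or from any site or anti-bot vendor: it reads the clock values a page script can observe (Date#getTimezoneOffset and Intl's resolved time zone), flags the "UTC, zero offset all year" combination that a browser reports under the JSDateTimeUTC target or TZ=UTC, and cross-checks that the named zone and the numeric offsets agree, which is the "information paradox" test the thread mentions. The sample observations are constructed; which checks kasada.io actually runs is not known from this bug.

```javascript
// Added example (not from the bug or any vendor): what a page script can see
// about the browser clock, with a zone-vs-offset consistency cross-check.

// Minutes behind UTC for an IANA zone at `date`, derived from Intl so it can
// be compared with Date#getTimezoneOffset() (same sign convention: NY = +300).
function offsetForZone(zone, date) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone: zone, hourCycle: 'h23', year: 'numeric', month: 'numeric',
    day: 'numeric', hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(date);
  const p = Object.fromEntries(
    parts.filter((x) => x.type !== 'literal').map((x) => [x.type, Number(x.value)]));
  const wallAsUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  return Math.round((date.getTime() - wallAsUtc) / 60000);
}

// Pure classifier over observed values, so it runs on constructed input too.
function classifyTimezone({ zone, janOffsetMin, julOffsetMin }, year = 2023) {
  const [jan, jul] = [0, 6].map((m) => new Date(Date.UTC(year, m, 1, 12)));
  const utcNamed = /^(UTC|Etc\/UTC|Etc\/GMT|GMT)$/.test(zone);
  return {
    zone,
    // Zero offset all year with a UTC-named zone: what RFP's JSDateTimeUTC
    // target reports, and also what a host launched with TZ=UTC reports.
    reportsUtc: utcNamed && janOffsetMin === 0 && julOffsetMin === 0,
    // A DST step is common for real local zones but not universal (Asia/Tokyo).
    observesDst: janOffsetMin !== julOffsetMin,
    // Do the numeric offsets match the named zone? A uniform UTC spoof passes;
    // only a zone/offset mismatch is a genuine inconsistency.
    consistent: janOffsetMin === offsetForZone(zone, jan) &&
                julOffsetMin === offsetForZone(zone, jul),
  };
}

// Live probe of the running engine (browser or Node).
function probeTimezone(year = 2023) {
  return classifyTimezone({
    zone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    janOffsetMin: new Date(year, 0, 1, 12).getTimezoneOffset(),
    julOffsetMin: new Date(year, 6, 1, 12).getTimezoneOffset(),
  }, year);
}

// Constructed observations (not captured from any site).
const SAMPLES = {
  utcSpoof: { zone: 'UTC', janOffsetMin: 0, julOffsetMin: 0 },
  newYork: { zone: 'America/New_York', janOffsetMin: 300, julOffsetMin: 240 },
  tokyo: { zone: 'Asia/Tokyo', janOffsetMin: -540, julOffsetMin: -540 },
  mismatch: { zone: 'Europe/Berlin', janOffsetMin: 0, julOffsetMin: 0 },
};
```

Running `classifyTimezone` over `SAMPLES` shows that only `utcSpoof` has `reportsUtc: true`, and that it is internally consistent, so a site rejecting it is keying on UTC itself rather than on a contradiction; `probeTimezone()` shows the same signals for the current host.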