kasada.io anti-bot protected sites (eg nike.com, twitch.tv) fail login with UTC timezone spoofing on Linux
Categories: Core :: Privacy: Anti-Tracking, defect, P3
People: Reporter: ke5trel, Assigned: pierov
References: Blocks 1 open bug
Attachments: 1 file
Continuation of Bug 1805101.
STR:
- Enable RFP or FPP on latest Nightly 115.0a1 (2023-05-30) on Windows 11.
- Visit nike.com and login.
Fails with message:
We are unable to connect to our servers right now. Please try again later.
GENERIC "0 - POST request to https://unite.nike.com/login blocked"
Also doesn't work on Linux but likely requires an override for platform spoofing.
Comment 1•1 year ago
What we fixed in Bug 1805101 is to make it possible to successfully opt-out of fingerprinting protection for this specific site so that it starts working again. (At least I hope this works, I haven't tested it again)
I am not sure why exactly this site breaks with fingerprinting protection, it might be related to canvas. From what I remember this site was doing a lot of other fingerprinting.
Updated•1 year ago
This is due to UTC timezone spoofing. Enabling all RFPTargets except for JSDateTimeUTC allows login to work for both nike.com and twitch.tv on Linux:
privacy.fingerprintingProtection = true
privacy.fingerprintingProtection.overrides = +TouchEvents,+PointerEvents,+KeyboardEvents,+SpeechSynthesis,+ScreenOrientation,+IgnoreTargetAndReturnCachedValue,+IsAlwaysEnabledForPrecompute,+CSSPrefersColorScheme,+CSSPrefersReducedMotion,+CSSPrefersContrast,+CanvasRandomization,+CanvasImageExtractionPrompt,+CanvasExtractionFromThirdPartiesIsBlocked,+NavigatorAppName,+NavigatorAppVersion,+NavigatorBuildID,+NavigatorHWConcurrency,+NavigatorOscpu,+NavigatorPlatform,+NavigatorUserAgent,+StreamTrackLabel,+StreamVideoFacingMode,-JSDateTimeUTC,+JSMathFdlibm
Similarly, disabling all RFPTargets except JSDateTimeUTC causes login to fail. The only oddity is that twitch.tv login works with timezone spoofing on Windows but not Linux.
FPP is no longer affected since it does not spoof timezone since Bug 1834744.
Comment 3•1 year ago
That's just weird, because the TZ spoof is not breaking any standards - I mean we have to use a TZ and the one we use is valid and is used everywhere applicable, i.e. no information paradoxes. The only "paradox" is your geo IP, but users could be using a VPN, or be traveling, and why pick on Linux and not Windows. Very strange (not refuting the tests), but this is consistent with reports elsewhere that to login on twitch required disabling RFP (and clearing all cookies?), then logging in, then you could flip RFP back on (and don't sanitize twitch on close).
Comment 4•1 year ago
The issue is with UTC itself: running with the environment variable TZ=UTC and no fingerprint protections also fails to login, while it works with different VPN geolocations that do not match the timezone, as long as it is not UTC.
Linux is affected but not Windows. Spoofing as Windows does not permit login, the Navigator UA (and sometimes Header) needs to be accurate (Bug 1840385).
Comment 6•8 months ago
Our patch for the Tor Browser:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/cc050dd945bd6251cb6dadcd7d7123a9c2fb22fb
Updated•4 months ago
Comment 7•4 months ago
Atlantic/Reykjavik stays on UTC during all the year, but it is less likely to be blocked than plain UTC.
Comment 9•4 months ago
Backed out for causing SpiderMonkey failures
Backout link: https://hg.mozilla.org/integration/autoland/rev/eba853d42fc367277ce466fcfa5c7db29df077fe
Comment 10•4 months ago
Updated the test and ran a try auto (https://treeherder.mozilla.org/jobs?revision=4ff18829da8d29c5991c23e90df2668dcb78a518&repo=try), which seems successful.
Comment 11•4 months ago
Comment 12•4 months ago
You need to define the locale (from resolved options) and timezone in tests and compare to undefined locale + timezone. None of this "ends with": this is no longer UTC and is now localized.
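The point made in comment 7 (Atlantic/Reykjavik has a zero offset all year but is not the "UTC" identifier) and in comment 12 (a test must compare the exact resolved locale and time zone, not check whether the name ends with "UTC") can be seen with the following helper. This is an added example, not code from the bug, from Firefox's test suite, or from the Tor Browser patch; the function names resolveZone and isSpoofedAs, the reference instant, and the reliance on Node.js with full ICU time zone data are assumptions.

```javascript
// resolveZone: report a time zone the way Intl.DateTimeFormat resolves it
// (the same resolvedOptions() a test or a web page would read) and compute
// its UTC offset, in minutes, at a fixed reference instant.
// Reference instant is constructed for the example (summer, so DST zones
// show a DST offset).
function resolveZone(timeZone, locale = "en-US", at = new Date("2024-07-01T12:00:00Z")) {
  const dtf = new Intl.DateTimeFormat(locale, {
    timeZone,
    hourCycle: "h23",
    year: "numeric", month: "2-digit", day: "2-digit",
    hour: "2-digit", minute: "2-digit", second: "2-digit",
  });
  const resolved = dtf.resolvedOptions();

  // Rebuild the wall-clock time in that zone from the formatted parts and
  // treat it as if it were UTC; the difference to the real instant is the
  // zone's offset at that moment.
  const parts = Object.fromEntries(
    dtf.formatToParts(at)
      .filter((p) => p.type !== "literal")
      .map((p) => [p.type, Number(p.value)])
  );
  const wallClockAsUtc = Date.UTC(
    parts.year, parts.month - 1, parts.day,
    parts.hour, parts.minute, parts.second
  );
  const offsetMinutes = Math.round((wallClockAsUtc - at.getTime()) / 60000);

  return {
    locale: resolved.locale,
    timeZone: resolved.timeZone,
    offsetMinutes,
    // Only the bare "UTC" identifier counts as plain UTC; a named zone that
    // happens to sit at offset 0 (Atlantic/Reykjavik) does not.
    isPlainUTC: resolved.timeZone === "UTC",
  };
}

// isSpoofedAs: the exact comparison comment 12 asks for. A test defines
// the locale and time zone it expects and compares both fields verbatim,
// instead of a loose "ends with UTC" check that would pass for the bare
// identifier and fail once the spoofed zone is a named one.
function isSpoofedAs(actual, expected) {
  return actual.locale === expected.locale && actual.timeZone === expected.timeZone;
}

// Stand-alone demonstration when run directly.
if (typeof require !== "undefined" && require.main === module) {
  for (const tz of ["UTC", "Atlantic/Reykjavik", "America/New_York"]) {
    console.log(resolveZone(tz));
  }
}
```

Both "UTC" and "Atlantic/Reykjavik" resolve with offsetMinutes 0, but only the first has isPlainUTC true, and isSpoofedAs(resolveZone("Atlantic/Reykjavik"), resolveZone("UTC")) is false: the spoofed browser no longer looks like plain UTC, which is exactly what the updated test has to assert on.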
Comment 13•4 months ago
Updated•4 months ago