Open Bug 1885471 Opened 4 months ago Updated 13 days ago

Canvas Fingerprinting Protections do not apply to Service Workers

Categories

(Core :: DOM: Service Workers, defect, P3)

Firefox 123
defect

REOPENED

People

(Reporter: Joe, Unassigned)

References

Details

(Whiteboard: [fpp:m?])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Steps to reproduce:

  1. Enter a Private Window or set Enhanced Tracking Protection to Strict.
  2. Visit https://abrahamjuliot.github.io/fpworker/
  3. Compare hashes of canvas values.

Actual results:

Service Worker hash values are the same as they are when not in a Private Window or with Enhanced Tracking Protection set to Standard, allowing tracking via these values.

Expected results:

Canvas hash values should be consistent.

Also affects SharedWorkerGlobalScope as it seems.
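
A small triage helper for step 3 of the reproduction steps, as an added example that is not part of the original report or of Firefox's code: it takes canvas hashes already recorded per context in an unprotected run and in a Private Window / Strict run, and flags the contexts whose value did not change. The context names, the hash strings and the reading of "consistent" as "every context agrees within the protected run" are assumptions.

```javascript
// Added example: pass/fail triage for step 3 ("Compare hashes of canvas values").
// Context names and hash strings are constructed sample values, not real output.
const CONTEXTS = ["window", "sharedWorker", "serviceWorker"];

// baseline:     hashes recorded in a normal window with ETP set to Standard
// protectedRun: hashes recorded in a Private Window or with ETP set to Strict
function triageCanvasHashes(baseline, protectedRun) {
  const report = { leaking: [], missing: [], consistent: true, pass: false };
  const protectedValues = new Set();

  for (const ctx of CONTEXTS) {
    const base = baseline[ctx];
    const prot = protectedRun[ctx];
    if (typeof base !== "string" || typeof prot !== "string") {
      report.missing.push(ctx); // not measured, so it cannot be judged
      continue;
    }
    protectedValues.add(prot);
    // Unchanged from the unprotected run: the protection did not alter this context.
    if (prot === base) report.leaking.push(ctx);
  }

  // Assumption: "consistent" means every measured context agrees in the protected run.
  report.consistent = protectedValues.size <= 1;
  report.pass =
    report.leaking.length === 0 && report.missing.length === 0 && report.consistent;
  return report;
}

// Constructed readings mirroring the report: worker scopes keep the baseline value.
const SAMPLE_BASELINE = { window: "a1b2c3d4", sharedWorker: "a1b2c3d4", serviceWorker: "a1b2c3d4" };
const SAMPLE_STRICT = { window: "9f8e7d6c", sharedWorker: "a1b2c3d4", serviceWorker: "a1b2c3d4" };

const result = triageCanvasHashes(SAMPLE_BASELINE, SAMPLE_STRICT);
console.log(result.pass ? "PASS" : "FAIL", JSON.stringify(result));
```

A run where any context is missing is reported as a failure rather than a pass, so an unmeasured worker scope cannot hide a regression.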

Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Service Workers
Product: Firefox → Core
Flags: needinfo?(tom)

Thanks Joe, I have a few similar issues to dig into. While this is a bypass of the privacy protection, I don't think it needs to be hidden.

Group: dom-core-security
Flags: needinfo?(tom)
See Also: → 1878716
Whiteboard: [fpp:m?]

(In reply to Tom Ritter [:tjr] from comment #2)

> Thanks Joe, I have a few similar issues to dig into. While this is a bypass of the privacy protection, I don't think it needs to be hidden.

I thought so too, but better safe than sorry.

This issue, oddly, also affects Safari in the exact same way. I have a PoC that checks Safari's SharedWorker but it doesn't seem to catch the bug in Firefox for some reason. It does, however, catch the bug in the script in my original post.

https://github.com/Joe12387/safari-canvas-fingerprinting-exploit

Note that the policy decisions are made when RemoteWorkerData is populated here for ServiceWorkers and here for SharedWorkers (which should be propagating the value sampled by the SharedWorker binding here) and then applied to the worker when spawned here. This diagram of the uses of WorkerPrivate::GetLoadInfo may also be useful.

This is probably a situation where a Pernosco trace is probably a good starting point.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3

I can reproduce it in Nightly, and then I tested with a local build that included the patches from Bug 1878716 and this is resolved in it, so I'm going to dupe it to that issue.

If it doesn't get fixed when that lands, please re-open or notify me.

Status: NEW → RESOLVED
Closed: 3 months ago
Duplicate of bug: 1878716
Resolution: --- → DUPLICATE
See Also: 1878716

Hello.

The Service Worker context still leaks in regular browsing when Strict protections are enabled as of 127.0.1: https://abrahamjuliot.github.io/fpworker/

Thanks.

Status: RESOLVED → REOPENED
No longer duplicate of bug: 1878716
Resolution: DUPLICATE → ---