Closed Bug 1892638 Opened 1 year ago Closed 1 year ago

Vulnerability - a website could detect opening the browser devtools with 100% accuracy due to a bug in previewers.js

Categories

(DevTools :: Console, defect, P3)

Product:
DevTools
Component:
Console
Type:
defect

Tracking

(firefox-esr128 wontfix, firefox133 fixed)

Status:
RESOLVED FIXED
Milestone:
133 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- wontfix
firefox133 --- fixed

People

(Reporter: matan.honig2, Assigned: ochameau)

References

(Depends on 1 open bug)

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main133-])

Attachments

(6 files)

POC.html
530 bytes, text/html
Details
POC-crasher.html
1.60 KB, text/html
Details
Bug 1892638 - [devtools] Rename WebConsoleActor.parentActor attribute to targetActor.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1892638 - [devtools] Rename StyleSheetsActor.parentActor attribute to targetActor.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1892638 - [devtools] Expose a `targetGlobal` attribute on all target actors.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1892638 - [devtools] Avoid triggering any page JS when previewing RegExp and Date.
48 bytes, text/x-phabricator-request
Details | Review
Attached file POC.html

Firefox: 124.0.2 FedoraKDE38
A website could use a simple technique (simple console.log) to detect if the user has the DevTools open.
The file source/devtools/server/actors/object/previewers.js (lines 174-198) has this code:

 RegExp: [...
      const str = DevToolsUtils.callPropertyOnObject(obj, "toString");
...
  ],

  Date: [...
      const time = DevToolsUtils.callPropertyOnObject(obj, "getTime");
...  ],

That uses DevToolsUtils.callPropertyOnObject that calls the function toString when displaying RegExp, and the function getTime when displaying a Date. Both called on the original object from the debugger scope, and both only called when user open the developer console. So to exploit this, a website just needs to do this (both options in the POC):

const d = new Date()
d.getTime = ()=>{console.log("devtools detected");}
console.log(d)

That information can be used to track users, and block users that open it, or worse, creating a different site for users with developer tools (e.g. infinity console.log %c{wikipedia} with huge CSS to crash the computer), and users without (e.g. with all tracking, ads and possibly any virus/miner you want)

Flags: sec-bounty?
Attached file POC-crasher.html

This is another POC that's acting as a wall between another website and the user. It uses the same option as the previous POC, but this time, if DevTools detected, it will create huge amount of output in the console, and possibly even disable it (or crash the DevTools itself). This POC focus more on the possible effects of this vulnerability

Component: Security → General
Product: Firefox → DevTools
Component: General → Console
Flags: needinfo?(dveditz)
Status: UNCONFIRMED → NEW
Ever confirmed: true

This is annoying and could let a malicious page try to avoid observation, but it's not itself an attack on users (a vulnerability) so we can un-hide this

Group: firefox-core-security
Flags: needinfo?(dveditz)
Keywords: csectype-dos, privacy, sec-other

Jan: why do we call the functions defined by the web page here? Could this be made optional and off by default?

custom toString() makes some sense to me, but why getTime()?

Flags: needinfo?(odvarko)

Ah, it would be great to address this issue, as developers have frequently requested improvements to the detection of devtools.

Alex, this was added as part of work on WebReplay patch by Brian. How important is that at this point?

Honza

Flags: needinfo?(odvarko) → needinfo?(poirot.alex)

(In reply to Jan Honza Odvarko [:Honza] (always need-info? me) from comment #4)

Alex, this was added as part of work on WebReplay patch by Brian. How important is that at this point?

That patch didn't really change the way for queries the date time.
We were already calling getTime before that patch:
https://searchfox.org/mozilla-central/rev/f9580519b8330941c127f56757f7ec6401a96568/devtools/server/actors/object/utils.js#297

But this is a know issue, we have a couple of duplicates.
See bug 1789258 comment 4 for a mitigation. The preview of objects are weak and should avoid at all cost triggering any JS code.
This is wrong as it allows to detect devtools, but also wrong for the debugger as it can trigger code and breakpoints in unexpected ways...

Now, I wish we could rather work on bug 1876084, which would get rid of all that problematic code, in favor of a more performant C++ code,
which would take care of avoiding triggering any JS code.

Flags: needinfo?(poirot.alex)
See Also: → 1789258
Severity: -- → S3
Depends on: 1876084
Priority: -- → P3

It's unfortunate that there are a lot of ways to detect dev tools being open, and while we'd like to fix and reduce them it's a known general problem that we are not going to award a bounty for.

Flags: sec-bounty? → sec-bounty-

Understandable. While it could be seen as an attack on user freedom, which Mozilla values and aims to protect (ensuring users can safeguard themselves and trust their browser), it is not a classic attack on Firefox itself.

Assignee: nobody → poirot.alex
Status: NEW → ASSIGNED

This helps various actors retrieve the global object:

  • a Window for any WindowGlobal targets,
  • a Sandbox for content process targets,
  • a Worker global scope for worker targets,
  • a Sandbox for the web extension content script targets (to be added soon).

Here is another handy example:
data:text/html,<script>let r = / /; r.toString = ()=> {alert("called")}; window.onclick = () => console.log(r);</script>

For RegExp and Date, we can actually query the native methods, the last patch of this queue is doing that.
The previous changesets are cleanups.

https://treeherder.mozilla.org/jobs?repo=try&revision=d238b1c7658c07dc4e2962174f93d7d94c66594e

Pushed by apoirot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f1e9d13170a [devtools] Rename WebConsoleActor.parentActor attribute to targetActor. r=devtools-reviewers,nchevobbe https://hg.mozilla.org/integration/autoland/rev/af8a2c66b412 [devtools] Rename StyleSheetsActor.parentActor attribute to targetActor. r=devtools-reviewers,nchevobbe https://hg.mozilla.org/integration/autoland/rev/646f8b499e3d [devtools] Expose a `targetGlobal` attribute on all target actors. r=devtools-reviewers,nchevobbe https://hg.mozilla.org/integration/autoland/rev/8f0b3000a74c [devtools] Avoid triggering any page JS when previewing RegExp and Date. r=devtools-reviewers,nchevobbe

I can confirm that for example streamruby is no longer detecting the Dev Tools in the latest Nightly 20241003213146.

For reference, I came across another site that detects Dev Tools.
This one affects the Console tab.
Example:
https://stmruby.com/2ssioxncsm0s.html

Script:
https://streamruby.com/js/devtools-detector.js

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main133-]

(In reply to Daniel Veditz [:dveditz] from comment #6)

It's unfortunate that there are a lot of ways to detect dev tools being open, and while we'd like to fix and reduce them it's a known general problem that we are not going to award a bounty for.

I have one PoC I'm 99.99% sure you can't fix without some major re-engineering (but IANAE) - and it's worked flawlessly for the last 5+ years without changes - do you want me to disclose it - do you want it in a confidential bug (so malicious websites don't learn of it)? Please advise

Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: