Bug Bounty Report: GPU Characteristic Leak in Firefox
Categories: Core :: Graphics: CanvasWebGL, defect
People: Reporter: salahlouffidi, Unassigned, NeedInfo
Details: Keywords: privacy, reporter-external; Whiteboard: [client-bounty-form][fingerprinting]
Attachments: 1 file (33.35 KB, image/png)
Summary:
A vulnerability has been identified in Firefox that allows a malicious website to retrieve detailed GPU information using WebGL, which may expose the user's hardware characteristics. This information can be used for fingerprinting and tracking purposes. The issue is similar to previously reported vulnerabilities in other browsers but presents unique risks in the context of Firefox's privacy-focused user base.
Vulnerability Details:
Browser Affected: Mozilla Firefox
Vulnerability Type: Information Disclosure (GPU Characteristic Leak)
Impact: Medium
Components Involved: WebGL, WEBGL_debug_renderer_info extension
Description:
The vulnerability allows any website with access to WebGL to extract detailed GPU information from the user's system. The provided Proof of Concept (PoC) demonstrates that the GPU vendor, model, and the rendering engine are disclosed. This data includes specific identifiers such as the GPU model and driver version, which can be used to create a unique fingerprint of the user's device.
Proof of Concept (PoC):
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>GPU Information</title>
</head>
<body>
  <h1>GPU Information</h1>
  <button id="gpuButton">Show GPU Information</button>
  <div id="gpuInfo" style="margin-top: 20px;"></div>
  <script>
    // Function to show GPU information
    function showGPUInformation() {
      const canvas = document.createElement('canvas');
      const gl = canvas.getContext('webgl') || canvas.getContext('experimental-webgl');
      if (gl) {
        const debugInfo = gl.getExtension('WEBGL_debug_renderer_info');
        if (debugInfo) {
          const vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
          const renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
          const gpuInfo = `
            <p>GPU Vendor: ${vendor}</p>
            <p>GPU Renderer: ${renderer}</p>
          `;
          document.getElementById("gpuInfo").innerHTML = gpuInfo;
        } else {
          document.getElementById("gpuInfo").innerHTML = "<p>WebGL Debug Renderer Info not available.</p>";
        }
      } else {
        document.getElementById("gpuInfo").innerHTML = "<p>WebGL not supported in this browser.</p>";
      }
    }
    // Attach the click event to the button
    document.getElementById("gpuButton").addEventListener("click", showGPUInformation);
  </script>
</body>
</html>
the output
output.png
The detailed GPU information can be exploited to create a persistent fingerprint of the user's device, even if other privacy measures are in place (e.g., clearing cookies or using VPNs). This persistent fingerprint can undermine the user's anonymity, making them susceptible to tracking across different sessions and websites.
Steps to Reproduce:
1. Open the provided PoC HTML file in Firefox.
2. Click the "Show GPU Information" button.
3. Observe the GPU vendor and renderer details displayed on the webpage.
Recommended Fix:
To mitigate this issue, it is recommended to restrict access to detailed GPU information through the WebGL API by either:
- Disabling the WEBGL_debug_renderer_info extension by default.
- Masking or generalizing the output provided by this extension to reduce the specificity of the information exposed.
References:
Similar vulnerabilities in Chromium-based browsers have been addressed by limiting the granularity of GPU information accessible through WebGL.
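An added example, not part of the original report and not Firefox code: one way the "masking or generalizing" option in the recommended fix could behave, reducing vendor and renderer strings to coarse buckets and counting how many distinct values remain. The function names, bucket names, patterns and sample renderer strings are all constructed assumptions.

```javascript
// Added example: coarse bucketing of WebGL renderer strings (not Firefox code).
// All renderer strings, patterns and bucket names below are constructed.
const SAMPLE_RENDERERS = [
  "ANGLE (NVIDIA, NVIDIA GeForce GTX 1060 6GB Direct3D11 vs_5_0 ps_5_0, D3D11-31.0.15.3623)",
  "ANGLE (NVIDIA, NVIDIA GeForce RTX 3070 Direct3D11 vs_5_0 ps_5_0, D3D11-31.0.15.4601)",
  "ANGLE (Intel, Intel(R) UHD Graphics 620 Direct3D11 vs_5_0 ps_5_0, D3D11-27.20.100.9664)",
  "ANGLE (Intel, Intel(R) HD Graphics 4000 Direct3D11 vs_5_0 ps_5_0, D3D11-10.18.10.5161)",
  "AMD Radeon RX 580 Series (polaris10, LLVM 15.0.7, DRM 3.49, 6.1.0-13-amd64)",
  "Mesa Intel(R) Xe Graphics (TGL GT2)",
];

// Ordered rules. \bamd\b keeps a kernel suffix such as "amd64" from
// misclassifying a non-AMD renderer string.
const BUCKETS = [
  { pattern: /nvidia|geforce|quadro/i, vendor: "NVIDIA", renderer: "NVIDIA GPU" },
  { pattern: /\bamd\b|radeon/i, vendor: "AMD", renderer: "AMD GPU" },
  { pattern: /intel/i, vendor: "Intel", renderer: "Intel GPU" },
];
const FALLBACK = { vendor: "Generic", renderer: "Generic GPU" };

// Map a raw UNMASKED_* pair to a coarse pair with no model or driver version.
function generalizeGpuInfo(rawVendor, rawRenderer) {
  const text = `${rawVendor ?? ""} ${rawRenderer ?? ""}`;
  const hit = BUCKETS.find((b) => b.pattern.test(text));
  // Unknown or empty input gets the fallback, never the raw string.
  const { vendor, renderer } = hit ?? FALLBACK;
  return { vendor, renderer };
}

// Number of distinct values a site could tell apart in a population.
function distinctCount(values) {
  return new Set(values).size;
}

// Compare distinguishable values before and after generalization.
function compareExposure(renderers) {
  const masked = renderers.map((r) => generalizeGpuInfo("", r).renderer);
  return { raw: distinctCount(renderers), masked: distinctCount(masked) };
}

console.log(compareExposure(SAMPLE_RENDERERS)); // { raw: 6, masked: 3 }
```

Coarser buckets shrink the number of distinguishable values but do not remove the signal entirely; the vendor family is still exposed.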
Comment 2•2 months ago
We must have this on file somewhere as an issue, given we disable it when you enable privacy.resistfingerprinting and https://browserleaks.com/webgl has been around forever. But I can't find a bug that aims to do anything about this in normal browsing mode.
Given browserleaks we don't need to keep this hidden.
Comment 3•2 months ago
The privacy.resistfingerprinting change was bug 1337157
Comment 4•2 months ago
see Bug 1715690
Comment 6•2 months ago (Reporter)
Is this confirmed?
Comment 7•1 month ago
No, this is not confirmed.