Open Bug 1916271 Opened 2 months ago Updated 1 month ago

Bug Bounty Report: GPU Characteristic Leak in Firefox

Categories

(Core :: Graphics: CanvasWebGL, defect)

Tracking

UNCONFIRMED

People

(Reporter: salahlouffidi, Unassigned, NeedInfo)

Details

(Keywords: privacy, reporter-external, Whiteboard: [client-bounty-form][fingerprinting])

Attachments

(1 file)

Attached image output.png

Summary:
A vulnerability has been identified in Firefox that allows a malicious website to retrieve detailed GPU information using WebGL, which may expose the user's hardware characteristics. This information can be used for fingerprinting and tracking purposes. The issue is similar to previously reported vulnerabilities in other browsers but presents unique risks in the context of Firefox's privacy-focused user base.

Vulnerability Details:
Browser Affected: Mozilla Firefox
Vulnerability Type: Information Disclosure (GPU Characteristic Leak)
Impact: Medium
Components Involved: WebGL, WEBGL_debug_renderer_info extension
Description:
The vulnerability allows any website with access to WebGL to extract detailed GPU information from the user's system. The provided Proof of Concept (PoC) demonstrates that the GPU vendor, model, and the rendering engine are disclosed. This data includes specific identifiers such as the GPU model and driver version, which can be used to create a unique fingerprint of the user's device.

Proof of Concept (PoC):

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>GPU Information</title>
</head>
<body>
    <h1>GPU Information</h1>

    <button id="gpuButton">Show GPU Information</button>

    <div id="gpuInfo" style="margin-top: 20px;"></div>

    <script>
        // Function to show GPU information
        function showGPUInformation() {
            const canvas = document.createElement('canvas');
            const gl = canvas.getContext('webgl') || canvas.getContext('experimental-webgl');

            if (gl) {
                const debugInfo = gl.getExtension('WEBGL_debug_renderer_info');
                if (debugInfo) {
                    const vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
                    const renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);

                    const gpuInfo = `
                        <p>GPU Vendor: ${vendor}</p>
                        <p>GPU Renderer: ${renderer}</p>
                    `;

                    document.getElementById("gpuInfo").innerHTML = gpuInfo;
                } else {
                    document.getElementById("gpuInfo").innerHTML = "<p>WebGL Debug Renderer Info not available.</p>";
                }
            } else {
                document.getElementById("gpuInfo").innerHTML = "<p>WebGL not supported in this browser.</p>";
            }
        }

        // Attach the click event to the button
        document.getElementById("gpuButton").addEventListener("click", showGPUInformation);
    </script>
</body>
</html>

The output:

output.png

The detailed GPU information can be exploited to create a persistent fingerprint of the user's device, even if other privacy measures are in place (e.g., clearing cookies or using VPNs). This persistent fingerprint can undermine the user's anonymity, making them susceptible to tracking across different sessions and websites.

Steps to Reproduce:
Open the provided PoC HTML file in Firefox.
Click the "Show GPU Information" button.
Observe the GPU vendor and renderer details displayed on the webpage.
Recommended Fix:
To mitigate this issue, it is recommended to restrict access to detailed GPU information through the WebGL API by either:

Disabling the WEBGL_debug_renderer_info extension by default.
Masking or generalizing the output provided by this extension to reduce the specificity of the information exposed.
References:
Similar vulnerabilities in Chromium-based browsers have been addressed by limiting the granularity of GPU information accessible through WebGL.

Flags: sec-bounty?
Duplicate of this bug: 1916272
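As an added example (not part of the report above or of Firefox's own code), a sketch of the second recommended fix: collapsing the UNMASKED_VENDOR_WEBGL / UNMASKED_RENDERER_WEBGL strings to a coarse vendor family so model numbers, driver versions and backend details are no longer exposed. The family patterns, the `leaksDetail` heuristic and the sample strings are constructed for this example.

```javascript
// Added example: "mask or generalize" the WEBGL_debug_renderer_info output.
// Vendor-family patterns are an assumption for this example, not Firefox's logic.
const VENDOR_FAMILIES = [
  { family: 'NVIDIA',   pattern: /nvidia|geforce|quadro/i },
  { family: 'AMD',      pattern: /\bamd\b|radeon|\bati\b/i },
  { family: 'Intel',    pattern: /intel|\biris\b|uhd graphics/i },
  { family: 'Apple',    pattern: /apple/i },
  { family: 'Qualcomm', pattern: /qualcomm|adreno/i },
  { family: 'ARM',      pattern: /\barm\b|mali-/i },
];

// Collapse a vendor/renderer pair to a family name; anything unrecognised becomes 'Generic'.
function generalizeGpu(vendor, renderer) {
  const haystack = `${vendor} ${renderer}`;
  const hit = VENDOR_FAMILIES.find(({ pattern }) => pattern.test(haystack));
  return hit ? hit.family : 'Generic';
}

// Heuristic check for the high-entropy detail the report objects to:
// a dotted driver version, a model number, or a rendering-backend description.
function leaksDetail(s) {
  return /\d+\.\d+\.\d+/.test(s)
    || /\b(?:RTX|GTX|RX|Iris|UHD|Radeon|Adreno|Mali|Graphics)\s*-?\s*\d+/i.test(s)
    || /ANGLE|Direct3D|D3D11|Metal|OpenGL|Vulkan/i.test(s);
}

// Browser-side use: given a WebGL context, return only the generalized family.
// Returns 'Generic' when the extension is absent (as with privacy.resistfingerprinting).
function maskedGpuInfo(gl) {
  const ext = gl && gl.getExtension('WEBGL_debug_renderer_info');
  if (!ext) return 'Generic';
  return generalizeGpu(gl.getParameter(ext.UNMASKED_VENDOR_WEBGL),
                       gl.getParameter(ext.UNMASKED_RENDERER_WEBGL));
}

// Constructed sample strings in the shape the extension returns; not captured from a real device.
const SAMPLES = [
  ['Google Inc. (NVIDIA)', 'ANGLE (NVIDIA, NVIDIA GeForce RTX 3080 Direct3D11 vs_5_0 ps_5_0, D3D11-31.0.15.3179)'],
  ['Intel Inc.', 'Intel(R) Iris(TM) Plus Graphics 640'],
  ['Mesa', 'llvmpipe (LLVM 15.0.7, 256 bits)'],
];

// Run every sample through the mask and report whether detail survived.
function maskSamples(samples = SAMPLES) {
  return samples.map(([vendor, renderer]) => {
    const after = generalizeGpu(vendor, renderer);
    return { before: renderer, leakedBefore: leaksDetail(renderer), after, leakedAfter: leaksDetail(after) };
  });
}
```

Under this scheme every sample above still reveals a vendor family, which is the trade-off the report's "generalizing" option implies; the first option (disabling the extension) is what the `!ext` branch models.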

We must have this on file somewhere as an issue, given we disable it when you enable privacy.resistfingerprinting and https://browserleaks.com/webgl has been around forever. But I can't find a bug that aims to do anything about this in normal browsing mode.

Given browserleaks, we don't need to keep this hidden.

Group: firefox-core-security
Component: Security → Graphics: CanvasWebGL
Product: Firefox → Core

The privacy.resistfingerprinting change was bug 1337157

Keywords: privacy
Whiteboard: [client-bounty-form] → [client-bounty-form][fingerprinting]
Flags: sec-bounty? → sec-bounty-
See Also: → 1715690

Kelsey, can you comment on this bug?

Flags: needinfo?(jgilbert)
Blocks: gfx-triage

Is this confirmed?

No, this is not confirmed.

No longer blocks: gfx-triage