Gecko reveals more GPU Hardware Information than Webkit/chromium
Categories
(Core :: Graphics: CanvasWebGL, defect)
People
(Reporter: fazim.pentester, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [client-bounty-form][fingerprinting])
Attachments
(2 files)
Using the proof of concept below, the Firefox browser may unintentionally leak a user's GPU information when visiting a site.
Steps to reproduce:
- Download gpu-leak.html.
- Visit the gpu-leak.html page on the latest Firefox browser.
- Observe that the user's GPU information is displayed on the visited site.
Comment 1•1 year ago
Comment 2•1 year ago
Looks like these are canvas WebGL parameters. Tom, maybe this is a known issue?
Comment 3•1 year ago
We mask the renderer string; the details provided do not actually correspond directly to the user's hardware, they are merely indicative. Therefore this bug is INVALID. However, I am curious about Chrome's behavior and not reporting any information at all...
Comment 4•1 year ago
Specifically the code is here: https://searchfox.org/mozilla-central/source/dom/canvas/SanitizeRenderer.cpp#27
Comment 5•1 year ago
We sanitize, while they hardcode it completely: GL_RENDERER and GL_VENDOR from Blink.
Comment 7•11 months ago
I also want to note that we also spoof unmasked values too. For example, running the following code

```js
// Create an off-screen canvas and get a WebGL context from it.
const canvas = document.createElement("canvas");
const gl = canvas.getContext("webgl");
// The debug extension exposes the "unmasked" vendor and renderer strings.
const debugInfo = gl.getExtension("WEBGL_debug_renderer_info");
const vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
const renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
console.log(vendor);
console.log(renderer);
```

Produces the following on Firefox
> Apple
> Apple M1, or similar
Produces the following on Chrome
> Google Inc. (Apple)
> ANGLE (Apple, ANGLE Metal Renderer: Apple M3 Pro, Unspecified Version)
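
The sanitizing approach discussed in this thread (report a coarse bucket instead of the real renderer string), as an added JavaScript example that is not part of the original comments and is not the logic in Firefox's SanitizeRenderer.cpp. The bucket table, the fallback label and every label other than "Apple M1, or similar" are hypothetical, and the sample strings other than the Chrome output above are constructed.

```javascript
// Added example: bucket a raw WebGL renderer string into a coarse label so
// that many distinct GPUs report the same value. The rules below are
// illustrative assumptions, not the rules in SanitizeRenderer.cpp.

// Extract the device name from an ANGLE-style string such as
// "ANGLE (Apple, ANGLE Metal Renderer: Apple M3 Pro, Unspecified Version)".
// Non-ANGLE strings are returned trimmed and otherwise unchanged.
function extractDevice(raw) {
  const m = /^ANGLE \((.*)\)$/.exec(raw.trim());
  if (!m) return raw.trim();
  const parts = m[1].split(",").map((s) => s.trim());
  // Assumed layout: vendor, device, driver/version.
  const device = parts.length >= 2 ? parts[1] : parts[0];
  // Drop a backend prefix like "ANGLE Metal Renderer: ".
  return device.replace(/^ANGLE .*?Renderer:\s*/, "");
}

// Hypothetical bucket table: the first matching pattern wins.
const BUCKETS = [
  { pattern: /^Apple M\d+/i, label: "Apple M1, or similar" },
  { pattern: /GeForce|NVIDIA/i, label: "Generic NVIDIA, or similar" },
  { pattern: /Radeon|AMD/i, label: "Generic AMD, or similar" },
  { pattern: /Intel/i, label: "Generic Intel, or similar" },
];

// Fail closed: anything unrecognized collapses to one fixed label rather
// than passing the raw string through to the page.
function sanitizeRenderer(raw) {
  if (typeof raw !== "string" || raw.length === 0) return "Generic Renderer";
  const device = extractDevice(raw);
  const hit = BUCKETS.find((b) => b.pattern.test(device));
  return hit ? hit.label : "Generic Renderer";
}

// Constructed sample inputs; the first is the Chrome output quoted above.
const samples = [
  "ANGLE (Apple, ANGLE Metal Renderer: Apple M3 Pro, Unspecified Version)",
  "Apple M2 Max",
  "ANGLE (NVIDIA, NVIDIA GeForce RTX 3080 Direct3D11 vs_5_0 ps_5_0, D3D11)",
  "SomeVendor SecretChip rev 7 build 1234",
];
for (const s of samples) console.log(JSON.stringify(s), "->", sanitizeRenderer(s));
```

The property to check in a sanitizer like this is the fallback: an unknown string has to map to a fixed label, because passing it through unchanged would make rare hardware the most identifiable.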