Bug 655367 - fingerprinting installed apps through a timing attack using moz-icon: and WebGL
: privacy
Product: Core
Classification: Components
Component: Security
: unspecified
: x86 All
: -- normal
: ---
Assigned To: Nobody; OK to take it and work on it
: David Keeler [:keeler] (use needinfo?)
Depends on: CVE-2011-2366
Reported: 2011-05-06 14:14 PDT by Daniel Veditz [:dveditz]
Modified: 2012-03-07 13:22 PST

PoC (zipped) (9.52 KB, application/java-archive)
2011-05-06 14:14 PDT, Daniel Veditz [:dveditz]

Description Daniel Veditz [:dveditz] 2011-05-06 14:14:48 PDT
Created attachment 530737
PoC (zipped)

Michael Jordon of Contextis reports that users can be fingerprinted through their installed applications using a timing attack based on moz-icon: and WebGL.

Warning: this testcase may result in a crash on Windows (bug 655364)
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2011-05-06 14:28:59 PDT
Will look ASAP... but it's Friday 5:30 pm here.
Comment 2 Daniel Veditz [:dveditz] 2011-05-10 13:44:43 PDT
I assume if we fix the generic cross-origin issue in bug 655987 then access to moz-icon: images should be blocked as a matter of course.
Comment 3 Josh Aas 2012-03-07 13:22:09 PST
Now that bug 655987 is fixed this doesn't work any more (I checked with bjacob and tested locally). PoC is already public other places.
