Last Comment Bug 655367 - fingerprinting installed apps through a timing attack using moz-icon: and WebGL
: fingerprinting installed apps through a timing attack using moz-icon: and WebGL
: privacy, sec-low
Product: Core
Classification: Components
Component: Security (show other bugs)
: unspecified
: x86 All
-- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: David Keeler [:keeler] (use needinfo?)
Depends on: CVE-2011-2366
  Show dependency treegraph
Reported: 2011-05-06 14:14 PDT by Daniel Veditz [:dveditz]
Modified: 2016-10-26 13:41 PDT (History)
8 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

PoC (zipped) (9.52 KB, application/java-archive)
2011-05-06 14:14 PDT, Daniel Veditz [:dveditz]
no flags Details

Description User image Daniel Veditz [:dveditz] 2011-05-06 14:14:48 PDT
Created attachment 530737 [details]
PoC (zipped)

Michael Jordon of Contextis reports that users can be fingerprinted through their installed applications using a timing attack based on moz-icon: and WebGL.

Warning: this testcase may result in a crash on Windows (bug 655364)
Comment 1 User image Benoit Jacob [:bjacob] (mostly away) 2011-05-06 14:28:59 PDT
Will look ASAP... but it's Friday 5:30 pm here.
Comment 2 User image Daniel Veditz [:dveditz] 2011-05-10 13:44:43 PDT
I assume if we fix the generic cross-origin issue in bug 655987 then access to moz-icon: images should be blocked as a matter of course.
Comment 3 User image Josh Aas 2012-03-07 13:22:09 PST
Now that bug 655987 is fixed this doesn't work any more (I checked with bjacob and tested locally). PoC is already public other places.

Note You need to log in before you can comment on or make changes to this bug.