fingerprinting installed apps through a timing attack using moz-icon: and WebGL

RESOLVED FIXED

Status

Core
Security
RESOLVED FIXED
6 years ago
5 months ago

People

(Reporter: dveditz, Unassigned)

Tracking

({privacy, sec-low})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fingerprinting])

Attachments

(1 attachment)

9.52 KB, application/java-archive
(Reporter)

Description

6 years ago
Created attachment 530737 [details]
PoC (zipped)

Michael Jordon of Contextis reports that users can be fingerprinted through their installed applications using a timing attack based on moz-icon: and WebGL.

Warning: this testcase may result in a crash on Windows (bug 655364)
Will look ASAP... but it's Friday 5:30 pm here.
(Reporter)

Comment 2

6 years ago
I assume if we fix the generic cross-origin issue in bug 655987 then access to moz-icon: images should be blocked as a matter of course.
Depends on: 655987

Comment 3

5 years ago
Now that bug 655987 is fixed this doesn't work any more (I checked with bjacob and tested locally). PoC is already public in other places.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Updated

5 months ago
Keywords: sec-low
Whiteboard: [sg:low] → [fingerprinting]