Last Comment Bug 655367 - fingerprinting installed apps through a timing attack using moz-icon: and WebGL
: fingerprinting installed apps through a timing attack using moz-icon: and WebGL
Status: RESOLVED FIXED
[fingerprinting]
: privacy, sec-low
Product: Core
Classification: Components
Component: Security (show other bugs)
: unspecified
: x86 All
: -- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
: David Keeler [:keeler] (use needinfo?)
Mentors:
Depends on: CVE-2011-2366
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-06 14:14 PDT by Daniel Veditz [:dveditz]
Modified: 2016-10-26 13:41 PDT (History)
8 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
PoC (zipped) (9.52 KB, application/java-archive)
2011-05-06 14:14 PDT, Daniel Veditz [:dveditz]
no flags Details

Description Daniel Veditz [:dveditz] 2011-05-06 14:14:48 PDT
Created attachment 530737 [details]
PoC (zipped)

Michael Jordon of Contextis reports that users can be fingerprinted through their installed applications using a timing attack based on moz-icon: and WebGL.

Warning: this testcase may result in a crash on Windows (bug 655364)
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2011-05-06 14:28:59 PDT
Will look ASAP... but it's Friday 5:30 pm here.
Comment 2 Daniel Veditz [:dveditz] 2011-05-10 13:44:43 PDT
I assume if we fix the generic cross-origin issue in bug 655987 then access to moz-icon: images should be blocked as a matter of course.
Comment 3 Josh Aas 2012-03-07 13:22:09 PST
Now that bug 655987 is fixed this doesn't work any more (I checked with bjacob and tested locally). PoC is already public other places.

Note You need to log in before you can comment on or make changes to this bug.