[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] bug



On 9/12/2016 9:41 AM, xuzixatem@xxxxxxxxxxxxx wrote:
https://www.browserleaks.com/firefox

it can be used for both fingerprinting (different users use different OS setups or different Tor versions) and exploiting software vulnerabilities because when attacker don’t know your OS or browser version they don’t know what payload can do the thing that if be used incorrectly will show a download warning that compromises their valuable malware to citizenlab like groups.
Using TBB, I looked at the link - browserleak.com/firefox - with JS disabled. The code that supposedly detects values in firefox.js giving away the OS.

10. var el = document.createElement("script");
11.      el.type = "text/javascript";
12.      el.onload = load;
13.      el.onerror = err;
14. document.head.appendChild(el);
15.      el.src = "resource:///defaults/preferences/firefox.js";
16. }
17.

18. var pref,
19.      sticky_pref,
20.      os;
21.

22. pref = sticky_pref = function(key, val) {
23. if (!os)
24. if (key == "browser.gesture.pinch.out" && val == "cmd_fullZoomEnlarge")
25.              os = "Windows";
26. else if (key == "browser.backspace_action" && val == "2")
27.              os = "Linux";
28. else if (key == "browser.gesture.pinch.threshold" && val == "150")
29.              os = "Mac";
30. var include = function(load, err) {
31. }
32.

33. include(function() {
34. console.log( "OS: " + (os ? os : "unknown") );
35. },function() {
36. console.log( "OS: n/a (not a Firefox)" );
37. });
38. </script>


The prefs & values the code is querying appears in about:config, as would many firefox.js settings.

Question for devs / Firefox experts: many prefs are reported to sites so they can display content, but are they allowed to access every setting in about:config - default or user set?
This can't be correct.  That would make users very unique.

Is this bug somehow supposed to allow only querying firefox.js values & no other files? Why is that? If allowed access to firefox.js, why not all firefox files?








--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk