[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #30392 [Applications/Tor Browser]: CSS features allow real-time tracking
#30392: CSS features allow real-time tracking
------------------------------+------------------------------------------
Reporter: davywtf | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Component: Applications/Tor Browser
Version: Tor: unspecified | Severity: Normal
Keywords: css | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+------------------------------------------
CSS features like :hover, :focus, and [value] queries in combination with
background image changes allow for the collection of nearly every action a
visitor makes on a web page in real-time without JavaScript. Aside from
the obvious creep factor this could be used to fingerprint visitors. The
attack can be implemented in third party CSS (CSS-XSS).
Proof of Concept: https://twitter.com/davywtf/status/1124146339259002881
Code for proof:
https://gist.github.com/wybiral/c8f46fdf1fc558d631b55de3a0267771
Beyond simply fingerprinting based on browsing behavior an attacker could
also determine the referring page based on the mouse position at page
load.
Solutions to fix the problem would break some aesthetic functionality
(i.e. no more :hover image changes) but at that cost it would be trivial
to prevent.
Ideally we could eliminate all types of asset requests (e.g. image
changes) in all types of pseudo-class selectors or prefetch all asset
requests on page load. But that proposal sounds bigger than Tor Browser.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30392>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs