[HN Gopher] Vulnerability allows cross-browser tracking in Chrom...
___________________________________________________________________
Vulnerability allows cross-browser tracking in Chrome, Firefox,
Safari, and Tor
Author : danpinto
Score : 180 points
Date : 2021-05-13 18:59 UTC (4 hours ago)
(HTM) web link (fingerprintjs.com)
(TXT) w3m dump (fingerprintjs.com)
| Operyl wrote:
| It's not detecting many of the supported applications on my Mac
| in Safari.
| kdarutkin wrote:
| The exploit was tested in Safari 14.0.3 and 14.1 on MacBook M1
| and MacBook Pro. What version do you have?
| dzhiurgis wrote:
| It did for me and compared with Chrome identified everything to
| the same identifier.
| asddubs wrote:
| On my Firefox (Linux) it seems to think I have everything
| installed for some reason. Worked on Tor Browser though
| Ansil849 wrote:
| Visiting the demo website in Tor Browser (using the 'Safest'
| setting), the demo site displays this notice:
|
| > If you're seeing this message, that means JavaScript has been
| disabled on your browser, please enable JS to make this app work.
|
| Does this mean that the vulnerability does not work in Tor
| Browser in Safest mode? Or are there non-JS implementations of
| this vulnerability that would work in a browser with JS disabled?
| adontz wrote:
| Results differ wildly between browsers and even between runs
| within the same browser. It detects application I do not have
| installed and does not detect applications I do have installed.
| For instance it detects iTunes, XCode and Sketch, but they are
| Mac-only applications and I am on Windows.
|
| Honestly, I believe it does not work at all.
| valve1 wrote:
| Thanks for testing it on Windows. We mostly tested it on MacOS
| Big Sur because all devs on the team have that OS. With Windows
| different timings might be needed, we'll check into it
| tomorrow.
| mcpherrinm wrote:
| On my Windows/Firefox computer, it appears to have correctly
| identified which 6 of the applications I have installed.
| Jap2-0 wrote:
| On Firefox on Windows (same results on Edge) it detected three
| programs I do have installed, and one I do not, and failed to
| detect one I do have installed. There was a moderately noticeable
| small window in the bottom right of the screen in both.
|
| That said, at least for tracking consistency is more important
| than accuracy.
| nimbius wrote:
| >By opening a popup window with a custom URL scheme and checking
| if its document is available from JavaScript code, you can detect
| if the application is installed on the device.
|
| in FF, unless I'm mistaken, this assumes the user clicks anything
| except cancel on the popup. Bug for reference and comment:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1711084
|
| further from the github:
|
| > the basic concept is the same. It works by asking the browser
| to show a confirmation dialog in a popup window. Then the
| JavaScript code can detect if a popup has just been opened and
| detect the presence of an application based on that.
|
| so...we seem to be relying on the honor system with the user? Can
| anyone clarify?
| dathinab wrote:
| Basically browsers have the "I open a popup to ask" or "the
| user has no schema handler for that schema so I don't need to
| ask" or the "User already confirmed it always should open the
| link with given application" behaviour and they can detect it
| "somehow"?
|
| But I still have to look closer into it.
| valve1 wrote:
| Browsers open pop-ups to ask "Can I run that application?"
| but only if that application is installed. If that
| application is not installed, the browser will ignore the
| custom URL.
| kdarutkin wrote:
| Hi, nimbius.
|
| I'm the article author, can you please clarify your question?
|
| The demo will not work without a popup window in Chrome,
| Firefox and Safari. The "Get My Identifier" button is needed in
| order to have a single user gesture to open an additional
| window.
|
| However the Tor Browser demo works silently without any
| additional window.
| tacticalmook wrote:
| > It works by asking the browser to show a confirmation dialog
| in a popup window. Then the JavaScript code can detect if a
| popup has just been opened and detect the presence of an
| application based on that.
|
| > ...
|
| > Tor Browser has confirmation dialogs disabled entirely as a
| privacy feature, which, ironically, exposed a more damaging
| vulnerability for this particular exploit. Nothing is shown
| while the exploit runs in the background, contrasting with
| other browsers that show pop-ups during the process.
| chmod775 wrote:
| > in FF, unless im mistaken this assumes the user clicks
| anything except cancel on the popup. bug for reference and
| comment.
|
| I'm on Firefox and didn't have to click anything. It correctly
| detected I have Steam installed.
|
| The flashing popup window was quite obvious though.
| butz wrote:
| Test doesn't work when localStorage is disabled in browser.
| skykooler wrote:
| Interestingly, custom URL handlers seem to stick around even
| after the app associated with them has been uninstalled. For
| example, this detected Messenger's URL handler although I
| uninstalled it a year ago.
| rkagerer wrote:
| Not the least bit surprised. I use Total Uninstall and almost
| every app leaves bits behind.
|
| I've complained to many vendors and sent technical details of
| missed registry keys, files, etc. Sometimes they even fix it.
| But on the whole, Uninstall on Windows is a bit of a myth.
| difosfor wrote:
| How unique are these ids really? I imagine certain apps will be
| very commonly installed as well as certain groups of apps? So
| it's not 32 bits of information. Still more information to add to
| the fingerprinting pile..
|
| I wish we could find a way to deal with this risk that's not
| simply disabling all kinds of functionality. Browser APIs seem to
| be suffering more and more from limitations to prevent
| fingerprinting.
| Sebb767 wrote:
| > How unique are these ids really? I imagine certain apps will
| be very commonly installed as well as certain groups of apps?
|
| Probably worse than you think. Zoom, Skype and Slack will be
| very common on work computers, while game launchers like Steam
| and Epic will work quite well on gaming PCs. You can
| differentiate further by checking the mixing of those groups
| and their relative music client (Spotify, iTunes...). Of course
| it won't be full 32 bits, but given the amount of quite common
| programs with URL handlers, it will probably deliver quite good
| results.
| taf2 wrote:
| Interesting but only works on desktop
| mwvr wrote:
| It somehow "detected" skype and discord as being installed on my
| OpenBSD machine with Firefox? Hahaha.
| seumars wrote:
| Fingerprinting and profiling in general just makes me not want to
| use the internet sometimes. I stopped using gmail at the very
| least. Maybe I should start using a VPN.
| wiiittttt wrote:
| I received different results in Firefox and Brave. Doesn't seem
| to be a reliable method for tracking.
| kdarutkin wrote:
| I'm the author.
|
| The accuracy can be low because of:
|
| - Custom browser settings or flags - The demo was designed for
| the default setup, but that doesn't mean your custom setup is not
| vulnerable.
|
| - Poorly performant hardware (including virtual machines) - Some
| timings are just hardcoded and were tested on the MacBook
| hardware.
|
| - Fullscreen mode - The demo will work faster and more accurate
| if the browser is not in a fullscreen mode
|
| - Slow internet connection
|
| - Gestures during the process
|
| Also, we haven't looked into Opera yet, but we may if you ask to
| do it.
|
| For the technical questions or bug reports consider using Github
| Issues
| adontz wrote:
| How come you happen to detect Xcode and Sketch on Windows?
| kdarutkin wrote:
| I also made a special branch for Chromium (Chrome, Brave, Edge,
| etc.) that works much slower, but should be more accurate.
|
| It still may not work for your browser with a custom
| configuration. Also, it is better not to make any gestures
| during the process.
|
| https://github.com/fingerprintjs/external-protocol-flooding/...
|
| https://609d9f4d79c4f6000700782c--boring-visvesvaraya-dbefd4...
| Otek wrote:
| Opera is now fully Chromium so it should be similar to others
| matsemann wrote:
| Interesting concept. Most fingerprinting I've seen so far has for
| instance used the GPU to detect small differences in rendering,
| but also based on browser. First cross-browser I've seen, barring
| the obvious stuff like IP or so.
|
| Hope this won't be a post where everyone that didn't get the same
| identifier have to proclaim it, though. We get it, it's not
| perfect. FWIW I got same in Edge & Fx and it claimed it was a
| unique combo (different ID in Chrome, though).
| conradev wrote:
| Finding new a fingerprinting mechanism in JavaScript is like
| finding a new memory corruption bug in the web browser engine.
|
| They are always going to exist for architectural reasons, some
| are worse than others, and the really bad ones are likely kept
| nice and secret while they are actively exploited. In other
| words, I'm not surprised in the slightest, but I'm glad that this
| is out in the open now.
| wnevets wrote:
| It thought I had Skype, Spotify and Slack installed. I only have
| Slack installed.
| valve1 wrote:
| Windows can sometimes say you have Skype, because it comes
| bundled even if you didn't install it yourself.
| wnevets wrote:
| I've explicitly uninstalled it on Windows 10, maybe Windows
| is still reporting it?
| tick_tock_tick wrote:
| Windows 10 does some garbage where it installs handlers for
| URL schemas that take you to the windows store install page
| for the app. The vulnerability is only testing if you have
| a handler installed for skype:// not what application is
| actually handling it.
| wnevets wrote:
| Windows 10 must be doing something weird. Skype url
| handlers aren't triggering the window stores or anything
| else from links.
|
| https://jsfiddle.net/ourcodeworld/aqq1w0qm/
| Forbo wrote:
| I appear to be getting false positives with a different
| identifier each time I run it. It says I have 3-4 different
| applications installed, none of which actually are on my system.
| Each subsequent run comes back with a different set of
| applications, and a different unique identifier. Looks like I may
| have beaten this method of fingerprinting, although I'm not quite
| sure how.
| tn1 wrote:
| I tried it on Opera and it detected no apps installed. (On Edge
| however, it detects all the ones I do indeed have installed).
|
| This is interesting since I didn't really expect Opera to care
| about this kind of thing.
| valve1 wrote:
| Thanks for testing this on Opera, we only tested on these
| browser/OS combinations:
| https://github.com/fingerprintjs/external-protocol-flooding#...
| bronzeage wrote:
| Looking at their product, I wonder how many of these kind of
| vulnerabilities are still open and exploited by them. Wouldn't
| make much sense for them to burn such a useful vulnerability
| which is required for their product unless they had something
| better.
| dathinab wrote:
| You can get a lot of entropy just by fingerprinting things sent
| over HTTP headers and things freely accessible by JS.
|
| E.g. user agent, screen dimensions, language, web GL, audio
| api, etc.
|
| Generally wrt. fingerprinting Chrome is worse than Firefox as
| Firefox actively worked to reduce fingerprint-ability if
| possible, while Chrome seems to not care much. Because of this
| ironically I have a less unique fingerprint on a customized
| Firefox browser than a "stock" Chrome browser even though much
| fewer people use Firefox...
|
| The reason (I think) why they make this public is because this
| can be used for more than "just" fingerprinting. I.e. this can
| be used by cyber attacks to find a potential attack vector to
| then pull off either a direct attack or some social engineering
| attack.
| harikb wrote:
| > DISCLAIMER: FingerprintJS does not use this vulnerability in
| our products and does not provide third-party tracking services
| grishka wrote:
| Interesting to see how their product is open source, too:
| https://github.com/fingerprintjs/fingerprintjs/
|
| It's as if they _want_ browser developers to look at the code
| and break it as much as possible.
| jraph wrote:
| On Linux:
|
| - in Firefox, it detected Epic Games Telegram Discord Battle.net
| Xcode NordVPN Sketch Teamviewer Microsoft Word WhatsApp Postman
| Adobe Messenger Figma Hotspot Shield ExpressVPN Notion iTunes,
| none of which I have installed. It didn't detect VSCode though I
| have VSCodium.
|
| - On Chromium, it warned it would not work well on Chrome on
| Linux. It incorrectly detected all the apps. It seems that the
| browser would try to open the links with xdg-open.
|
| Clever hack anyway!
| valve1 wrote:
| Thanks for testing it on Linux. We only tested it on these
| browser + OS combinations:
| https://github.com/fingerprintjs/external-protocol-flooding#...
| DistressedDrone wrote:
| Using Firefox on Linux, it detected all the apps (very few of
| which I have) except Skype (correct, I don't have it).
|
| Security through obscurity does it again!
| bryan_w wrote:
| Seems like this submission is a bit undercooked. It probably
| should have been submitted once they had some real world samples
| or at least gated it to their specific use case
| nanis wrote:
| Curious:
|
| > We have generated your identifier based on 1 applications you
| have installed. Skype
|
| Then it told me I am ninety-something percent unique...
|
| I find that odd because pretty much every Windows machine has
| Skype.
| tinus_hn wrote:
| You also have none of the other tested applications; I presume
| most of them have Word.
| SavannahJS wrote:
| (I work at FingerprintJS)
|
| You are likely relatively unique because you only have Skype
| installed, whereas a lot of visitors will have more
| applications out of the list. Someone who has no applications
| on the list installed may be even more unique, for example.
| johnvaluk wrote:
| This appears to depend on user interactivity. How would you
| silently (and accurately) use this technique to fingerprint a
| system for cross-browser tracking?
| valve1 wrote:
| On Tor we show a fake captcha on the demo, which allows us to
| collect multiple key presses and use each as a user-provided
| trigger.
| Ansil849 wrote:
| This is a really clever way to coerce interactivity!
| johnvaluk wrote:
| Does that bypass any alerts that would be presented to the
| user by the browser?
| shadowgovt wrote:
| It would be trickier, but it's not as hard as one might want to
| get a user to click in such a way that the protections in place
| against automated behaviors can be side-stepped.
|
| I'd bet good money that this trick would be useful for anyone
| running either a meme generator website or a file host, for
| example. It'd be pretty solid in the file host in particular,
| because you could hide some of the obvious weird behavior
| behind the "We're downloading your file" delay.
| kjrose wrote:
| As a note, this doesn't seem to work with Brave. It only got one
| of the applications my machine has installed, and I don't have a
| slow machine nor a slow internet where I am.
|
| I'm a bit surprised it got even one of them though. I will need
| to review my Brave privacy settings and see if anything can be
| done.
| pier25 wrote:
| I just tried it with the latest version of Brave and it found:
| Skype, Zoom, VSCode, Adobe, and iTunes.
|
| This only checks 24 apps, and it got all the ones I have
| installed out of those 24.
| jedberg wrote:
| Did it on Chrome, Firefox, and Safari and got the same code on
| all three. In all three it failed to detect some apps, but the
| same ones failed each time.
|
| When I did it in Safari it actually caused Apple Music to open.
| When I did it in Chrome it popped up a small square window where
| I could see it doing its thing.
|
| Firefox was the only one where it was silent.
|
| But still, that's an interesting hack. Very clever.
| cdubzzz wrote:
| > When I did it in Chrome it popped up a small square window
| where I could see it doing its thing.
|
| Interesting. In my case I saw the little pop up window in all
| three browsers. Otherwise same results though.
| gruez wrote:
| This seems wildly inaccurate for me. On firefox with
| resistfingerprinting it says I have 23 of the 24 applications
| installed (I don't, that's more incorrect than correct), and on
| tor browser it says 0 applications installed (also incorrect, I
| have a few installed).
| viseztrance wrote:
| Strange. I have resist fingerprinting as well (running on
| fedora), and it correctly detected all 5 apps I had installed
| from the list.
| burk96 wrote:
| Worked perfectly on Firefox 88.0.1 on Windows. Great to know
| despite my efforts to balance privacy and anonymity, there is
| another metric that I'm unique in. Fingerprinting is just
| insidious.
| sneak wrote:
| Browsing in a VM is really one of the only safe ways to go on
| the modern web for privacy. So many sites break without JS, and
| having it enabled is an accident waiting to happen.
|
| When you need privacy, always browse in a VM or a Tails boot.
| chithanh wrote:
| Even in a VM you have to carefully ensure that memory
| deduplication is disabled, and/or some form of mitigation
| against Rowhammer is in place. Else you will be vulnerable to
| Flip Feng Shui cross-VM attacks.
|
| https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events...
| Dah00n wrote:
| This won't work against fingerprinting unless you change the
| underlying hardware and / or external IP too when starting a
| new VM. If you don't have a unique external IP per VM you
| might as well not bother. It is like trying to hide from the
| police by changing clothes and cutting your hair but still
| holding the same huge sign with your name and address in your
| hands.
| sneak wrote:
| The use of Tor or a public VPN (i.e. many hundreds of
| unrelated users sharing a single public IP) is implicit.
| hirsin wrote:
| My searching is failing, but I believe a similar scheme was
| uncovered in a popular app using a 'strings' equivalent. It would
| run through intents on iOS and Android to figure out what was
| installed. Interesting to see if on the web too!
| harikb wrote:
| > Profiling based on installed apps
|
| > most browsers have safety mechanisms in place designed to
| prevent such exploits. Weaknesses in these safety mechanisms are
| what makes this vulnerability possible.
|
| > By specification, extensions need to be able to open custom
| URLs, such as mailto: links, without confirmation dialogs. The
| scheme flood protection conflicts with extension policies so
| there is a loophole that resets this flag every time any
| extension is triggered
|
| If true, this sounds like a worse revelation than the exploit itself.
| Disabling a flag temporarily sounds bad, regardless of whether a
| vulnerability exists.
| 1vuio0pswjnm7 wrote:
| My browser does not support Javascript. :(
|
| Are there any plans to add support for clients that cannot run
| Javascript?
| antpls wrote:
| Could be alleviated by creating yet another permission at the
| browser level : "allow to link to local applications"
| kofejnik wrote:
| Confirmed - my ID matched in Chrome and Safari, but Firefox just
| said 24 of 24 and gave a different ID. Firefox wins again!
| rozab wrote:
| Does this actually work correctly for anyone? Got wrong results
| for Firefox and Chrome on Linux (it warns that Chrome probably
| won't work).
|
| I glanced through the source[0] and my about:config and I noticed
| I have the dom.block_external_protocol_in_iframes setting
| enabled. Looks like this could be the mechanism they use? I don't
| remember enabling it manually.
|
| Otherwise, it could be my tiling window manager messing with
| detection.
|
| [0]: https://github.com/fingerprintjs/external-protocol-flooding/...
| kurthr wrote:
| I find it interesting that it shows I have Skype installed...
| when I don't.
| shadowgovt wrote:
| Do you remember ever having Skype installed? Sibling comments
| suggest that some apps don't properly clean up their URL
| handlers when uninstalled.
| Guest81 wrote:
| worked for me on firefox and tor.
| eulers_secret wrote:
| Worked for me on FF 88.0/Kubuntu 21.04. Detected the 2 apps I
| have installed correctly. I was also unique.
| jedberg wrote:
| It seems that it's not very effective in Linux.
| valve1 wrote:
| Yeah, we tested it on MacOS Big Sur mostly. Nobody on the
| team had linux so we didn't really test there. It can be made
| to work with better timings for the measurements etc.
| kdarutkin wrote:
| Any custom settings may affect the result. However default
| settings will work for the Firefox 88.0.1. Was tested on
| Windows, Safari and Linux.
|
| Chrome does not work on Ubuntu, since it opens everything with
| xdg-open and creates a confirmation dialog for both installed and
| not-installed applications
| jowsie wrote:
| I ran this in Chrome and then in Edge and got different
| identifiers.
| kdarutkin wrote:
| Chromium results may be flaky on slow internet or because of
| less performant hardware (such as Virtual Machines).
|
| I've updated the demo for Chromium and made it work slower, in
| order to increase accuracy.
| anon776 wrote:
| Anyone try this with tails/tor? how unique were they?
| buggeryorkshire wrote:
| I've no idea whether it works, but they misidentified many apps I
| don't have installed (Postman, Express VPN, Notion, Figma,
| Hotspot Shield)
|
| It does do the popup for VSCode asking if I want to open links
| there, which I do have installed.
| yjftsjthsd-h wrote:
| Yeah, it gave me quite a list of programs, including xcode and
| itunes, which is _fascinating_ on a Linux box... they list 20
| programs they think I have installed, of which I actually have
| 2. I'm not sure _why_ it would be so inaccurate, but I feel
| better...
| nolok wrote:
| > I'm not sure why it would be so inaccurate, but I feel
| better...
|
| I don't think you understood the core of the issue: it's not
| about identifying which applications you have installed, it's
| about always getting the same result for the same user. If
| all your browsers serve the same results, you are trackable,
| no matter if those results are good or not.
| filmfact wrote:
| I think the implication is that this is far fewer bits of
| entropy than the authors indicate. Four bits (in
| isolation) are not a meaningful identifier.
| nolok wrote:
| It's not four; the fact that the other applications are
| reliably detected as not present adds additional bits.
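An added illustration of the entropy question raised by difosfor above (and of Sebb767's and nolok's replies that common apps and reliable absences both count); this is not code from the article or the demo repository. The prevalence figures and the visitor population are constructed for the example, and the first two functions assume the apps are independent, which real app groups (office suites, game launchers) are not.

```python
import math
from collections import Counter

# Constructed example values: a few apps from the demo's list, each with a
# made-up share of visitors whose browser has that app's URL handler.
PREVALENCE = {
    "Skype": 0.85,    # bundled with Windows, so present on most machines
    "Zoom": 0.60,
    "Spotify": 0.50,
    "Slack": 0.40,
    "Steam": 0.35,
    "Xcode": 0.10,
}

# Constructed visitor population: each entry is one visitor's detected set.
POPULATION = [
    frozenset({"Skype", "Zoom", "Spotify"}),
    frozenset({"Skype", "Zoom", "Slack", "Spotify"}),
    frozenset({"Skype", "Zoom", "Spotify"}),
    frozenset({"Skype", "Steam", "Spotify"}),
    frozenset({"Skype"}),
    frozenset({"Skype", "Zoom", "Spotify"}),
    frozenset({"Zoom", "Slack", "Xcode"}),
    frozenset({"Skype", "Steam"}),
]


def surprisal_bits(present, prevalence=PREVALENCE):
    """Identifying information in one presence/absence vector, in bits,
    treating apps as independent. Absences count too: not having a very
    common app is itself a rare, hence informative, observation."""
    bits = 0.0
    for app, p in prevalence.items():
        q = p if app in present else 1.0 - p
        bits += -math.log2(q)
    return bits


def expected_bits(prevalence=PREVALENCE):
    """Average bits per visitor (Shannon entropy) under independence.
    This reaches one bit per app only when every app sits at 50%
    prevalence, which is why probing 24 apps yields well under 24 bits."""
    h = 0.0
    for p in prevalence.values():
        for q in (p, 1.0 - p):
            if q > 0.0:
                h -= q * math.log2(q)
    return h


def anonymity_set_size(vector, population=POPULATION):
    """Empirical check that needs no independence assumption: how many
    visitors share exactly this vector. A size of 1 means the vector
    alone singles the visitor out within this population."""
    return sum(1 for v in population if v == frozenset(vector))


def empirical_bits(population=POPULATION):
    """Entropy of the observed vector distribution; correlated apps pull
    this below expected_bits(), so the independence figure is an upper bound."""
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in Counter(population).values())


if __name__ == "__main__":
    skype_only = {"Skype"}
    common = {"Skype", "Zoom", "Spotify"}
    print(f"Skype only: {surprisal_bits(skype_only):.2f} bits, "
          f"shared with {anonymity_set_size(skype_only)} visitor(s)")
    print(f"Common trio: {surprisal_bits(common):.2f} bits, "
          f"shared with {anonymity_set_size(common)} visitor(s)")
    print(f"Expected per visitor: {expected_bits():.2f} of "
          f"{len(PREVALENCE)} possible bits; observed {empirical_bits():.2f}")
```

With these constructed numbers the Skype-only visitor, as SavannahJS notes below, is more identifiable (about 4.1 bits, alone in the population) than someone with the common trio (about 3.5 bits, shared with two others).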
| dathinab wrote:
| I guess (and just that), that this can happen if there are
| overlaps in the scheme handlers.
|
| I.e. there are some schemas which, let's say, XCode handles but
| which also some other program handles.
| buggeryorkshire wrote:
| Yeah makes sense if it's the schema handlers. I'd just not be
| as assertive if I was them that something was installed if
| there was overlap.
| dathinab wrote:
| It also doesn't work at all under Chromium for Linux no
| idea why but the result is complete garbage.
| valve1 wrote:
| yeah, chrome/chromium on linux not tested at all, mostly
| because nobody on the team is using linux. We tested it
| on MacOS Big Sur and a bit of Windows. Full table of what
| was tested here:
| https://github.com/fingerprintjs/external-protocol-flooding#...
| agilob wrote:
| Tried Chrome, Brave and Firefox, got 3 different IDs.
|
| On one of the browsers it also didn't detect slack and vscode
| being installed.
| dathinab wrote:
| > didn't detect slack and vscode being installed.
|
| Is it your main browser, in which you had used Slack URLs / set
| Slack to always handle the links?
|
| Or is it the opposite?
|
| Or maybe something else?
| kdarutkin wrote:
| Hi, agilob. I've updated the demo for Chromium and made it work
| slower, in order to increase accuracy. See also
| https://news.ycombinator.com/item?id=27147325
| akersten wrote:
| I'm going to close a website as soon as I get an unprompted popup
| that says "Firefox is trying to open Slack."
|
| It's clever but somewhat obvious (in both a to-the-user-that-it's-
| happening and a "well of course it's possible" sense).
|
| So it's cute, but not practical, and I won't lose sleep over it.
| I'll probably be more inconvenienced by the mitigations that will
| surely result that make it that much more painful to actually
| launch a URL scheme, sadly
|
| I've actually never checked the "Always open Slack for slack://
| links" or similar checkboxes, precisely out of predicting
| shenanigans like this would happen eventually :)
|
| I wouldn't be too offended if browsers changed the way they
| handle schemes: always open a "how would you like to handle this
| link" dialog for any protocol (even if unhandled - like how
| Windows shows the "how would you like to open this file" dialog),
| to disguise whether the protocol is handled or not. Not sure I
| have the answer for user convenience though if someone is used to
| things automatically opening. That's the "inconvenience" aspect
| of any potential mitigation.
| edoceo wrote:
| Only one right answer on my machine - that's ~5% accurate.
|
| Linux/Chrome
| bryanrasmussen wrote:
| This seems less promising as a means to uniquely identify users
| than supercookies, Time-Based Device Fingerprinting, or other
| hardware based methods.
| butz wrote:
| At least 9 of those programs could be "installed to desktop" on
| supported Chromium based browsers. That not only lowers your
| fingerprint in this particular vulnerability, but also saves
| quite a bit of disk space.
| Isthatablackgsd wrote:
| It seems that Vivaldi has better protection against this than the
| rest. Running in Vivaldi will cause the demo to slow to a crawl
| because I think it was trying to find the apps. It detected all
| of the apps but it failed to appear in the detected list. MacOS
| Big Sur Apple Silicon if you are wondering
| elmo2you wrote:
| Aside from profiling, can these custom URL handlers also be used
| as an attack vector on other installed applications?
|
| That is, assuming any of those happens to be installed and has an
| (input sanitation related) vulnerability.
|
| Maybe I'm just seeing ghosts here. But the idea of a web site
| pushing malicious links to whatever software may also be
| installed on the same machine, isn't a very comforting thought.
___________________________________________________________________
(page generated 2021-05-13 23:00 UTC)