[HN Gopher] Barclays using TeamViewer font to warn customers
___________________________________________________________________
Barclays using TeamViewer font to warn customers
Author : dom96
Score : 208 points
Date : 2022-11-22 17:08 UTC (5 hours ago)
(HTM) web link (old.reddit.com)
(TXT) w3m dump (old.reddit.com)
| solarkraft wrote:
| I first heard of this trick many years ago. Why is it still
| possible to do this?
| chrsstrm wrote:
| Fingerprinting by detecting installed fonts is certainly
| interesting, esp since it could be used by both offense and
| defense. Digging in deeper, I'm wondering if it would be possible
| to craft a font that consists of JavaScript fragments which could
| be rendered and eval'ed when a page loads. There must be
| something in the browser's rendering process that would block
| this, right?
| function_seven wrote:
| I'm not following your scenario here. How would a font be able
| to create these fragments at all?
|
| I can imagine a font _rendering_ a glyph as a line of code. But
| under the hood it would still be just a byte or bytes
| corresponding to that codepoint.
| mFixman wrote:
| You just need a program that registers the `'; DROP TABLE
| 'users` font and voila.
| tobyjsullivan wrote:
| I don't think this is what OP was talking about but fonts are
| Turing-complete and can introduce all manner of exploits.[0]
| However, getting the font installed seems like the hard bit -
| I don't see how loading it or detecting it in a website makes
| anything new possible.
|
| [0] https://www.trendmicro.com/vinfo/us/security/news/vulnera
| bil...
| snapcaster wrote:
| Seems like everything is turing complete these days. Good
| share, didn't know any of this stuff
| chrsstrm wrote:
| I'm not sure, but I suppose you would be correct.
| plorntus wrote:
| I was actually wondering if you could use this as another form
| of authentication (ignoring that WebAuthn and other such
| standards exist). For example create a font dynamically that
| when printing a specific string just outputs some form of data
| (eg. JWT encoded in a font glyph) that can be drawn to a canvas
| and read by the page.
|
| Could be some form of incredibly sticky authentication, unless
| the user removes the font will never go away. Nefarious and not
| sure there would ever be a legitimate use case but sounds
| doable.
| moqmar wrote:
| I think TLS client certificates are basically the equivalent
| to this approach.
| px1999 wrote:
| I can confirm at least one Australian retail bank uses this
| fingerprinting too.
|
| In the past two weeks I have been locked out of an online banking
| portal with TeamViewer being one of the signals used to try to
| verify a suspicious looking transaction.
|
| TeamViewer used to install a font, but that doesn't seem to be
| how they identify that anymore.
| shifty1 wrote:
| They are probably using something like https://www.biocatch.com/
| and https://risk.lexisnexis.co.uk/products/threatmetrix
|
| EDIT: yes they are
| excitom wrote:
| This reminds me of my favorite hackathon project. The idea was to
| guess which college/university a person attended when they
| visited our website. I put a list of links to college bookstores
| in a hidden iframe. Then I had javascript that scanned the list
| to see which links were showing the "visited" color.
|
| Browser people quickly realized the intrusive potential of this
| "feature" and disabled getting the visited status of a link.
| wslh wrote:
| How do you inspect an iframe from a third party? Since the
| iframe can't be read by a script from your site. Is there
| something missing in the explanation?
| Domenic_S wrote:
| I assume he owned the iframe that contained the links, and
| passed back the visited/not visited status with postMessage.
| varun_ch wrote:
| I actually posted a demo of a modern spin on this here
| recently: https://news.ycombinator.com/item?id=30569396 :)
|
| Since browsers don't allow websites to detect the link colour,
| we can just trick the user into telling it for us.
|
| https://varun.ch/history
|
| After posting that, I got some emails from others, and someone
| shared a cool technique involving detecting how long it takes
| to paint the link to the screen. https://ndev.tk/visted/
| Arrath wrote:
| Clever!
| atyppo wrote:
| Seems similar to the story about Russian hackers being instructed
| to leave computers alone that have Russian language enabled. I
| don't think enough people are cognizant of the fingerprint that
| their browser leaves behind.
| somedude895 wrote:
| Apart from creepiness, it is absolutely amazing that the bank
| does that. I'm very impressed that a bank has such creative
| hacker minds to build a warning system like that.
| amendegree wrote:
| It's cool but really annoying that they still don't have a good
| API for importing my transactions to a budgeting app. At least
| their US site still requires logging in and scraping, and of
| course their 2FA is still cell number only.
| 323 wrote:
| In many countries banks are sort of responsible if they
| authorize a payment from a hacked client.
|
| So there are a lot of incentives to detect hacked clients.
| nijave wrote:
| I'm guessing they see enough fraud that such a system quickly
| paid for itself.
|
| Still on the fence whether the creepiness is worth it, though.
| Seems like there are easier alternatives like "graylisting"
| where a transaction is in a pending state for 2-3 days where
| it's cancellable (and maybe can be expedited with a phone
| call). Seems like that'd offer a nice middle-ground between
| scanning your computer and protecting from scammers.
| asolove wrote:
| This is actually very common for any kind of security
| fingerprinting use-case in the browser, especially in
| banking/payments.
|
| If you work forwards from "wow, fonts are a weird fingerprint
| technique" it seems clever.
|
| But the reality is it's much more straightforward if you just
| work it backwards. Someone said: we have access to the
| customer's browser, what can we grab to throw into our ML
| model? You look in the DOM spec, grab every piece of data you
| can get from the customer's system and send it all. Fonts is
| one thing that ended up being useful.
|
| (I am not condoning this practice, just happen to be aware of
| it very well.)
| tpmx wrote:
| Agreed. I'd want to be a customer of that bank.
|
| Banks should be on the offense against fraud by default.
| arprocter wrote:
| "TeamViewer installs suspicious font only useful for web
| fingerprinting" (238 comments)
|
| https://news.ycombinator.com/item?id=32163940
| williamscales wrote:
| From smeej's comment:
|
| > Companies that routinely deal with remote access scams (I'm
| thinking especially of crypto exchanges) could check for this
| font and display specific warnings only to people who had
| TeamViewer installed on their Windows machine (probably
| disproportionately represented among scam victims).
|
| > TeamViewer is a long way from the only software being used
| for this, but it's kind of a cool opportunity.
| godshatter wrote:
| There is a Firefox add-on called Font Fingerprint Defender. I
| haven't used it, so I can't say how well it works.
| butz wrote:
| What prevents fraudsters from deleting TeamViewer font to appear
| more legit?
| kube-system wrote:
| They are usually not particularly sophisticated nor thorough.
| [deleted]
| commandlinefan wrote:
| > Websites can see what fonts your computer has installed
|
| They can? I looked into this once - I was putting together a demo
| site for a friend who does graphic design (like physical signs)
| and he had a lot of unusual fonts installed on his computer that
| he would have liked to use from the website. He wanted a dynamic
| drop-down of all installed fonts so he could select the one to
| use in the demo, but as far as I could tell, JavaScript doesn't
| allow that specifically because it could lead to browser
| fingerprinting/security problems.
| ipython wrote:
| Just spitballing but even if you can't enumerate the fonts, you
| could draw text with the targeted font on a hidden canvas
| element and check if the resulting pixels roughly resemble what
| would be expected versus a "fallback" font?
| lxgr wrote:
| I guess we need a "load fonts" opt-in flag for the Canvas API
| that sets the "no readback" flag that also gets tripped when
| loading non-same-origin images?
| Joeri wrote:
| Fingerprinting with fonts is done by measuring the size of
| especially selected glyphs at large font sizes.
| kube-system wrote:
| You can throw a big list at
| document.fonts.check()
|
| and it will tell you if it's on that system. For instance, try:
| console.log(document.fonts.check("12pt Apple Color Emoji"));
| commandlinefan wrote:
| Ah... so you can tell if a specific font is loaded, but not
| list which fonts there are. That makes sense, thanks.
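
The width-measurement check described in the comments above, as an added example that is not part of the thread or any bank's code. The font name "ExampleRemoteToolFont" is a placeholder (the thread does not name the font), and fakeMeasure is a constructed stand-in for a rendering engine so the logic can run outside a browser.

```javascript
const BASELINES = ["monospace", "sans-serif", "serif"];
const PROBE_TEXT = "mmmmmmmmmmlli"; // wide and narrow glyphs exaggerate width differences
const PROBE_SIZE = "72px";          // large size makes small metric differences visible

// measure(fontSpec, text) -> width in pixels. In a browser, pass canvasMeasure().
function isFontAvailable(family, measure) {
  return BASELINES.some((base) => {
    const fallbackWidth = measure(`${PROBE_SIZE} ${base}`, PROBE_TEXT);
    const probeWidth = measure(`${PROBE_SIZE} "${family}", ${base}`, PROBE_TEXT);
    // A missing family falls back to `base`, so the two widths are identical.
    // Three baselines are tried in case the font matches one of them by chance.
    return probeWidth !== fallbackWidth;
  });
}

// Browser-side measurer built on the Canvas 2D API (not called outside a browser).
function canvasMeasure() {
  const ctx = document.createElement("canvas").getContext("2d");
  return (fontSpec, text) => {
    ctx.font = fontSpec;
    return ctx.measureText(text).width;
  };
}

// Constructed test double: `installed` maps family name -> per-character width;
// the generic families get fixed, made-up widths.
function fakeMeasure(installed) {
  const generic = { monospace: 43, "sans-serif": 38, serif: 36 };
  return (fontSpec, text) => {
    const families = fontSpec.replace(/^\S+\s+/, "").split(",")
      .map((f) => f.trim().replace(/"/g, ""));
    const hit = families.find((f) => f in installed || f in generic);
    const perChar = hit in installed ? installed[hit] : generic[hit];
    return perChar * text.length;
  };
}

// Hypothetical policy hook: show a remote-access scam warning when the font is present.
function shouldShowRemoteAccessWarning(measure) {
  return isFontAvailable("ExampleRemoteToolFont", measure);
}
```

In a page this would be called as shouldShowRemoteAccessWarning(canvasMeasure()). A font with the same metrics as all three fallbacks goes undetected, and a user who removes the font is not flagged, so the result is one signal among several.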
| cyptus wrote:
| does TeamViewer start any webserver on a local port which the
| banking page could connect to and check a _running_ instance?
| Would be much more interesting for fraud detection than a
| _installed_ instance
| mattw2121 wrote:
| I can confirm 100% that there are banks checking to see if
| TeamViewer ports are open.
| thefreeman wrote:
| you can't query local services from a remote webpage unless you
| use a DNS rebinding attack which is probably a bit over the top
| for "whitehat" activity.
| cyptus wrote:
| shouldn't it work by using websockets to localhost?
| smallerfish wrote:
| Sort of, and only with a lot of effort:
| https://incolumitas.com/2021/01/10/browser-based-port-
| scanni...
| cyptus wrote:
| but only because the local service in this example is not
| prepared to accept the websocket connection, the
| TeamViewer client would be able to do this to enable some
| functions on the TeamViewer website if an instance is
| running
| TillE wrote:
| The point of a check like this wouldn't be to bypass a
| firewall, just to see if the port is open on your public IP.
| ev1 wrote:
| I have encountered numerous sites that port scan localhost
| via websocket/img onerror/etc.
___________________________________________________________________
(page generated 2022-11-22 23:01 UTC)