[tbb-bugs] #14560 [Tor Browser]: Tor Browser: Font probing vulnerability using dynamically generated iframes

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 30 22:35:18 UTC 2015

#14560: Tor Browser: Font probing vulnerability using dynamically generated iframes
 Reporter:  Peter_Baumann_TUD  |          Owner:  tbb-team
     Type:  defect             |         Status:  new
 Priority:  normal             |      Milestone:
Component:  Tor Browser        |        Version:  Tor: unspecified
 Keywords:  Fingerprinting     |  Actual Points:
Parent ID:                     |         Points:

 I'm a computer science student at TU Darmstadt, Germany, and as part of
 my Master's thesis about the development of browser fingerprinting
 countermeasures I examined the anti-fingerprinting capabilities of Tor
 Browser. As a result of this examination I found a flaw in the protection
 against font probing that can be used to probe for an inexhaustible amount
 of fonts. I developed a small JavaScript application that can test for
 more than 600 fonts in less than a second (see attached). This
 vulnerability poses a risk to a user's privacy, as it can potentially be
 used to track users over the course of several browser sessions and among
 various websites.


 Tor Browser limits the total number of fonts that can be used in a
 document. By default, a document can use 10 fonts. So if a fingerprinter
 tries to probe for more than 10 fonts, he is only told that these
 fonts are missing.
 However, this design has a flaw, as it didn't consider that iframes also
 have their own document body. Therefore, in order to circumvent this
 limitation, a fingerprinting script might dynamically generate an iframe
 for each package of 10 fonts and probe for their existence, until all fonts
 have been probed for.

 '''Note: '''The maximum number of possible fonts can be changed by the
 user. The fingerprinting script could easily probe for this threshold, as
 I found out that an already loaded font can't be loaded again, once this
 limit is reached.

 '''The script:'''

 I implemented a small script based on this observation. It creates iframes
 and probes for 10 fonts, using the HTML5 canvas element and the function
 measureText() provided by JavaScript. I assume that this approach also
 works with the classical implementation using CSS + JS, but I leave the
 experiments to someone else.
 For the script and a screenshot see the appended files.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14560>
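
The accounting flaw described in the report, as an added model that is not the reporter's attached script and not Tor Browser code: it compares a font budget keyed per document with one keyed per top-level document. The scope names, the frame ids and the per-top-level variant are assumptions made for illustration, not the fix Tor Browser adopted.

```javascript
// Added model (not Tor Browser code). Scope names and frame ids are hypothetical.
class FontLimiter {
  constructor(limit, scope) {
    this.limit = limit;    // the report gives 10 as the default
    this.scope = scope;    // "document" or "top-level"
    this.used = new Map(); // accounting key -> Set of families let through
  }

  // doc = { id, topId }; topId names the top-level document that embeds doc.
  allow(doc, family) {
    const key = this.scope === "document" ? doc.id : doc.topId;
    if (!this.used.has(key)) this.used.set(key, new Set());
    const seen = this.used.get(key);
    // Per the report's note, nothing loads once the limit is reached,
    // not even a family that was let through earlier.
    if (seen.size >= this.limit) return false;
    seen.add(family);
    return true;
  }
}

// Spread the requests over child frames, one frame per `limit` families,
// and count how many distinct families the policy lets through in total.
function familiesExposed(scope, families, limit = 10) {
  const limiter = new FontLimiter(limit, scope);
  const exposed = new Set();
  for (let i = 0; i < families.length; i += limit) {
    const frame = { id: `frame-${i / limit}`, topId: "top" };
    for (const family of families.slice(i, i + limit)) {
      if (limiter.allow(frame, family)) exposed.add(family);
    }
  }
  return exposed.size;
}

// Constructed sample input: 600 placeholder family names.
const SAMPLE_FAMILIES = Array.from({ length: 600 }, (_, i) => `Constructed Font ${i}`);

console.log("per-document budget:", familiesExposed("document", SAMPLE_FAMILIES));
console.log("per-top-level budget:", familiesExposed("top-level", SAMPLE_FAMILIES));
```

With the budget keyed per document every child frame starts from zero, so the limit never binds across frames; keyed per top-level document, the same requests stop at the limit.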