[tbb-bugs] #14560 [Tor Browser]: Tor Browser: Font probing vulnerability using dynamically generated iframes

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 30 22:35:18 UTC 2015 

#14560: Tor Browser: Font probing vulnerability using dynamically generated iframes
-------------------------------+----------------------------------
 Reporter:  Peter_Baumann_TUD  |          Owner:  tbb-team
     Type:  defect             |         Status:  new
 Priority:  normal             |      Milestone:
Component:  Tor Browser        |        Version:  Tor: unspecified
 Keywords:  Fingerprinting     |  Actual Points:
Parent ID:                     |         Points:
-------------------------------+----------------------------------
 Hello,

 I'm a computer science student at TU Darmstadt, Germany, and as a part of
 my Master Thesis about the development of browser fingerprinting
 countermeasures I examined the anti-fingerprinting capabilities of Tor
 Browser. As a result of this examination I found a flaw in the protection
 against font probing that can be used to probe for an inexhaustible amount
 of fonts. I developed a small JavaScript application that can test for
 more than 600 fonts in less than a second (see attached). This
 vulnerability poses a risk to a user's privacy, as it can potentially be
 used to track users over the course of several browser sessions and among
 various websites.

 '''Description:'''

 Tor browser limits the total number of fonts that can be used in a
 document. By default, a document can use 10 fonts. So if a fingerprinter
 tries to probe for more than 10 fonts, he only gets reported that these
 fonts are missing.
 However, this design has a flaw, as it didn't consider that iframes also
 have their own document body. Therefore, in order to circumvent this
 limitation, a fingerprinting script might dynamically generate an iframe
 for each package of 10 fonts, probe for their existence, until all fonts
 have been probed for.

 '''Note: '''The maximum number of possible fonts can be changed by the
 user. The fingerprinting script could easily probe for this threshold, as
 I found out that an already loaded font can't be loaded again, once this
 limit is reached.

 '''The script:'''

 I implemented a small script based on this observation. It creates iframes
 and probes for 10 fonts, using HTML 5 canvas element and the function
 measureText() provided by JavaScript. I assume that this approach also
 works with the classical implementation using CSS + JS, but I leave the
 experiments to some one else.
 For the script and a screenshot see the appended files.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14560>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list