[tbb-bugs] #22919 [Applications/Tor Browser]: Form tracking and OS fingerprinting (only Windows, but without Javascript)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 14 10:18:10 UTC 2017

#22919: Form tracking and OS fingerprinting (only Windows, but without Javascript)
     Reporter:  basvd                     |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Major                     |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 I found out that TOR (/Firefox) is using a weak implementation of a
 (pseudo)random number generator. On form submission Firefox always sends
 an unique boundary delimiter together with the POST data. But this unique
 boundary string isn't so unique as it looks like.

 For example, when you send a multipart form request the number is always
 the first time: 41184676334, 2nd time: 265001916915724, 3th time:
 114782935826962, etc..

 Try it yourself: build a multipart form and check the POST data:

 <form action="/" method="post" enctype="multipart/form-data">
  <input type="submit" value="Submit">
 Content-Type: multipart/form-data;

 Content-Length: 63-----------------------------41184676334--

 '''1) OS fingerprinting for Windows
 '''It looks like the implementation between Windows and Linux is
 different. Windows isn't seeding srand() calls. In this way we're 99% sure
 that boundary string with 41184676334, 265001916915724, 114782935826962
 came from a Windows OS.

 '''2) "track" form submissions between websites.
 '''On website_A I submit a form mulitple times. Now, the owner of
 website_B is able to read the boundary string and can check how many times
 a user submitted a form on website_A.

 '''3) "track" form interactions on other websites.
 '''For example, I'm the owner of website_A, and website_B is a photo
 upload website. If the user goes from website_A to B and later he came
 back to my website, I'm able to know if the user uploaded a photo on the
 other website:

  * website_A (boundary: 41184676334)
  * website_B (??)
  * website_A (boundary: 114782935826962)

 As you can see only 265001916915724 is missing, so he did one action on
 the other website.

 '''4) Fake boundaries for file uploads
 '''It is possible to inject fake data in a file and let you browser think
 that you've uploaded 2 files. In this way it is possible to upload 2 files
 by uploading only one. Of course it also depends on server side
 validation, but for the browser this seems to be okay. Example on
 [https://bugzilla.mozilla.org/show_bug.cgi?id=461204 Bugzilla]

 Without Javascript we're able to know if an user is running on Windows and
 we're able to know how many times a user submitted a form (... on another

 '''Technical analysis:'''
 The [https://dxr.mozilla.org/mozilla-
 central/source/dom/html/HTMLFormSubmission.cpp#430 current implementation]
 of the boundary delimiter in Firefox:

 As you can see RAND() is called without seeding this function. Every time
 you'll (re)start TOR, the browser also resets the seed. Without a good
 seed the output is of rand is
 [http://statweb.stanford.edu/~serban/116/random.txt always predictable].
 At least on Windows, I think Linux has a different implementation of PRNG.

 A solution is to seed RAND() with the PID or something else that's not
 public (like dates or timestamps).

 5 years ago there was also a discussion about this topic on Bugzilla:

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22919>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list