[tor-bugs] #9308 [Firefox Patch Issues]: JavaScript's BrowserFeedWriter() leaks installation paths on OS X
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 22 20:45:57 UTC 2013
#9308: JavaScript's BrowserFeedWriter() leaks installation paths on OS X
----------------------------------+-----------------------------------------
Reporter: cypherpunks | Owner: mikeperry
Type: defect | Status: new
Priority: critical | Milestone:
Component: Firefox Patch Issues | Version: Tor: 0.2.3.25
Keywords: tbb-fingerprinting | Parent: #5922
Points: | Actualpoints:
----------------------------------+-----------------------------------------
In #5922 it was claimed that the vulnerability uncovered at Defcon 17 by
Gregory Fleischer (http://pseudo-flaw.net/tor/torbutton/browserfeedwriter-
error.html) doesn't affect TBB on OS X. I have just replicated this bug on
2.3.25-10.
When the TBB is installed in a user's homedir, calling (new
BrowserFeedWriter()).close() will leak their username in a JS exception.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9308>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list