[tor-talk] bug

Joe Btfsplk joebtfsplk at gmx.com
Mon Sep 12 19:55:43 UTC 2016


On 9/12/2016 9:41 AM, xuzixatem at polyfaust.com wrote:
> https://www.browserleaks.com/firefox
>
> It can be used for both fingerprinting (different users use different OS setups or different Tor versions) and exploiting software vulnerabilities, because when an attacker doesn’t know your OS or browser version they don’t know what payload can do the thing that, if used incorrectly, will show a download warning that compromises their valuable malware to citizenlab-like groups.

Using TBB, I looked at the link - browserleaks.com/firefox - with JS 
disabled.  The code that supposedly detects values in firefox.js, giving 
away the OS:

<script>
// firefox.js is a list of pref("name", value); calls. Loading it as a
// script runs each call against the pref() function the page defines.
var include = function(load, err) {
    var el = document.createElement("script");
    el.type = "text/javascript";
    el.onload = load;
    el.onerror = err;
    document.head.appendChild(el);
    el.src = "resource:///defaults/preferences/firefox.js";
}

var pref,
    sticky_pref,
    os;

// Called once per pref in firefox.js; the first matching default sets the OS.
pref = sticky_pref = function(key, val) {
    if (!os)
        if (key == "browser.gesture.pinch.out" && val == "cmd_fullZoomEnlarge")
            os = "Windows";
        else if (key == "browser.backspace_action" && val == "2")
            os = "Linux";
        else if (key == "browser.gesture.pinch.threshold" && val == "150")
            os = "Mac";
}

include(function() {
    console.log( "OS: " + (os ? os : "unknown") );
},function() {
    console.log( "OS: n/a (not a Firefox)" );
});
</script>


The prefs & values the code is querying appear in about:config, as 
would many firefox.js settings.

Question for devs / Firefox experts:  many prefs are reported to sites 
so they can display content, but are they allowed to access every 
setting in about:config - default or user set?
This can't be correct.  That would make users very unique.

Is this bug somehow supposed to allow only querying firefox.js values & 
no other files?  Why is that?  If allowed access to firefox.js, why not 
all firefox files?
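
A static check for the pattern in the snippet quoted above, as an added example that is not part of the original post or of the browserleaks.com code: it flags page source that assigns a resource:// or chrome:// URI to a src/href and also defines the pref()/sticky_pref() callbacks that a preferences file calls when evaluated as a script. The function names, the verdict labels and the sample page are assumptions made for this example.

```javascript
// Constructed sample input: a page fragment shaped like the snippet in the post.
const SAMPLE_PAGE = [
  '<script>',
  'var pref, sticky_pref, os;',
  'pref = sticky_pref = function (key, val) { /* compare key/val */ };',
  'var el = document.createElement("script");',
  'el.src = "resource:///defaults/preferences/firefox.js";',
  'document.head.appendChild(el);',
  '</script>',
  '<img src="https://example.com/logo.png">',
].join("\n");

// Browser-internal schemes that ordinary web pages do not normally load.
const INTERNAL_URI = /\b(resource|chrome):\/\/[^\s"'<>)]*/g;
// Assignments to the callback names used in the quoted snippet.
const PREF_CALLBACK = /\b(pref|sticky_pref)\s*=(?!=)/g;
// True when the text before a URI ends in `src =` / `href=` (JS or HTML).
const LOAD_SINK = /\b(src|href)\s*=\s*["']?$/;

// Returns one finding per hit: { line, kind, value }.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(INTERNAL_URI)) {
      const loaded = LOAD_SINK.test(text.slice(0, m.index));
      const kind = loaded ? "internal-uri-load" : "internal-uri-mention";
      findings.push({ line: i + 1, kind, value: m[0] });
    }
    for (const m of text.matchAll(PREF_CALLBACK)) {
      findings.push({ line: i + 1, kind: "pref-callback", value: m[1] });
    }
  });
  return findings;
}

// Combines findings: a load plus a pref callback matches the quoted pattern.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has("internal-uri-load") && kinds.has("pref-callback")) {
    return "pref-fingerprinting";
  }
  if (kinds.has("internal-uri-load")) return "internal-resource-probe";
  return "clean";
}

const report = scanSource(SAMPLE_PAGE);
console.log(verdict(report), report);
```

The match is textual, so a URI assembled at run time from string pieces will not be flagged.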









