Detect access to navigator plugin and mimeType details - Githubissues

ghostwords / chameleon

Browser fingerprinting protection for everybody.

Mozilla Public License 2.0

532 stars 61 forks source link

Detect access to navigator plugin and mimeType details #19

Open gunesacar opened 9 years ago

gunesacar commented 9 years ago

Currently Chameleon cannot intercept access to high entropy plugin properties such as name, filename and description. It only counts the number of accesses to navigator.plugins.

Here's a simple demo page. The script on the page enumerates all the details about navigator.plugins, but the access to individual plugin properties goes unnoticed.

ghostwords commented 9 years ago

Chameleon's injected page script detects the navigator accesses (as per the following developer-mode page console output), but it looks like Chameleon proper never receives that info.

Navigator.plugins prop access: https://securehomes.esat.kuleuven.be/~gacar/dev/test/navfp/nav_plugins_fp.html:6:29
Error
    at Navigator.Object.defineProperty.get [as plugins] (<anonymous>:11:1064)
    at enum_plugins (nav_plugins_fp.html:6)
    at onload (nav_plugins_fp.html:14)

Navigator.plugins prop access: https://securehomes.esat.kuleuven.be/~gacar/dev/test/navfp/nav_plugins_fp.html:8:17
Error
    at Navigator.Object.defineProperty.get [as plugins] (<anonymous>:11:1064)
    at enum_plugins (nav_plugins_fp.html:8)
    at onload (nav_plugins_fp.html:14)

Navigator.plugins prop access: https://securehomes.esat.kuleuven.be/~gacar/dev/test/navfp/nav_plugins_fp.html:8:17
Error
    at Navigator.Object.defineProperty.get [as plugins] (<anonymous>:11:1064)
    at enum_plugins (nav_plugins_fp.html:8)
    at onload (nav_plugins_fp.html:14)

Navigator.plugins prop access: https://securehomes.esat.kuleuven.be/~gacar/dev/test/navfp/nav_plugins_fp.html:8:17
Error
    at Navigator.Object.defineProperty.get [as plugins] (<anonymous>:11:1064)
    at enum_plugins (nav_plugins_fp.html:8)
    at onload (nav_plugins_fp.html:14)

Navigator.plugins prop access: https://securehomes.esat.kuleuven.be/~gacar/dev/test/navfp/nav_plugins_fp.html:8:17
Error
    at Navigator.Object.defineProperty.get [as plugins] (<anonymous>:11:1064)
    at enum_plugins (nav_plugins_fp.html:8)
    at onload (nav_plugins_fp.html:14)

Navigator.plugins prop access: https://securehomes.esat.kuleuven.be/~gacar/dev/test/navfp/nav_plugins_fp.html:8:17
Error
    at Navigator.Object.defineProperty.get [as plugins] (<anonymous>:11:1064)
    at enum_plugins (nav_plugins_fp.html:8)
    at onload (nav_plugins_fp.html:14)

I think the document.write calls clear the document (since they run after the document finished loading), which breaks Chameleon's communication channel between its injected page script and its injected content script.

ghostwords commented 9 years ago

While this scenario might be an acceptable edge case, it is true that Chameleon does not trap Plugin properties, only Navigator properties (such as PluginArray).

gunesacar commented 9 years ago

Great! I think trapping plugin properties may help a lot with filtering out false positives (e.g. just checking if you have Flash vs. plugin enumeration with full details).

Also, even when I get rid of document.write, I still get the ~same error you mentioned on the DevTools console. Here's a demo which accesses navigator.plugins and mimetypes without using document.write.

It seems simply accessing navigator.plugins or navigator.mimeTypes causes the error. For the record, I'm using the master branch on Chromium 41.0.

ghostwords commented 9 years ago

Oh, sorry, those aren't errors! It's just Chameleon figuring out the originating script using Chrome stack traces and me not bothering to edit the traces before dumping them to the console in dev mode.

gunesacar commented 9 years ago

Ugh, I see :) That make me feel like this: https://imgur.com/SL88Z6g

ghostwords commented 9 years ago

Ha ha!

ghostwords commented 9 years ago

On that second demo page Chameleon currently picks up a single hit for navigator.plugins and a single hit for navigator.mimeTypes. While that's correct, I agree it would be great to have a fuller picture of what happened to those properties that are in themselves enumerable lists of properties.

Also, "navigator enumeration" right now isn't as interesting as "font enumeration" or "canvas fingerprinting", I feel like. It's probably too coarse a metric; perhaps the solution is to break it down into "plugin enumeration" and "MIME type enumeration".

gunesacar commented 9 years ago

I think breaking it into plugin and mimeType enumeration is definitely a good idea.

Perhaps, enumeration of the remaining navigator properties could still be useful (e.g. for detecting scripts that traverse the navigator by for prop in navigator, or similar ways.)

ghostwords commented 9 years ago

Now that I turned off raw counting of property accesses (96f3468), this ticket should help (re-)light Chameleon on Panopticlick.