Data URI scheme bypasses the readout API block

[takayatodoroki]

Description

Using a Data URI scheme instead a classic HTML/JS bypasses the readout API block

Expected Behavior

The readout API block, if set in the add-on configuration, should work in any circumstance.

Current Behavior

Despite the readout API block set in the add-on configuration a Data URI scheme can execute code able to readout (and write) from Canvas.

Steps to Reproduce (for bugs)

paste this simple fingerprinting code (not very fingerprinting, it's just a concept), in the browser URL bar and it will popoup your fingerprinted id:

data:text/html,<html><head><script>window.onload=showId;function showId(){var CanvaS,ctxS,ciS,S,W,H;var e=0.0;var C=document.createElement("canvas");C.width=400;C.height=400;C.id="canvasS";document.body.appendChild(C);CanvaS=document.getElementById("canvasS");ctxS=CanvaS.getContext("2d");W=CanvaS.width;H=CanvaS.height;ctxS.textBaseline="top";ctxS.font="1.01emOptimer,verdana";ctxS.fillStyle="rgba(255,255,255,1)";ctxS.fillText("Test",0,0);ciS=ctxS.getImageData(0,0,W,H);S=ciS.data;for(var x=0;x<W*H*4;x++){e=e+S[x]*x;}alert("id:"+e);}</script></head></html>

it uses getImageData to elaborate how the text 'Test' is rendered

Context

I did some research and it seems that Firefox (as well as other browser) now limits the ways Data URI scheme can be used. I tried to use as iframe, as link, as pop-up window and as image source with no success (luckily). I tried even to use the base64 encoded version (to avoid problems with escaping characters and such):

data:text/html;base64,PGh0bWw+PGhlYWQ+PHNjcmlwdD53aW5kb3cub25sb2FkPXNob3dJZDtmdW5jdGlvbiBzaG93SWQoKXt2YXIgQ2FudmFTLGN0eFMsY2lTLFMsVyxIO3ZhciBlPTAuMDt2YXIgQz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJjYW52YXMiKTtDLndpZHRoPTQwMDtDLmhlaWdodD00MDA7Qy5pZD0iY2FudmFzUyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChDKTtDYW52YVM9ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImNhbnZhc1MiKTtjdHhTPUNhbnZhUy5nZXRDb250ZXh0KCIyZCIpO1c9Q2FudmFTLndpZHRoO0g9Q2FudmFTLmhlaWdodDtjdHhTLnRleHRCYXNlbGluZT0idG9wIjtjdHhTLmZvbnQ9IjEuMDFlbU9wdGltZXIsdmVyZGFuYSI7Y3R4Uy5maWxsU3R5bGU9InJnYmEoMjU1LDI1NSwyNTUsMSkiO2N0eFMuZmlsbFRleHQoIlRlc3QiLDAsMCk7Y2lTPWN0eFMuZ2V0SW1hZ2VEYXRhKDAsMCxXLEgpO1M9Y2lTLmRhdGE7Zm9yKHZhciB4PTA7eDxXKkgqNDt4Kyspe2U9ZStTW3hdKng7fWFsZXJ0KCJpZDoiK2UpO308L3NjcmlwdD48L2hlYWQ+PC9odG1sPg==

It still works manually pasting it on the URL bar, but it does not work in any other way i tested.

But here the problem: at the end I've tested the code in combination with a service that compresses the HTML/JS code and then decompresses it in real time in data:text (the service is https://itty.bitty.site). And here the final exploit:

maliciuos link that can bypass readout blocking

Your Environment

• CanvasBlocker Version used: 0.4.5c
• Firefox version: 61.0.1 (64-bit)
• Operating System and version (desktop): Windows 7 ultimate 64-bit

Your Settings

{ "logLevel": 1, "urlSettings": [], "whiteList": "", "blackList": "", "blockMode": "blockReadout", "minFakeSize": 1, "maxFakeSize": 0, "rng": "nonPersistent", "apiWhiteList": {}, "useCanvasCache": true, "ignoreFrequentColors": 0, "minColors": 0, "fakeAlphaChannel": false, "persistentRndStorage": "", "storePersistentRnd": false, "persistentRndClearIntervalValue": 0, "persistentRndClearIntervalUnit": "days", "lastPersistentRndClearing": 0, "askOnlyOnce": "individual", "askDenyMode": "block", "showCanvasWhileAsking": true, "showNotifications": true, "storeImageForInspection": false, "notificationDisplayTime": 30, "ignoreList": "", "showCallingFile": false, "showCompleteCallingStack": false, "enableStackList": false, "stackList": "", "displayAdvancedSettings": true, "displayDescriptions": false, "isStillDefault": false, "storageVersion": 0.3 }

[kkapsner]

Thanks for your effort. I had similar findings and think I can create a vector that does not rely on a third party service.

Unfortunately I think this is a Firefox-problem. But I will see if there is a way to fix this anyway (despite of filing a bug for Firefox).

[kkapsner]

Bugzilla is down at the moment - so I cannot file a bug. but Chrome has the same issue: https://bugs.chromium.org/p/chromium/issues/detail?id=55084 - quite old and still not fixed.

At least the iframe containing the real fingerprint cannot access the original web page. Let's see if there are other ways to get the fingerprint to the attacer.

[kkapsner]

Well - bad news: it was quite simple to get the fingerprint data to any server but I found no way of protecting the browser against this fingerprint leak. No way to detect that the

The only way I found was to go the NoScript way: disable scripts completely which propagates to the data URL page. But this renders the modern web useless.

[kkapsner]

The bug is filed: https://bugzilla.mozilla.org/show_bug.cgi?id=1475831

[kkapsner]

Second bug which prevented a workaround: https://bugzilla.mozilla.org/show_bug.cgi?id=1475832

[spodermenpls]

Good job, I gave both filed bugs an upvote - the added gravitas should prevent them from being neglected now. 😅

[kkapsner]

This is weird - a different workaround that I tried yesterday now works today.

[kkapsner]

The new release is out.

[kkapsner]

I want to keep it open as I do not like the current workaround...

[crssi]

Given my vote on both bugzilla.

[Floppyjoe]

I left a comment on one of your other bugs that I was having a problem with you CanvasBlocker add-on that I thought was disrupting the speedtests I was doing. Now the speedtest site said it had a problem with my adblocker even though I never see any adds on the speedtest website with adblocker disabled. The speedtests work now, but now I have a new problem with your latest release. When I use facebook, facebook does not work. at first I could not access any web pages with CanvasBlocker enabled. It showed me a page with a unicorn on it when I tried to come to this page. Showing that it did not exist. Maybe some higher powers at work here. But I can't seem to use the internet with your CanvasBlocker enabled. When I try to revert to an older version it does not allow me to install it because it is not verified. What do you suggest?

[kkapsner]

You are right: this could be related to this workaround. Please open a new issue with all you information.

But you should be able to go to an older version: https://addons.mozilla.org/de/firefox/addon/canvasblocker/versions/ (the versions on github do not work: #210)

[kkapsner]

Well... while looking in #211 I noticed that there is a workaround for my workaround. Let's see how I can fix this without worsening #211 .

[kkapsner]

It's even worse than I thought. The workaround might not work in all cases.

[kkapsner]

Version 0.5.1.0 is out and will now block all data URLs in iFrames and

[ThinkChaos]

Hi, as per bugzilla, Firefox 128 includes the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1475831 :)