ray-lothian / UserAgent-Switcher

A User-Agent spoofer browser extension that is highly configurable
https://webextension.org/listing/useragent-switcher.html
Mozilla Public License 2.0
923 stars 143 forks

[SECURITY] navigator.platform bug makes this plugin anti-privacy, worse than having nothing #115

Closed BugHunter1000 closed 3 years ago

BugHunter1000 commented 3 years ago

Hi, I'm sure this is an honest mistake, but it's pretty major, so if the title annoys you, well then I guess it does.

If you spin up a Linux VM and go here:

https://ipleak.net/

You will see that the System Information > Platform detection shows the host OS as Linux, even when the user agent is set to Windows. This is worse for privacy than not having a user agent set to something more common because the plugin user is placing a lot of trust in the plugin to get it right, and even a small nuance off will basically fully pinpoint that user's fingerprint and make them infinitely trackable. If that is not important to you, then the fact that this is inconsistent behavior and incorrect functionality from a purely programmatic viewpoint may be more interesting. Regardless, I believe you will agree that it necessitates a prompt fix.

I have taken the liberty of reverse engineering their detection code for your convenience, and you will see in the source that they do this:

jQuery("#system").html(IpLeak.dumpInfoSystem());
// Into:
dumpInfoSystem: function() {
    html = "";
    html += '<table class="properties details">';
    html += IpLeak.dumpKeyValue("Platform",navigator.platform);
    html += IpLeak.dumpKeyValue("Cookie enabled",navigator.cookieEnabled);
    html += IpLeak.dumpKeyValue("Java enabled",navigator.javaEnabled());
    if (navigator.taintEnabled) {
        html+=IpLeak.dumpKeyValue("Taint enabled",navigator.taintEnabled())
    }
    html += IpLeak.dumpKeyValue("Online",navigator.onLine);
    html += "</table>";
    return html
}

I believe that you can solve this quite egregious bug by forcing the navigator.platform value based on the list item selected or written by the plugin user.

However, this also begs the question, "what if a malicious website deletes the navigator.platform value?" and I would love your input on that, since I am not sure what the resulting behavior would be (and maybe it is Google / Mozilla's problem ultimately).

Anyway, I hope this did not offend you too much, and that it was useful.

Have a nice day.

ray-lothian commented 3 years ago

Thanks for the report. It was an FF-only bug. Should have been fixed by the next release.
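
A consistency check for the mismatch reported in this thread, as an added example that is not part of the original posts, the extension's code or ipleak.net's code: it compares the OS implied by `navigator.userAgent` with `navigator.platform`, so a spoofing profile can be regression-tested. The function names, the family table and the sample values are assumptions constructed for illustration.

```javascript
// Added example; all names here are hypothetical, sample values are constructed.

// OS family implied by a User-Agent string. Order matters: Android UAs
// contain "Linux" and iOS UAs contain "like Mac OS X".
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return "windows";
  if (/Android/.test(ua)) return "android";
  if (/iPhone|iPad|iPod/.test(ua)) return "ios";
  if (/Macintosh/.test(ua)) return "macos";
  if (/CrOS/.test(ua)) return "chromeos";
  if (/Linux|X11/.test(ua)) return "linux";
  return "unknown";
}

// Family implied by navigator.platform; a deleted or non-string value is "missing".
function familyFromPlatform(platform) {
  if (typeof platform !== "string" || platform === "") return "missing";
  if (/^Win/.test(platform)) return "windows";
  if (/^(iPhone|iPad|iPod)/.test(platform)) return "ios";
  if (/^Mac/.test(platform)) return "macos";
  if (/^Linux/.test(platform)) return "linux";
  return "unknown";
}

// Platform family a real browser on each UA OS reports (Android and
// ChromeOS both report a "Linux ..." platform string).
const EXPECTED = {
  windows: "windows", macos: "macos", ios: "ios",
  linux: "linux", android: "linux", chromeos: "linux",
};

// nav is any object with userAgent and platform; pass `navigator` in a page.
function checkConsistency(nav) {
  const uaOs = osFromUserAgent(String(nav.userAgent || ""));
  const platformFamily = familyFromPlatform(nav.platform);
  const consistent = uaOs !== "unknown" && EXPECTED[uaOs] === platformFamily;
  return { uaOs, platformFamily, consistent };
}

// Constructed samples: the state described in the report, and a consistent profile.
const WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0";
const reported = checkConsistency({ userAgent: WIN_UA, platform: "Linux x86_64" });
const fixed = checkConsistency({ userAgent: WIN_UA, platform: "Win32" });
console.log(reported, fixed);
```

Running `checkConsistency(navigator)` in the page console with a profile selected shows whether the two values agree; a missing or non-string `platform` is reported as inconsistent.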