We found a stable Firefox identifier linking all your private Tor identities

Posted by danpinto 21 hours ago

We found a stable Firefox identifier linking all your private Tor identities(fingerprint.com)

768 points | 228 commentspage 2

codedokode 18 hours ago|

Honestly it seems that most of Web Standards are used mostly for fingerprinting - I think a small number of websites uses IndexedDB (who even needs it) for actually storing data rather than fingerprinting.

That's why expansion of web standards is wrong. Browser should provide minimal APIs for interacting with device and features like IndexedDB can be implemented as WebAssembly library, leaking no valuable data.

For example, if canvas provided only access to picture buffer, and no drawing routines calling into platform-specific libraries, it would become useless for fingerprinting.

Dwedit 18 hours ago||

You can use a browser extension like "Local Storage Editor" to see the contents of the Local Storage of a website. So far, I've seen it used for caching long-life images (like on gmail), or used as another way to do logins instead of cookies.

troupo 17 hours ago||

> You can use a browser extension like "Local Storage Editor" to see the contents of the Local Storage of a website.

Or just open dev tools

fc417fc802 12 hours ago|||

I'm with you up to the bit about canvas. The problem there is that if you want hardware acceleration then either you can't permit services to read back what was rendered (why do they need to do that again?) or else you're inevitably going to leak lots of very subtle platform specific details. Personally I think reading back the content of a canvas should be gated behind a permission dialog.

self-portrait 4 hours ago||

Why is Firefox DB open-source MPLv2.0 running .cpp indexedDBdatabses() script on the API:

namespace mozilla {

namespace dom::indexedDB {

using namespace mozilla::dom::quota;

using namespace mozilla::ipc;

using mozilla::dom::quota::Client;

biosboiii 7 hours ago||

Tor on Chromium, when?

Seriously, I am saddened that Chromium dominates the browser market as much as it does, but at this point the herd-immunity of Chromium is necessary to keep users safe.

keepamovin 5 hours ago|

To answer "Tor on Chromium, when?", well - you can actually do this right now using BrowserBox! It has a built-in tor-run function that connects Chrome to a Tor SOCKS proxy, and it wraps any other browsing-related network calls over torsocks as well.

Because it's an isolated remote browser, you also get a lot of flexibility. You can run BrowserBox itself as an onion hidden service connected to the clearnet, or connect BrowserBox to browse over Tor, or even do both at the same time. Since this Firefox IndexedDB vulnerability relies on persisting state, you can completely avoid it by running BrowserBox (based on Chromium), and doing it ephemerally. There's actually a new GitHub action [0] that makes spinning up a purely ephemeral, disposable session incredibly easy and would be immune to this kind of process-level state tracking.

The action runs BrowserBox on a GitHub Action Runner, you can specify whether you want a CloudFlare tunnel, or a tor tunnel (which comes with torweb access). And there's a conveneince script you can use to run from the command-line - which does the setup then spits out your login link.

All you need is a BrowserBox license (not free), but then you can use it.

I would consider this a lightweight Tor-proxied Browser, not a replacement for Tor Browser, at this time as there are likely edges and leaks that the official Tor Browser has long patched. However, as cases liek this IDB bug demonstrate - no security is perfect. If you simply want a way to access tor, and add an extra "ephemeral" hop on a runner, itself over Tor, and not trying to do anything especially sensitive or life-threatening - it's probably good.

[0]: https://github.com/marketplace/actions/browserbox

[1]: https://github.com/BrowserBox/BrowserBox

Amekedl 3 hours ago||

"The signal is not just stable. It also has high capacity." stopped reading right there also it's nothing that anybody using tails for example should have to worry about. Nothingburger.

Cider9986 10 hours ago||

https://archive.ph/BbVZo — for those that would rather be fingerprinted by Google than fingerprint-com

Meneth 19 hours ago||

I'm confused.

The IndexedDB UUID is "shared across all origins", so why not use the contents of the database to identify browers, rather than the ordering?

nneonneo 18 hours ago||

There's an instructive example on the page. Suppose a page creates the databases `a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p`, then queries their order. They might get, for example `g,c,p,a,l,f,n,d,j,b,o,h,e,m,i,k`, based on the global mapping of database names to UUIDs.

The key vulnerability here is that, for the lifetime of that Firefox process, any website that makes that set of databases is going to see the exact same output ordering, no matter what the contents of those databases are. That makes this a fingerprint: it's a stable, high-entropy identifier that persists across time, even if the contents of those databases are not preserved. It is shared even across origins (where the contents would not be), and preserved after website data is deleted -- all a website has to do to re-acquire the fingerprint is recreate the databases with the same names and observe their ordering.

Joe_Cool 17 hours ago||

As I understood not ANY website can see it. But the same website can see it regardless if you reset your identity in Tor Browser.

So it persists between anonymous sessions. So you could connect User A that logged out and reset the identity to User B who believed was using a fresh anonymous session and logged in afterwards.

stratos123 15 hours ago||

No, it does allow identification across different websites (the article says "both cross-origin and same-origin tracking"). Both websites just need to create some databases with the same names. Since the databases are origin-scoped, these aren't the same databases, so you can't just write some data into one and read it on another website. But it turns out that if two websites use the same names for all these databases, the order the list of databases is returned in is random-per-user but the same regardless of website.

lxgr 19 hours ago|||

The content is obviously scoped to an origin, or IndexedDB would be a trivial evercookie.

AgentME 18 hours ago||

It's the mapping of UUIDs to databases that is shared across origins in the browser. Only the subset of databases associated with an origin are exposed to that origin.

crazysim 20 hours ago||

I would imagine most users of Tor are using Tor Browser. I am reading there was a responsible disclosure to Mozilla but is it me or did that section leave out when the Tor Project planned to respond or release a fixed Tor Browser? Do they like keep very close or is there a large lag?

flotzam 19 hours ago|

Tor Browser is always quick to rebase on the latest Firefox ESR. They released an update the next day:

https://blog.torproject.org/new-release-tor-browser-15010/

Fokamul 5 hours ago||

Imho, EU should make any fingerprinting illegal in all browsers.

And all browser devs should be required to actively fight against fingerprinting.

There is no legitimate need for fingerprinting in browsers.

jonathanstrange 5 hours ago|

Fingerprinting is done by servers, not by browsers, and it is already illegal in the EU when it is done without explicit user consent and according to the GDPR data handling requirements. The GDPR covers all of this, it doesn't matter where the data comes from.

VladVladikoff 12 hours ago|

What are these databases not scoped to origin of creation like cookies?

AgentME 12 hours ago|

They are. The leak is that if a webpage you visit creates several databases with certain names, the order is random but stays the same within the same browser session.

More comments...