
Data URI scheme bypasses the readout API block #208

@takayatodoroki

Description

Using a Data URI scheme instead of a classic HTML/JS bypasses the readout API block.

Expected Behavior

The readout API block, if set in the add-on configuration, should work in any circumstance.

Current Behavior

Despite the readout API block being set in the add-on configuration, a Data URI scheme can execute code able to read out (and write) from Canvas.

Steps to Reproduce (for bugs)

Paste this simple fingerprinting code (not very fingerprinting, it's just a concept) in the browser URL bar and it will pop up your fingerprinted id:

data:text/html,<html><head><script>window.onload=showId;function showId(){var CanvaS,ctxS,ciS,S,W,H;var e=0.0;var C=document.createElement("canvas");C.width=400;C.height=400;C.id="canvasS";document.body.appendChild(C);CanvaS=document.getElementById("canvasS");ctxS=CanvaS.getContext("2d");W=CanvaS.width;H=CanvaS.height;ctxS.textBaseline="top";ctxS.font="1.01emOptimer,verdana";ctxS.fillStyle="rgba(255,255,255,1)";ctxS.fillText("Test",0,0);ciS=ctxS.getImageData(0,0,W,H);S=ciS.data;for(var x=0;x<W*H*4;x++){e=e+S[x]*x;}alert("id:"+e);}</script></head></html>

It uses getImageData to elaborate how the text 'Test' is rendered.

Context

I did some research and it seems that Firefox (as well as other browsers) now limits the ways the Data URI scheme can be used.
I tried to use it as an iframe, as a link, as a pop-up window and as an image source, with no success (luckily).
I even tried to use the base64-encoded version (to avoid problems with escaping characters and such):

data:text/html;base64,…

It still works when manually pasting it in the URL bar, but it does not work in any other way I tested.

But here is the problem: at the end I've tested the code in combination with a service that compresses the HTML/JS code and then decompresses it in real time in data:text (the service is https://itty.bitty.site).
And here is the final exploit:

malicious link that can bypass readout blocking

Your Environment

  • CanvasBlocker Version used: 0.4.5c
  • Firefox version: 61.0.1 (64-bit)
  • Operating System and version (desktop): Windows 7 ultimate 64-bit

Your Settings

{
"logLevel": 1,
"urlSettings": [],
"whiteList": "",
"blackList": "",
"blockMode": "blockReadout",
"minFakeSize": 1,
"maxFakeSize": 0,
"rng": "nonPersistent",
"apiWhiteList": {},
"useCanvasCache": true,
"ignoreFrequentColors": 0,
"minColors": 0,
"fakeAlphaChannel": false,
"persistentRndStorage": "",
"storePersistentRnd": false,
"persistentRndClearIntervalValue": 0,
"persistentRndClearIntervalUnit": "days",
"lastPersistentRndClearing": 0,
"askOnlyOnce": "individual",
"askDenyMode": "block",
"showCanvasWhileAsking": true,
"showNotifications": true,
"storeImageForInspection": false,
"notificationDisplayTime": 30,
"ignoreList": "",
"showCallingFile": false,
"showCompleteCallingStack": false,
"enableStackList": false,
"stackList": "",
"displayAdvancedSettings": true,
"displayDescriptions": false,
"isStillDefault": false,
"storageVersion": 0.3
}
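
Added example (not part of the original report and not CanvasBlocker code): a Node.js check that parses a data: URI, plain or base64, and lists the canvas readout APIs referenced by the document it carries, which is the kind of URL the report shows running outside the readout block. The function names and sample URLs are constructed for illustration, and the API list is an assumption about which calls count as readout.

```javascript
// Canvas readout calls to look for (assumed list, chosen for this example).
const READOUT_APIS = ["getImageData", "toDataURL", "toBlob", "readPixels"];
// Media types whose data: documents can run script.
const SCRIPTABLE = ["text/html", "image/svg+xml", "application/xhtml+xml"];

// Parse an RFC 2397 data: URI into media type, base64 flag and decoded body.
// Returns null when the input is not a data: URI.
function parseDataUri(uri) {
  const m = /^data:([^,]*),(.*)$/is.exec(String(uri).trim());
  if (!m) return null;
  const params = m[1].split(";").map((p) => p.trim());
  const isBase64 = params[params.length - 1].toLowerCase() === "base64";
  if (isBase64) params.pop();
  const mediaType = (params[0] || "text/plain").toLowerCase();
  let payload = m[2];
  try {
    payload = decodeURIComponent(payload); // payload may be percent-encoded
  } catch {
    // malformed escape sequence: keep the raw payload
  }
  const body = isBase64
    ? Buffer.from(payload, "base64").toString("utf8")
    : payload;
  return { mediaType, isBase64, body };
}

// Report whether a URL is a scriptable data: document and which
// canvas readout APIs its decoded body references.
function auditUrl(url) {
  const parsed = parseDataUri(url);
  if (!parsed || !SCRIPTABLE.includes(parsed.mediaType)) {
    return { dataDocument: false, readoutApis: [] };
  }
  const readoutApis = READOUT_APIS.filter((api) => parsed.body.includes(api));
  return { dataDocument: true, readoutApis };
}

// Constructed sample inputs (not taken from the report).
const SAMPLE_HTML =
  '<script>var c=document.createElement("canvas");' +
  'c.getContext("2d").getImageData(0,0,1,1);c.toDataURL();</script>';
const SAMPLE_PLAIN = "data:text/html," + SAMPLE_HTML;
const SAMPLE_B64 =
  "DATA:Text/HTML;base64," + Buffer.from(SAMPLE_HTML).toString("base64");

for (const u of [SAMPLE_PLAIN, SAMPLE_B64, "https://example.org/page"]) {
  console.log(u.slice(0, 30), JSON.stringify(auditUrl(u)));
}
```

A link to a service that builds the data: document on the client, as in the itty.bitty.site case above, does not itself parse as a data: URI, so this check only helps when applied to the final document URL.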
