Javascript Template Attack
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
Javascript Template Attack
Good Day Community,
I just stumbled upon this article about how JS is used to aid in fingerprinting, and was wondering how you rate the issue in terms of seriousness. Also, is Pale Moon more resistant to these attacks than other browsers? Is this attack something to be concerned about?
https://www.zdnet.com/article/javascrip ... g-vectors/
Kind Regards,
fatboy
Systemd Free - MX Linux, Antix Linux & Artix Linux
Re: Javascript Template Attack
Pale Moon is about as susceptible to this as any other browser, for the simple fact that it abuses a widely-used ES6 feature (reflections) to collect properties. Because reflections are widely used, there is also no easy way to mitigate this, considering it is specced and desired behavior.
The upside is that compared to Firefox, there's a lot less to gather from our prototype chains so it falls into a position similar to Chrome that exposes fewer properties than Firefox.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Javascript Template Attack
> The research team said tests showed their method was able to distinguish between all 40 tested environments; distinguish browser down to exact version; determine installed extensions based on how they modified native property values; determine even individual extension settings; determine extremely technical details such as the CPU vendor, actual operating system (not the one declared by user agents, which can be faked); determine the presence of a browser private mode; and even if the browser was running from within a virtual machine.
I doubt if all this can be done with JavaScript and if so, then what happened because it was not like this before. Or are they targeting mobile phones only (amusement devices)?
Re: Javascript Template Attack
I've read part of the white paper: they use reflection to collect the values contained in various javascript objects, either built-in (e.g. window) or user-created.
There's then a part of "pruning" which removes duplicates and some data considered not important; then they analyse what they gathered, but I didn't read in detail.
As Moonchild says, it's simply using a feature defined by the standard, and how much data is collected depends on how much data the browser exposes, with a minimum amount as defined by the standard itself (i.e. some properties are always exposed and available to be collected if an implementation wants to be standard-compliant.)
Some browsers expose more data for one reason or another.
Also, with this it's possible to recognize if some "anti-fingerprinting" measure was taken to some extent, as comparing the already-collected data with data collected during a fingerprint analysis can show which properties have been tampered with, especially if the tampered value is strange (e.g. because it was randomized).
Re: Javascript Template Attack
(My earlier post was serious, btw. Guess I should have included the .)
Anyhow...
Why such the large discrepancies between the Documented & Undocumented Properties?
And I take it that these "properties" are individual points of data that can be queried & values reported back.
Re: Javascript Template Attack
Ultimately this is no different than what has been done on purpose by websites for a long time already, by e.g. examining different properties of the navigator object to do browser detection. The only difference is that with reflection, it becomes easier to enumerate all properties, including those you didn't know existed before. Even without reflection, you could still gather this data if you use an extensive lookup table, so there really is no way to mitigate this, aside from trying to "hammer shut" all environmental properties that could possibly contain data that can be used for fingerprinting, but that really is a prayer without end. Many of these properties are also required for content-interactive code to function.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Javascript Template Attack
It seems to be based on this old work:
https://github.com/Jumabek/jstemplate
For a good defense, Noscript or eMatrix is sufficient.
- Utnapishtim
Re: Javascript Template Attack
QFT. Even if you don't block 1st party scripts by default, it's good sense to block scripts and CSS from analytics domains. Simply nothing good ever comes from those places.
Re: Javascript Template Attack
Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
Re: Javascript Template Attack
> F22 Simpilot wrote: ↑2019-06-15, 07:01
> Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
Yes, it can. Presenting different properties to page content is always possible with a proper extension.
But what are you going to target? It's probably simpler just to maintain a blocklist of bad actors and use your favorite adblocker/scriptblocker to block the sources instead of trying to keep up with the intricacies of what properties to poison.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Javascript Template Attack
Even with uBlock Origin, obviously as for other extensions not set to default, it is possible to obtain excellent protection.
Anyone can check whether to use the Medium Blocking Mode:
https://github.com/gorhill/uBlock/wiki/ ... edium-mode
or the Hard Blocking Mode:
https://github.com/gorhill/uBlock/wiki/ ... -hard-mode
Re: Javascript Template Attack
> Moonchild wrote: ↑2019-06-15, 10:52
> > F22 Simpilot wrote: ↑2019-06-15, 07:01
> > Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
> Yes, it can. Presenting different properties to page content is always possible with a proper extension.
> But what are you going to target? It's probably simpler just to maintain a blocklist of bad actors and use your favorite adblocker/scriptblocker to block the sources instead of trying to keep up with the intricacies of what properties to poison.
So I guess I don't understand what the code does. Can't you just poison everything so that no matter what site you come across they get mixed results? Thereby eliminating the need to use a list of bad actors.
Re: Javascript Template Attack
> F22 Simpilot wrote: ↑2019-06-15, 16:28
> Can't you just poison everything so that no matter what site you come across
You can, ... and then you will completely break every framework, script and web application in existence.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Javascript Template Attack
> F22 Simpilot wrote: ↑2019-06-15, 16:28
> So I guess I don't understand what the code does. Can't you just poison everything so that no matter what site you come across they get mixed results? Thereby eliminating the need to use a list of bad actors.
This kind of work is able to recognize whether you are using anti-fingerprinting measures and fingerprint you.
This is because poisoning gives unrealistic results when certain properties are analyzed, at least compared to data collected from "untampered" browsers.
Also what Moonchild said.
Re: Javascript Template Attack
I'm a little thick this morning and would appreciate someone spelling out just what the problem is. Ok, so some browser properties are available. Well that is no biggy as the web depends on a modicum of browser info to better serve different visitors.
I recall mention of ALL browsers but wonder which provide more info than others and whether the bulk of its success is mainly with amusement devices like mobile phones. I can imagine Chrome providing more info because that is something that Google would want in their browser to enhance ad profiling. But is it really a problem with Pale Moon?
Re: Javascript Template Attack
The deal is that the process is automated, so instead of analyzing only a selection of hand-picked properties (taken either from the standard or from experimenting), you can dump all you can get from the browser somewhere and process it, including "hidden" properties and other similar stuff.
The "template" in the name is because attackers can build a "template" out of clean profiles of browsers in a relatively short time, then they compare the template with data they gathered in the wild and infer something out of it.
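Added example, not part of the thread and not the researchers' code: it illustrates the points made in the posts above that reflection can dump every reachable property into a "template", and that a spoofed property stands out when compared against a clean template. It is written for auditing what your own profile or an extension changes; `buildTemplate`, `diffTemplates`, `mockEnv`, `demo` and all sample values are hypothetical names and constructed data, and it runs under Node.js without a browser.

```javascript
// Record, per property path, where it lives on the prototype chain (level),
// whether it is a data property or an accessor, and its type/value.
function buildTemplate(root, name, maxDepth = 3) {
  const template = new Map();
  const seen = new WeakSet();
  const visit = (obj, path, depth) => {
    if (obj === null || typeof obj !== 'object' || seen.has(obj) || depth > maxDepth) return;
    seen.add(obj);
    let level = 0;
    for (let o = obj; o && o !== Object.prototype; o = Reflect.getPrototypeOf(o), level++) {
      for (const key of Reflect.ownKeys(o)) {
        const p = `${path}.${String(key)}`;
        if (template.has(p)) continue; // shadowed by a property nearer the object
        const kind = 'get' in Reflect.getOwnPropertyDescriptor(o, key) ? 'accessor' : 'data';
        let value;
        try { value = Reflect.get(o, key, obj); } catch (e) { value = `throws ${e.name}`; }
        const t = typeof value;
        const shown = t === 'object' || t === 'function' ? '' : `:${String(value)}`;
        template.set(p, `${kind}@${level} ${t}${shown}`);
        visit(value, p, depth + 1);
      }
    }
  };
  visit(root, name, 0);
  return template;
}
// Compare an observed template with a clean baseline.
function diffTemplates(baseline, observed) {
  const report = { missing: [], added: [], changed: [] };
  for (const [p, sig] of baseline) {
    if (!observed.has(p)) report.missing.push(p);
    else if (observed.get(p) !== sig) report.changed.push(p);
  }
  for (const p of observed.keys()) if (!baseline.has(p)) report.added.push(p);
  return report;
}
// Constructed mock of a clean environment object (not a real browser API).
function mockEnv() {
  const proto = { get platform() { return 'Linux x86_64'; }, hardwareConcurrency: 4 };
  const env = Object.create(proto);
  env.plugins = { length: 2 };
  return env;
}
// Constructed spoofing extension: shadows a native getter and adds a marker.
function demo(spoofedPlatform = 'Win32') {
  const tampered = mockEnv();
  Object.defineProperty(tampered, 'platform', { value: spoofedPlatform });
  tampered.__spoofed = true;
  return diffTemplates(buildTemplate(mockEnv(), 'env'), buildTemplate(tampered, 'env'));
}
```

Calling `demo('Linux x86_64')` still reports `env.platform` as changed, because the override turns an inherited accessor into an own data property even when the reported value is realistic.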