Javascript Template Attack

fatboy
Fanatic
Posts: 206
Joined: 2017-12-19, 08:03

Javascript Template Attack

Unread post by fatboy » 2019-06-14, 09:17

Good Day Community,

I just stumbled upon this article about how JS is used to aid in fingerprinting, and was wondering how you rate the issue in terms of seriousness. Also, is Pale Moon more resistant to these attacks than other browsers? Is this attack something to be concerned about?

https://www.zdnet.com/article/javascrip ... g-vectors/

Kind Regards,
fatboy

Moonchild
Pale Moon guru
Posts: 24449
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-14, 11:18

Pale Moon is about as susceptible to this as any other browser, for the simple fact that it abuses a widely-used ES6 feature (reflections) to collect properties. Because reflections are widely used, there is also no easy way to mitigate this, considering it is specced and desired behavior.

The upside is that compared to Firefox, there's a lot less to gather from our prototype chains so it falls into a position similar to Chrome that exposes fewer properties than Firefox.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

WilliamK
Fanatic
Posts: 170
Joined: 2018-02-23, 06:51

Re: Javascript Template Attack

Unread post by WilliamK » 2019-06-14, 15:09

The research team said tests showed their method was able to distinguish between all 40 tested environments; distinguish browser down to exact version; determine installed extensions based on how they modified native property values; determine even individual extension settings; determine extremely technical details such as the CPU vendor, actual operating system (not the one declared by user agents, which can be faked); determine the presence of a browser private mode; and even if the browser was running from within a virtual machine.
I doubt if all this can be done with JavaScript and if so, then what happened because it was not like this before. Or are they targeting mobile phones only (amusement devices)?

vannilla
Astronaut
Posts: 618
Joined: 2018-05-05, 13:29

Re: Javascript Template Attack

Unread post by vannilla » 2019-06-14, 15:20

WilliamK wrote:
2019-06-14, 15:09
I doubt if all this can be done with JavaScript and if so, then what happened because it was not like this before. Or are they targeting mobile phones only (amusement devices)?
I've read part of the white paper: they use reflection to collect the values contained in various javascript objects, either built-in (e.g. window) or user-created.
There's then a "pruning" part which removes duplicates and some data considered not important; then they analyse what they gathered, but I didn't read that in detail.
As Moonchild says, it's simply using a feature defined by the standard, and how much data is collected depends on how much data the browser exposes, with a minimum amount as defined by the standard itself (i.e. some properties are always exposed and available to be collected if an implementation wants to be standard-compliant.)
Some browsers expose more data for one reason or another.
Also, with this it's possible to recognize, to some extent, if some "anti-fingerprinting" measure was taken, as comparing the already-collected data with data collected during a fingerprint analysis can show which properties have been tampered with, especially if the tampered value is strange (e.g. because it was randomized.)

therube
Board Warrior
Posts: 1076
Joined: 2018-06-08, 17:02

Re: Javascript Template Attack

Unread post by therube » 2019-06-14, 15:35

(My earlier post was serious, btw. Guess I should have included the ;-).)

Anyhow...

Why such large discrepancies between the Documented & Undocumented Properties?

And I take it that these "properties" are individual points of data that can be queried & values reported back.

Moonchild
Pale Moon guru
Posts: 24449
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-14, 15:47

Ultimately this is no different than what has been done on purpose by websites for a long time already, by e.g. examining different properties of the navigator object to do browser detection. The only difference is that with reflection, it becomes easier to enumerate all properties, including those you didn't know existed before. Even without reflection, you could still gather this data if you use an extensive lookup table, so there really is no way to mitigate this, aside from trying to "hammer shut" all environmental properties that could possibly contain data that can be used for fingerprinting, but that really is a prayer without end. Many of these properties are also required for content-interactive code to function.

Sampei Nihira
Moon lover
Posts: 83
Joined: 2018-04-03, 16:17

Re: Javascript Template Attack

Unread post by Sampei Nihira » 2019-06-14, 16:26

It seems to be based on this old work:

https://github.com/Jumabek/jstemplate

For a good defense, Noscript or eMatrix is sufficient.

Utnapishtim
Moonbather
Posts: 66
Joined: 2018-07-12, 02:42

Re: Javascript Template Attack

Unread post by Utnapishtim » 2019-06-14, 20:09

Sampei Nihira wrote:
2019-06-14, 16:26
For a good defense, Noscript or eMatrix is sufficient.
QFT. Even if you don't block 1st party scripts by default, it's good sense to block scripts and CSS from analytics domains. Simply nothing good ever comes from those places.

F22 Simpilot
Lunatic
Posts: 319
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Javascript Template Attack

Unread post by F22 Simpilot » 2019-06-15, 07:01

Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
If you're that smart and act like a dork, then you're not that smart after all. :geek:

Moonchild
Pale Moon guru
Posts: 24449
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-15, 10:52

F22 Simpilot wrote:
2019-06-15, 07:01
Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
Yes, it can. Presenting different properties to page content is always possible with a proper extension.
But what are you going to target? It's probably simpler just to maintain a blocklist of bad actors and use your favorite adblocker/scriptblocker to block the sources instead of trying to keep up with the intricacies of what properties to poison.

Sampei Nihira
Moon lover
Posts: 83
Joined: 2018-04-03, 16:17

Re: Javascript Template Attack

Unread post by Sampei Nihira » 2019-06-15, 13:43

Even with uBlock Origin, obviously as for other extensions not set to default, it is possible to obtain excellent protection.
Anyone can check whether to use the Medium Blocking Mode:

https://github.com/gorhill/uBlock/wiki/ ... edium-mode

or the Hard Blocking Mode:

https://github.com/gorhill/uBlock/wiki/ ... -hard-mode

F22 Simpilot
Lunatic
Posts: 319
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Javascript Template Attack

Unread post by F22 Simpilot » 2019-06-15, 16:28

Moonchild wrote:
2019-06-15, 10:52
F22 Simpilot wrote:
2019-06-15, 07:01
Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
Yes, it can. Presenting different properties to page content is always possible with a proper extension.
But what are you going to target? It's probably simpler just to maintain a blocklist of bad actors and use your favorite adblocker/scriptblocker to block the sources instead of trying to keep up with the intricacies of what properties to poison.
So I guess I don't understand what the code does. Can't you just poison everything so that no matter what site you come across they get mixed results? Thereby eliminating the need to use a list of bad actors.

Moonchild
Pale Moon guru
Posts: 24449
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-15, 16:39

F22 Simpilot wrote:
2019-06-15, 16:28
Can't you just poison everything so that no matter what site you come across
You can, ... and then you will completely break every framework, script and web application in existence. :)

vannilla
Astronaut
Posts: 618
Joined: 2018-05-05, 13:29

Re: Javascript Template Attack

Unread post by vannilla » 2019-06-15, 21:40

F22 Simpilot wrote:
2019-06-15, 16:28
So I guess I don't understand what the code does. Can't you just poison everything so that no matter what site you come across they get mixed results? Thereby eliminating the need to use a list of bad actors.
This kind of work is able to recognize whether you are using anti-fingerprinting measures and fingerprint you.
This is because poisoning gives unrealistic results when certain properties are analyzed, at least compared to data collected from "untampered" browsers.
Also what Moonchild said.

WilliamK
Fanatic
Posts: 170
Joined: 2018-02-23, 06:51

Re: Javascript Template Attack

Unread post by WilliamK » 2019-06-16, 00:56

I'm a little thick this morning and would appreciate someone spelling out just what the problem is. Ok, so some browser properties are available. Well that is no biggy as the web depends on a modicum of browser info to better serve different visitors.

I recall mention of ALL browsers but wonder which provide more info than others and whether the bulk of its success is mainly with amusement devices like mobile phones. I can imagine Chrome providing more info because that is something that Google would want in their browser to enhance ad profiling. But is it really a problem with Pale Moon?

vannilla
Astronaut
Posts: 618
Joined: 2018-05-05, 13:29

Re: Javascript Template Attack

Unread post by vannilla » 2019-06-16, 01:04

The deal is that the process is automated, so instead of analyzing only a selection of hand-picked properties (taken either from the standard or from experimenting), you can dump all you can get from the browser somewhere and process it, including "hidden" properties and other similar stuff.
The "template" in the name is because attackers can build a "template" out of clean profiles of browsers in a relatively short time, then they compare the template with data they gathered in the wild and infer something out of it.
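
Added illustration (not part of the thread, and not code from the paper or the linked repository): a small sketch of the collect-and-compare idea described above, showing why a spoofed property stands out against a clean template. `collectTemplate`, `diffTemplates` and `FakeNavigator` are hypothetical names, and constructed objects stand in for real browser objects so the block runs under Node; only the shape of accessors is recorded, getters are not invoked.

```javascript
// Walk own keys and the prototype chain via reflection, one entry per property.
function collectTemplate(root, name = 'root', maxDepth = 4) {
  const template = new Map();
  const seen = new Set();
  const walk = (obj, path, depth) => {
    if (obj === null || typeof obj !== 'object' || seen.has(obj) || depth > maxDepth) return;
    seen.add(obj);
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Reflect.getOwnPropertyDescriptor(obj, key);
      const p = `${path}.${String(key)}`;
      if (!('value' in desc)) { template.set(p, 'accessor'); continue; }
      const v = desc.value;
      const isRef = v !== null && (typeof v === 'object' || typeof v === 'function');
      template.set(p, isRef ? typeof v : `${typeof v}:${String(v)}`);
      walk(v, p, depth + 1);
    }
    const proto = Reflect.getPrototypeOf(obj);
    if (proto !== Object.prototype) walk(proto, `${path}.__proto__`, depth + 1);
  };
  walk(root, name, 0);
  return template;
}

// Compare an observed profile against a clean baseline template.
function diffTemplates(baseline, observed) {
  const diff = { added: [], removed: [], changed: [] };
  for (const [p, v] of observed) {
    if (!baseline.has(p)) diff.added.push(p);
    else if (baseline.get(p) !== v) diff.changed.push(p);
  }
  for (const p of baseline.keys()) if (!observed.has(p)) diff.removed.push(p);
  return diff;
}

// Constructed stand-in for a navigator-like object (values are made up).
class FakeNavigator {
  get platform() { return 'Linux x86_64'; }
  get hardwareConcurrency() { return 8; }
}
function makeClean() { return new FakeNavigator(); }
function makePoisoned() {
  const nav = new FakeNavigator();
  // A naive spoof: shadow the prototype getter with an own data property.
  Object.defineProperty(nav, 'platform', { value: 'Win32', configurable: true });
  return nav;
}

const result = diffTemplates(collectTemplate(makeClean(), 'navigator'),
                             collectTemplate(makePoisoned(), 'navigator'));
console.log(result);
```

The spoofed value itself is plausible, but the property now lives on the instance as a data property instead of on the prototype as a getter, and that structural difference is what the comparison reports.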
