Javascript Template Attack

Unread post by fatboy » 2019-06-14, 09:17

Good Day Community,

I just stumbled upon this article about how JS is used to aid in fingerprinting, and was wondering how you rate the issue in terms of seriousness. Also, is Pale Moon more resistant to these attacks than other browsers? Is this attack something to be concerned about?

https://www.zdnet.com/article/javascrip ... g-vectors/

Kind Regards,
fatboy
Systemd Free - MX Linux, Antix Linux & Artix Linux

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-14, 11:18

Pale Moon is about as susceptible to this as any other browser, for the simple fact that it abuses a widely-used ES6 feature (reflections) to collect properties. Because reflections are widely used, there is also no easy way to mitigate this, considering it is specced and desired behavior.

The upside is that compared to Firefox, there's a lot less to gather from our prototype chains so it falls into a position similar to Chrome that exposes fewer properties than Firefox.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Re: Javascript Template Attack

Unread post by Pelican » 2019-06-14, 15:09

The research team said tests showed their method was able to distinguish between all 40 tested environments; distinguish browser down to exact version; determine installed extensions based on how they modified native property values; determine even individual extension settings; determine extremely technical details such as the CPU vendor, actual operating system (not the one declared by user agents, which can be faked); determine the presence of a browser private mode; and even if the browser was running from within a virtual machine.
I doubt if all this can be done with JavaScript and if so, then what happened because it was not like this before. Or are they targeting mobile phones only (amusement devices)?

Re: Javascript Template Attack

Unread post by vannilla » 2019-06-14, 15:20

WilliamK wrote:
2019-06-14, 15:09
I doubt if all this can be done with JavaScript and if so, then what happened because it was not like this before. Or are they targeting mobile phones only (amusement devices)?
I've read part of the white paper: they use reflection to collect the values contained in various javascript objects, either built-in (e.g. window) or user-created.
There's then a part of "pruning" which removes duplicates and some data considered not important; then they do analysis on what they gathered, but I didn't read in detail.
As Moonchild says, it's simply using a feature defined by the standard, and how much data is collected depends on how much data the browser exposes, with a minimum amount as defined by the standard itself (i.e. some properties are always exposed and available to be collected if an implementation wants to be standard-compliant.)
Some browsers expose more data for one reason or another.
Also, with this it's possible to recognize if some "anti-fingerprinting" measure was taken to some extent, as comparing the already-collected data with data collected during a fingerprint analysis can show which properties have been tampered with, especially if the tampered value is strange (e.g. because it was randomized.)

Re: Javascript Template Attack

Unread post by therube » 2019-06-14, 15:35

(My earlier post was serious, btw. Guess I should have included the ;-).)

Anyhow...

Why such large discrepancies between the Documented & Undocumented Properties?

And I take it that these "properties" are individual points of data that can be queried & values reported back.

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-14, 15:47

Ultimately this is no different than what has been done on purpose by websites for a long time already, by e.g. examining different properties of the navigator object to do browser detection. The only difference is that with reflection, it becomes easier to enumerate all properties, including those you didn't know existed before. Even without reflection, you could still gather this data if you use an extensive lookup table, so there really is no way to mitigate this, aside from trying to "hammer shut" all environmental properties that could possibly contain data that can be used for fingerprinting, but that really is a prayer without end. Many of these properties are also required for content-interactive code to function.

Re: Javascript Template Attack

Unread post by Sampei Nihira » 2019-06-14, 16:26

It seems to be based on this old work:

https://github.com/Jumabek/jstemplate

For a good defense, Noscript or eMatrix is sufficient.

Re: Javascript Template Attack

Unread post by Utnapishtim » 2019-06-14, 20:09

Sampei Nihira wrote:
2019-06-14, 16:26
For a good defense, Noscript or eMatrix is sufficient.
QFT. Even if you don't block 1st party scripts by default, it's good sense to block scripts and CSS from analytics domains. Simply nothing good ever comes from those places.

Re: Javascript Template Attack

Unread post by John connor » 2019-06-15, 07:01

Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-15, 10:52

F22 Simpilot wrote:
2019-06-15, 07:01
Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
Yes, it can. Presenting different properties to page content is always possible with a proper extension.
But what are you going to target? It's probably simpler just to maintain a blocklist of bad actors and use your favorite adblocker/scriptblocker to block the sources instead of trying to keep up with the intricacies of what properties to poison.

Re: Javascript Template Attack

Unread post by Sampei Nihira » 2019-06-15, 13:43

Even with uBlock Origin, obviously as for other extensions not set to default, it is possible to obtain excellent protection.
Anyone can check whether to use the Medium Blocking Mode:

https://github.com/gorhill/uBlock/wiki/ ... edium-mode

or the Hard Blocking Mode:

https://github.com/gorhill/uBlock/wiki/ ... -hard-mode

Re: Javascript Template Attack

Unread post by John connor » 2019-06-15, 16:28

Moonchild wrote:
2019-06-15, 10:52
F22 Simpilot wrote:
2019-06-15, 07:01
Can an add-on be created to poison what the websites pull using this reflection crap? Like make it look like you're using some other type of system, etc?
Yes, it can. Presenting different properties to page content is always possible with a proper extension.
But what are you going to target? It's probably simpler just to maintain a blocklist of bad actors and use your favorite adblocker/scriptblocker to block the sources instead of trying to keep up with the intricacies of what properties to poison.
So I guess I don't understand what the code does. Can't you just poison everything so that no matter what site you come across they get mixed results? Thereby eliminating the need to use a list of bad actors.

Re: Javascript Template Attack

Unread post by Moonchild » 2019-06-15, 16:39

F22 Simpilot wrote:
2019-06-15, 16:28
Can't you just poison everything so that no matter what site you come across
You can, ... and then you will completely break every framework, script and web application in existence. :)

Re: Javascript Template Attack

Unread post by vannilla » 2019-06-15, 21:40

F22 Simpilot wrote:
2019-06-15, 16:28
So I guess I don't understand what the code does. Can't you just poison everything so that no matter what site you come across they get mixed results? Thereby eliminating the need to use a list of bad actors.
This kind of work is able to recognize whether you are using anti-fingerprinting measures and fingerprint you.
This is because poisoning gives unrealistic results when certain properties are analyzed, at least compared to data collected from "untampered" browsers.
Also what Moonchild said.

Re: Javascript Template Attack

Unread post by Pelican » 2019-06-16, 00:56

I'm a little thick this morning and would appreciate someone spelling out just what the problem is. Ok, so some browser properties are available. Well that is no biggy as the web depends on a modicum of browser info to better serve different visitors.

I recall mention of ALL browsers but wonder which provide more info than others and whether the bulk of its success is mainly with amusement devices like mobile phones. I can imagine Chrome providing more info because that is something that Google would want in their browser to enhance ad profiling. But is it really a problem with Pale Moon?

Re: Javascript Template Attack

Unread post by vannilla » 2019-06-16, 01:04

The deal is that the process is automated, so instead of analyzing only a selection of hand-picked properties (taken either from the standard or from experimenting), you can dump all you can get from the browser somewhere and process it, including "hidden" properties and other similar stuff.
The "template" in the name is because attackers can build a "template" out of clean profiles of browsers in a relatively short time, then they compare the template with data they gathered in the wild and infer something out of it.
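
The reflection-and-compare process described in the posts above, turned around as a way to audit what a spoofing extension changes in your own environment. This is an added example, not part of the thread or the white paper; `FakeNavigator`, `collectTemplate`, `diffTemplates` and `auditDemo` are hypothetical names, and the objects are constructed so the code runs outside a browser.

```javascript
// Added example. FakeNavigator is a constructed stand-in for a browser object.

// Walk an object and its prototype chain with reflection. Each property gets a
// signature: depth in the chain | getter or data type | current value.
function collectTemplate(root, name) {
  const template = new Map();
  let depth = 0;
  for (let obj = root; obj && obj !== Object.prototype; obj = Object.getPrototypeOf(obj)) {
    for (const key of Reflect.ownKeys(obj)) {
      const path = `${name}.${String(key)}`;
      if (template.has(path)) continue; // already recorded nearer the instance
      const desc = Reflect.getOwnPropertyDescriptor(obj, key);
      const kind = desc.get ? 'getter' : typeof desc.value;
      let value;
      try { value = desc.get ? desc.get.call(root) : desc.value; } catch (e) { value = '<throws>'; }
      const shown = typeof value === 'function' ? 'function' : String(value);
      template.set(path, `${depth}|${kind}|${shown}`);
    }
    depth++;
  }
  return template;
}

// Compare an observed profile with a clean baseline template.
function diffTemplates(baseline, observed) {
  const diff = { added: [], removed: [], changed: [] };
  for (const [path, sig] of observed) {
    if (!baseline.has(path)) diff.added.push(path);
    else if (baseline.get(path) !== sig) diff.changed.push(path);
  }
  for (const path of baseline.keys()) if (!observed.has(path)) diff.removed.push(path);
  return diff;
}

class FakeNavigator { // constructed sample: properties are prototype getters
  get userAgent() { return 'ExampleBrowser/1.0'; }
  get platform() { return 'ExampleOS'; }
  get hardwareConcurrency() { return 4; }
}

function auditDemo() {
  const clean = new FakeNavigator();
  const spoofed = new FakeNavigator();
  // Simulated "poisoning": values overridden directly on the instance.
  Object.defineProperty(spoofed, 'userAgent', { value: 'OtherBrowser/9.9' });
  Object.defineProperty(spoofed, 'platform', { value: 'ExampleOS' }); // same value, new location
  spoofed.__extHook = true; // helper property left behind
  return diffTemplates(collectTemplate(clean, 'nav'), collectTemplate(spoofed, 'nav'));
}

console.log(auditDemo());
```

`platform` is reported as changed even though its value is identical, because it moved from a prototype getter to an own data property; this is the kind of inconsistency that makes poisoned properties stand out against a clean template.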
