
Question on fingerprint of the local file access API

Open User3409 opened this issue 2 years ago • 6 comments

Description

Fingerprint.com is doing something with the local file API. To me it seemed they would try and recurse through the (virtual) file space and create and delete directories in a sequence. It could measure for maximum length of file names and recursion depth, I am not sure, my browser knowledge is very limited. It seemed to recurse, however, and also perform some binary search on the length of the identifiers it is using.

Is it understood what they are doing? Should local file access API be protected as well?

User3409 avatar Mar 29 '23 16:03 User3409

I have not looked into this. But up to now Firefox does not support window.requestFileSystem which would be required to perform the fingerprinting. So nothing to do for CB here.

Where did you get this information?

kkapsner avatar Apr 07 '23 18:04 kkapsner

You might be correct, but I am not a web developer and it is difficult for me to fully decipher their obfuscated code. It is using navigator.storage, getDirectoryHandle, move, removeEntry. There seems to be a preceding check that could indicate it is targeting WebKit, maybe testing iOS vs macOS..? Testing locally in FF the code fails, but it does so for Safari as well. I read that this API is only available in HTTPS context, which I also do not have available for local testing due to incompetence/missing web experience. This code is part of the stuff they use and that is not in the public GitHub repository component.

User3409 avatar Apr 08 '23 18:04 User3409

OK - looking at these parts of the API I can imagine it retrieving non-obvious information. Not yet quite sure if this is useful information. I would guess the entropy is not that high and will basically determine your operating system and browser. Which is information that is nearly impossible to hide (e.g. the little quirks and specialities in creating an SSL connection in the first place can give away your operating system).

So you "just" looked at the code they are using on their demo site?

kkapsner avatar Apr 08 '23 22:04 kkapsner

Yes, I try to learn from the code. Some things they do seem quite offensive to me. I think there should be some place in GitHub where their stuff is tracked. Regarding the OPFS, if the file system is fully virtualized, I assume one could just fingerprint some implementation properties. Should these files be mapped to actual files on disk (which I read they might be or not), maybe it could leak further data because of MAX_PATH, max directory depth or such, as these would depend on the physical path which could have a user specific prefix.

User3409 avatar Apr 09 '23 08:04 User3409

https://fingerprint.com/blog/incognito-mode-detection/ Here they write about using the File API to detect if a browser is in private mode.

User3409 avatar Nov 29 '23 07:11 User3409

kkapsner, do you think navigator.storage.estimate() could be fingerprint-protected? It leaks HDD size for small-sized systems/VMs.

User3409 avatar Dec 26 '23 19:12 User3409
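
One way protection for `navigator.storage.estimate()` could look, as an added example that is not CanvasBlocker code and not from any participant in this thread: the reported quota is rounded down to a power of two and capped, so many disk sizes share one value. The function names, bucket sizes and sample numbers are assumptions made for illustration.

```javascript
// Added example, not CanvasBlocker code. Bucket sizes are assumed values.
const MiB = 2 ** 20;
const GiB = 2 ** 30;
const QUOTA_CEILING = 64 * GiB; // assumed: every larger quota reports this
const USAGE_STEP = 10 * MiB;    // assumed granularity for reported usage

// Largest power of two <= n (0 for non-positive or non-finite input).
function floorPow2(n) {
  if (!Number.isFinite(n) || n < 1) return 0;
  let p = 1;
  while (p * 2 <= n) p *= 2;
  return p;
}

// Map a real estimate to a coarse one. Quota is rounded DOWN so the page is
// never told it has more room than it does; usage is rounded UP to a step.
// Extra fields some browsers return (e.g. usageDetails) are dropped.
function coarsenEstimate(real) {
  const quota = Math.min(floorPow2(real.quota), QUOTA_CEILING);
  const stepped = Math.ceil(Math.max(real.usage || 0, 0) / USAGE_STEP) * USAGE_STEP;
  return { quota, usage: Math.min(stepped, quota) };
}

// Replace estimate() on a StorageManager-like object with the coarse version.
function protectStorageEstimate(storage) {
  const original = storage.estimate.bind(storage);
  storage.estimate = () => original().then(coarsenEstimate);
  return storage;
}

// Constructed sample values: two small VMs and one large disk.
const samples = [
  { quota: 12e9, usage: 1234567 },
  { quota: 15e9, usage: 0 },
  { quota: 600e9, usage: 5 },
];
for (const s of samples) {
  console.log(s.quota, '->', coarsenEstimate(s));
}
```

The two small constructed quotas collapse to the same 8 GiB bucket, which is the property a defender would check: distinct small disks should no longer produce distinct values.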

Just for cross referencing: #681

kkapsner avatar Mar 29 '24 15:03 kkapsner

In MDN the API is marked as deprecated and I think it will not be implemented in Firefox. So nothing to do for CB.

kkapsner avatar Mar 29 '24 15:03 kkapsner