
Two New Ways To Exploit A Fixed Browser Fingerprinting Flaw

BSides Munich · 2019 · 25:24 · 212 views · Published 2019-03
Category: Technical
Style: Talk

Transcript [en]

[...] who has already discovered two bugs in the fingerprinting of web browsers, and he will be discussing the vulnerabilities that he has found, what the fixes are, and the bypasses that he found for those fixes as well. So over to you.

Okay, thank you so much. Hi everyone, good morning. My name is Xiaoyin Liu and I come from China. Today I'm happy to come here to BSides so that I can share with you some of my findings in information security.

First of all, a brief introduction to myself. I'm an independent researcher. I graduated from the University of North Carolina at Chapel Hill in the United States, where I studied mathematics and computer science. I have been acknowledged by Microsoft, Google, Mozilla, the Tor Project and many more for the vulnerabilities that I've found in their products. My areas of interest include Windows internals and web browsers, and I also like to do source code auditing in C and C++.

Here's the outline of my talk today. First I'll tell you what fingerprinting issues in web browsers are, then we'll focus on one specific fingerprinting issue, which is called the Sniffly attack. Then I will talk about two bypasses that I found for the patch, and then the takeaways. Finally I will share with you another vulnerability in Microsoft Edge, which is CVE-2017-0135.

First of all I'd like to talk about what browser fingerprinting issues are. Fingerprinting issues refer to flaws in web browsers that allow websites to track users, or allow them to learn some private information about users, like browsing history. So browser fingerprinting is primarily a privacy issue, but unfortunately many browser vendors don't think fingerprinting issues are security issues, so they are not likely to fix them in a quick manner, unless you use Tor Browser, which is designed to protect your privacy. So if you like privacy, I encourage you to use Tor Browser a lot. Some examples of fingerprinting issues in the past include the HSTS supercookie issue and the CSS :visited issue, but today I'll just be talking about the Sniffly attack. The Sniffly attack was discovered by Yan Zhu in 2015. This attack uses HSTS, HTTP redirects and Content Security Policy to track users' browsing history. This vulnerability was assigned CVE-2016-1617.

Before I talk about Sniffly, let's briefly review what HSTS and Content Security Policy are. HSTS is HTTP Strict Transport Security. It is a browser security feature that allows websites to enforce HTTPS for all connections to their server, so there will be no plaintext HTTP connection to domains that have enabled HSTS. This policy is delivered by an HTTP header; you can see it on the first line of the slide, the Strict-Transport-Security header. Next is Content Security Policy. CSP is another security feature in web browsers that was designed to mitigate cross-site scripting attacks. The second line is a Content-Security-Policy header; it's also an HTTP header, sent by the web server to tell clients the security policy. This means that even if there's a cross-site scripting vulnerability on the web page, it's harder for attackers to exploit it, because you can only connect to the same domain, which is 'self', and also www.example.com, so you cannot load scripts from other domains, including the attacker's domain. More recently CSP is also used to deliver some other security features like upgrade-insecure-requests, but that's not quite related to the Sniffly attack.

Next, let's talk about how Sniffly works. Sniffly is actually quite simple, because it's just an image tag. It starts from an image tag like this, so you can see the URL here is http://example.com. You cannot just check an arbitrary URL and see if the user has visited it, but if you know that example.com is either an HSTS domain or is already redirected from HTTP to HTTPS, then you can use that URL in your image tag. If the user has never visited this URL, this is what happens: the first time the browser tries to fetch this URL, the first request is to http://example.com. This request is sent to the server, and the server replies with a redirect to the browser, which is Location: https://..., and then the browser will send the HTTPS request to the server and you get back the web page. But if you have visited this URL, this is what happens: the redirect is also cached in the browser, so the first request is an in-browser internal redirect, and then the second request goes to the server and you get back the response. The redirect is usually cached because, as I just said, HSTS is saved in the browser, and a 301 redirect is usually cacheable. So if we want to know if the user has visited this URL, what you can do is time how long it takes for the redirect to happen; then you can know if it's an in-browser redirect or a network redirect.

But in order to do that, it's necessary to block the HTTPS request to the server, because usually when you have a redirect, the browser will automatically follow the redirect, and then you can only time the entire time for the two requests. Here we only need to time the first request, which is the redirect part, so we have to find a way to block the second request, which is the key of the Sniffly attack. So how does it work? We use Content Security Policy to block the HTTPS request. You can see here is a header, img-src http://www.example.com. This means you can only load from http://www.example.com, not https://www.example.com. So in such a case the CSP is violated, the browser reports the violation, and the image's error event is fired. Here we measure how long the CSP violation took: if the error event is fired within 10 milliseconds, then we know it's an in-browser redirect; otherwise it's a network redirect, which means the URL has never been visited.

And here's a code snippet of the patch. You can see that they changed the scheme matching, so if the scheme of the CSP source is HTTP, it now matches both HTTP and HTTPS. Similarly for WebSocket: ws now also matches wss. So now the same CSP header, img-src http://www.example.com, matches both http://www.example.com and https://www.example.com. This means we can no longer exploit the Sniffly attack, because now you cannot use this header to block the HTTPS request.

Next, how I bypassed it. I realized that the code only considers the protocol part, not the port part. So let's consider this Content Security Policy instead: basically I add the port number 80 to the URL, and now the question is, does this one match https://www.example.com? It turns out this CSP matches http://www.example.com with port 80, but it does not match https://www.example.com with port 443, which is the port for HTTPS. This means we can use this Content Security Policy to block the HTTPS request, and once we can do that, we can exploit Sniffly again. This is just a very small change, and it just works. I found that both Google Chrome and Firefox were vulnerable to this bypass, and I reported to both bug trackers; both tickets are up here. They also assigned CVEs, one for each browser, and Google gave me $1,000 for the bounty. Here's the patch: you can see here, if the port is 80, it now also matches 443. And not only did they change the code, they also changed the CSP specification to mention the fix. You can see that they added a check to remind people of that.

Okay, so that was the first bypass. Now I was wondering whether there were others, and it turns out yes. So far we have used Content Security Policy to block the HTTPS request, but are there any other ways to achieve the same effect? Actually yes. I found that we can use the Fetch API to do that. So what is Fetch? The Fetch API is a quite new JavaScript API that allows you to retrieve a URL, and the very cool thing about the Fetch API is that it allows you to customize the request. One of the features is the redirect mode. There are three modes: follow, error, or manual. Follow is the normal one, where you get the final response after following all the redirects. But here what we need is the manual redirect mode. The manual redirect mode allows you to handle the redirect manually, which basically means you get a callback whenever a redirect happens, which is exactly what we need for the Sniffly attack. On the other side, we don't even need to block HTTPS; we can just get the callback when the redirect response is received. The code is very similar: I set the redirect mode to manual, and then I can just check the response. If the response status is 301, then it's a redirect response, and I can just stop the timer here. If the interval is less than 10 milliseconds, it's visited, and otherwise it is not.

I reported this, and it stayed unfixed for a while, for two years. Finally, I recently found that it was fixed silently: Chrome updated the Fetch implementation so that no-cors mode cannot be used together with redirect: manual, which means I can no longer handle the redirect if it's a cross-origin request, which is basically what we try to exploit in the Sniffly attack.

So these are the takeaways from my experience with the two bypasses: basically I just want to encourage you to read reports on the bug trackers, and if you understand them and implement your own PoC, maybe you can even find some easy bypasses from that.

Okay, now I will talk about another vulnerability to show that it's really useful to read other people's reports. This is CVE-2017-0135. For this one I got the inspiration from the paper "Abusing Internet Explorer 8's XSS Filters" written by Eduardo Vela and David Lindsay. First of all, the paper tells me how the XSS filter works. Basically the XSS filter is used to mitigate reflected cross-site scripting attacks. It checks if any URL parameter seems to be a cross-site scripting payload. For example, for this URL the id parameter is a script tag, so you know this can potentially be a cross-site scripting payload. Then the filter checks if the HTML source contains the same string; if it's the same string, it changes the script tag to sc#ript, so basically this script is just disabled. But what if it's not a reflected cross-site scripting, but an actual JS script loaded in the HTML source? For example, what if this page tries to load jquery.js? Then I can give it this URL, adding the script tag in the URL, and now what happens is the browser thinks this is a cross-site scripting attack, because this substring is also contained in the HTML file. So the filter changes the script tag to sc#ript, and then the page just won't load jQuery. Notice that in the original paper this thing is pretty harmless, because it just looks like jQuery doesn't exist, as if it failed for some other reason like a network issue; that's what the original paper says.

What I found is that it is really harmful, because I can abuse the XSS filter to disable CSP. As I just said, CSP can be delivered via an HTTP header, but it can also be delivered by a meta tag; this is a meta tag that sets the Content Security Policy. What I'm doing here is that I add this whole tag to the URL. As I just said for the jQuery example, the filter also thinks this meta tag is a cross-site scripting payload because it is reflected in the HTML, and what it does is change the meta tag to me#ta, which means this tag is disabled. So I created a very simple, vulnerable web page: I just add the meta tag in the page, and then here's a script with alert. If this Content Security Policy is enforced, there should be no alert, because this is an inline script and it only allows 'self' scripts. But if the Content Security Policy is disabled by the filter, this alert will show up. And it turns out, if I visit this URL, this is what happens: this is a pop-up shown by Microsoft Edge, which means we got a vulnerability in Edge. I reported it to Microsoft in summer 2016; it was fixed in March 2017, and the bounty was $1,500. Microsoft recently removed the XSS filter entirely from Edge, in 2018, because there are many other ways to abuse the XSS filter, and it also incurs a performance cost, so they just decided to remove it.

And here are the references for my talk. Okay.

Q: Just one question: how much time did it take you to find these? How much work?

A: Last time, I read the report, and the first thing I tried was to add a port to the URL, and it just worked, actually. It was very surprising to me. So it took me basically less than an hour to find the second bypass. Similarly for the XSS filter, it's also about one or two hours, I think.

Q: If you only research for one or two hours, what are you doing on your daily basis then?

A: I really like to research the Windows internals, and I read reports on bounty programs a lot, and I contribute to...

Q: How many bugs did you find?

A: Not many, like twenty. There are a lot of private bounty programs that invite me to go find bugs like that.

Q: So you spend a lot of your time reading reports?

A: Yeah, reading reports, that's where I spend most of it. Okay.

Q: So these bugs were from 2016. What are you looking into now?

A: I also study web browsers recently, and I also found some, like there are two vulnerabilities that I've found that are not fixed yet, in Google Chrome, something like that.

Q: So you found something in 2018-19, it's just not in today's talk?

A: Yeah.

Q: Do you have a chance to, you know, how does the community in China generally work? Do you work alone, or do you also like to work with others?

A: I basically work alone; I just work at home. There was a community in China in about 2013 to 2015, a community called WooYun, but it was shut down by the government. Other than that, there are no communities that I know of.

Okay, if we don't have any more questions on the recording, then thank you very much.
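The port-matching bypass described in the talk is easiest to see with the three states of the CSP source matcher side by side. The following is an editor-added example, not code from the talk, from Chromium, from Firefox or from the CSP specification: a simplified source-expression matcher (host compared literally, paths and wildcards ignored) with a `stage` switch for the original exact-scheme matching, the first patch that merged http/https and ws/wss without touching the port, and the later fix that lets an explicit `:80` on an `http:` expression match `:443` on an `https:` URL. The function and stage names are ours, and `www.example.com` is a constructed host.

```javascript
// Editor-added example: simplified CSP source-expression matching, modelled on the
// three states of the Sniffly fix described in the talk. Not browser code.
//   'pre-merge' : scheme must match exactly      -> img-src http://h blocks https://h (Sniffly works)
//   'merged'    : http matches https, ws matches wss, port not revisited -> ":80" bypass works
//   'fixed'     : an explicit :80 on an http: expression also matches :443 on an https: URL
const DEFAULT_PORT = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Parse "scheme://host[:port][/path]" (wildcards and path matching are out of scope here).
function parseSourceExpression(expr) {
  const m = /^([a-z]+):\/\/([^:/]+)(?::(\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1].toLowerCase() + ':', host: m[2].toLowerCase(), port: m[3] ? Number(m[3]) : null };
}

function schemeMatches(exprScheme, urlScheme, stage) {
  if (exprScheme === urlScheme) return true;
  if (stage === 'pre-merge') return false;            // original behaviour: no upgrade allowed
  return (exprScheme === 'http:' && urlScheme === 'https:') ||
         (exprScheme === 'ws:' && urlScheme === 'wss:'); // the merge: secure upgrades match
}

function portMatches(exprPort, url, stage) {
  const urlPort = url.port ? Number(url.port) : DEFAULT_PORT[url.protocol];
  // No port in the expression: the URL must sit on the default port of *its own* scheme,
  // so https://www.example.com (443) still matches "http://www.example.com" after the merge.
  if (exprPort === null) return urlPort === DEFAULT_PORT[url.protocol];
  if (exprPort === urlPort) return true;
  // The bypass: "http://www.example.com:80" vs https on 443. Only the later fix accepts this.
  if (stage !== 'fixed') return false;
  return exprPort === 80 && urlPort === 443 && url.protocol === 'https:';
}

// Does a single source expression (e.g. from img-src) allow this URL?
function sourceAllows(expr, urlString, stage) {
  const src = parseSourceExpression(expr);
  const url = new URL(urlString);
  return schemeMatches(src.scheme, url.protocol, stage) &&
         src.host === url.hostname &&
         portMatches(src.port, url, stage);
}

// Sniffly only works if the HTTPS leg of the redirect is blocked, so that the timer
// measures just the redirect. Returns the verdict, or null when the policy lets the
// HTTPS request through and the measurement is therefore meaningless.
function snifflyVerdict(policySource, targetHttpsUrl, stage, redirectMs, thresholdMs = 10) {
  if (sourceAllows(policySource, targetHttpsUrl, stage)) return null;
  return redirectMs < thresholdMs ? 'visited (in-browser redirect)'
                                  : 'not visited (network redirect)';
}

const TARGET = 'https://www.example.com/pixel.png';   // constructed, not a real probe target
console.log(snifflyVerdict('http://www.example.com', TARGET, 'merged', 3));     // null
console.log(snifflyVerdict('http://www.example.com:80', TARGET, 'merged', 3));  // visited
console.log(snifflyVerdict('http://www.example.com:80', TARGET, 'fixed', 3));   // null
```

Running it shows the progression the talk describes: after the merge the port-less policy no longer blocks the HTTPS leg, the `:80` policy does again, and the final fix closes that too. Note the asymmetry kept from the spec: an `https:` expression never matches an `http:` URL in any stage, because the merge only allows secure upgrades.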
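The Edge bug (CVE-2017-0135) described in the talk comes down to a reflective XSS filter neutering any tag that appears both in the URL and in the response, including the page's own `<meta http-equiv="Content-Security-Policy">`. The following is an editor-added model of that logic, not Edge's code and not the speaker's proof of concept: a toy filter that rewrites reflected tags the way the talk describes (`script` to `sc#ript`, `meta` to `me#ta`), a check for whether the meta-delivered policy survived, and a check for whether an inline script would then run. The victim page, URLs and function names are constructed for the example.

```javascript
// Editor-added example: toy model of a reflective XSS filter that can be turned
// against a meta-delivered CSP, as described in the talk. Not Edge's implementation.
const TAG_RE = /<[a-zA-Z][^>]*>/g;

// Neuter a tag the way the talk describes: "<script" -> "<sc#ript", "<meta" -> "<me#ta".
function neuterTag(tag) {
  return tag.replace(/^<([a-zA-Z]{2})/, '<$1#');
}

// Model of the filter: any tag-like substring of a query parameter that also appears
// verbatim in the response body is treated as a reflected payload and neutered there.
// The filter does not know whether the tag was injected or was always part of the page.
function applyXssFilter(requestUrl, responseHtml) {
  const url = new URL(requestUrl);
  let html = responseHtml;
  for (const [, value] of url.searchParams) {
    for (const tag of value.match(TAG_RE) || []) {
      if (html.includes(tag)) html = html.split(tag).join(neuterTag(tag));
    }
  }
  return html;
}

// Policy delivered via <meta http-equiv="Content-Security-Policy">; null if absent or neutered.
function effectiveMetaCsp(html) {
  const m = /<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"\s*>/i.exec(html);
  return m ? m[1] : null;
}

// External scripts the browser would still fetch (neutered <sc#ript> tags are inert).
function externalScriptsLoaded(html) {
  return [...html.matchAll(/<script\s+src="([^"]*)"/gi)].map(m => m[1]);
}

// An inline <script> runs unless an enforced policy has a script-src without 'unsafe-inline'.
function inlineScriptRuns(html) {
  if (!/<script>/i.test(html)) return false;
  const csp = effectiveMetaCsp(html);
  if (csp === null) return true;
  const scriptSrc = csp.split(';').map(d => d.trim()).find(d => d.startsWith('script-src'));
  return !scriptSrc || scriptSrc.includes("'unsafe-inline'");
}

// Constructed victim page: CSP via meta tag, one legitimate external script, and an
// inline script that the policy is supposed to block.
const META_CSP = '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'">';
const JQUERY_TAG = '<script src="/jquery.js">';
const VICTIM_PAGE =
  `<html><head>${META_CSP}</head><body>${JQUERY_TAG}</script>` +
  `<script>alert(1)</script></body></html>`;

// What a browser with this filter would end up enforcing for a given request URL.
function evaluateRequest(requestUrl) {
  const filtered = applyXssFilter(requestUrl, VICTIM_PAGE);
  return {
    csp: effectiveMetaCsp(filtered),
    externalScripts: externalScriptsLoaded(filtered),
    inlineRuns: inlineScriptRuns(filtered),
  };
}

const BENIGN_URL = 'https://example.com/page.html?id=1';
// The harmless case from the paper: reflect the page's own script tag, jQuery fails to load.
const DOS_URL = 'https://example.com/page.html?id=' + encodeURIComponent(JQUERY_TAG);
// The talk's case: reflect the page's own meta CSP tag, the policy is neutered, inline script runs.
const CSP_BYPASS_URL = 'https://example.com/page.html?id=' + encodeURIComponent(META_CSP);

console.log(evaluateRequest(BENIGN_URL));     // csp enforced, jquery loaded, inline blocked
console.log(evaluateRequest(DOS_URL));        // csp enforced, jquery gone, inline blocked
console.log(evaluateRequest(CSP_BYPASS_URL)); // csp null, jquery loaded, inline runs
```

The model makes the root cause concrete: the filter's only evidence of an attack is "this string from the URL also occurs in the response", so anything static in the page, a script tag or the policy that protects the page, can be switched off by an attacker who just copies it into a query parameter. Delivering CSP as an HTTP header rather than a meta tag takes the policy out of the filter's reach, which is the practical mitigation a site owner controlled while the filter still existed.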