Batu69 Posted August 30, 2017

All modern web browsers leak extension information to sites if the sites run scripts to pull the information. We talked about the findings of a research team that published its findings recently in a paper.

Unless scripts are blocked, sites may run scripts that check the response time of the browser as it is different when checks are made for fake extensions and fake resources, and existing extensions and fake resources.

Firefox's situation is special, as it supports the legacy add-on system and the new WebExtensions system. The researcher tested the browser's legacy add-on system only, but suggested that Firefox's new system would also be vulnerable.

An anonymous reader pointed out that Firefox's WebExtensions system uses random IDs, and that this meant that the method to enumerate extensions would not work in that case (unlike in Chrome and other Chromium based browsers).

While that is correct, Mozilla's implementation introduces a new issue that allows sites to identify users if WebExtensions expose content to sites as the random IDs are permanent.

"... in particular, they [Mozilla] changed the initial scheme (moz-extension://[extID]/[path]) to moz-extension://[random-UUID]/[path]. Unfortunately, while this change makes indeed more difficult to enumerate user extensions, it introduces a far more dangerous problem. In fact, the random-UUID token can now be used to precisely fingerprint users if it is leaked by an extension. A website can retrieve this UUID and use it to uniquely identify the user, as once it is generated the random ID never changes. We reported this design-related bug to Firefox developers as well."

If a site manages to get hold of the ID, it may track the Firefox installation as that ID never changes.

This is not just theoretical either; Earthling, one of the maintainers of the Ghacks Firefox user.js file, has created a proof of concept that highlights a leak in Firefox's native Screenshot tool.

While this particular example requires that users click on the screenshot button in the Firefox interface to make the unique ID available to the site, other extensions may expose content without user interaction.

Apple's Safari uses a random UUID system as well, and the researchers discovered that they could enumerate about 40% of all extensions as its implementation is flawed.

If the WebExtension exposes content to sites because they have implementation flaws, sites may fingerprint users based on the unique ID that gets exposed in the process.

Closing Words

Mozilla needs to rework the implementation to protect users of the browser from this. Even if you don't use WebExtensions at all, you may be vulnerable to this as Firefox ships with several system add-ons that may expose the ID to sites. (Thanks Pants and Earthling)
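Added example, not part of the original post or the quoted article: a small audit an extension author or tester could run over a saved DOM snapshot to check whether any `moz-extension://[random-UUID]/[path]` URL has ended up in page-visible markup, which is the leak the article describes. The function names, the snapshot string and the UUID in it are constructed for illustration.

```javascript
// Added example (not from the article): offline audit of a saved DOM snapshot
// for moz-extension:// URLs that would expose the per-profile random UUID.
const UUID = '[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}';
const LEAK_RE = new RegExp(`moz-extension://(${UUID})(/[^\\s"'<>)]*)?`, 'gi');

// Name of the element whose markup or text contains offset `index`.
function enclosingElement(html, index) {
  const open = html.lastIndexOf('<', index);
  const m = open < 0 ? null : /^<\s*([a-z][a-z0-9-]*)/i.exec(html.slice(open));
  return m ? m[1].toLowerCase() : '(text)';
}

// Returns one record per distinct UUID found: how often it appears, in which
// elements, and which extension resource paths were referenced.
function findExtensionUuidLeaks(html) {
  const byUuid = new Map();
  for (const m of html.matchAll(LEAK_RE)) {
    const uuid = m[1].toLowerCase(); // UUIDs compare case-insensitively
    const hit = byUuid.get(uuid) ||
      { uuid, count: 0, elements: new Set(), paths: new Set() };
    hit.count += 1;
    hit.elements.add(enclosingElement(html, m.index));
    hit.paths.add(m[2] || '/');
    byUuid.set(uuid, hit);
  }
  return [...byUuid.values()].map(h => ({
    uuid: h.uuid,
    count: h.count,
    elements: [...h.elements].sort(),
    paths: [...h.paths].sort(),
  }));
}

// Constructed sample: a page's DOM after an extension injected UI into it.
// The UUID is made up for this example.
const SAMPLE_SNAPSHOT = `
<html><head>
<style>.shot-btn { background: url(moz-extension://0a1b2c3d-1111-4222-8333-444455556666/icons/shot.svg); }</style>
</head><body>
<a href="https://example.com/">ordinary link</a>
<iframe src="moz-extension://0A1B2C3D-1111-4222-8333-444455556666/ui/panel.html"></iframe>
</body></html>`;

console.log(JSON.stringify(findExtensionUuidLeaks(SAMPLE_SNAPSHOT), null, 2));
```

Any record in the result means the extension has placed its internal origin where page scripts can read it; an empty array means the snapshot shows no such reference.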
snf Posted August 30, 2017

It seems more and more. It will have to be abandoned: Firefox.
Phantomboxe Posted August 30, 2017

1 hour ago, snf said:
> It seems more and more. It will have to be abandoned: Firefox.

just Dump Firefox to Recycle Bin along with George Soros, download Pale Moon browser instead.
IronY-Man Posted August 30, 2017

these days I'm trying more and more firefox forks (pre-e10 fiasco) versions and those who have decided to move on their own from v53.....& so far I've tried Waterfox (not so good after v53) and now on Cyberfox v53 (ESR forks) ...and it's more promising than others !! Will get to Palemoon soon and then compare 'em all !!
snf Posted August 30, 2017

7 minutes ago, IronY-Man said:
> these days I'm trying more and more firefox forks (pre-e10 fiasco) versions and those who have decided to move on their own from v53.....& so far I've tried Waterfox (not so good after v53) and now on Cyberfox v53 (ESR forks) ...and it's more promising than others !! Will get to Palemoon soon and then compare 'em all !!

At the end, don't forget: which one is the better for you!
knowledge-Spammer Posted August 30, 2017

firefox what the hell are u doing they must fix all the bad things they are doing i feel i was right to say maybe have to stop using firefox
knowledge-Spammer Posted August 30, 2017

8 hours ago, 0bin said:
> knowledge try the esr as steven36 suggested me, then maybe we will switch to something else, look for firefox folder, open it, there is a exe for telemetry called pingsender.exe

maybe i just do not like how firefox team are thinking they going to f*** a good browser and for what ?
dcs18 Posted August 30, 2017

Have shifted all my client machines to the Nightly, V56.
steven36 Posted August 30, 2017

More info on this.
https://github.com/ghacksuserjs/ghacks-user.js/issues/191

Even if you use Waterfox you need the No Resource URI Leak (clone)
https://raw.githubusercontent.com/earthlng/testpages/master/no_resource_uri_leak-1.1.1-an%2Bfx%2Bsm%2Btb.xpi

Because of this
https://browserleaks.com/firefox

Palemoon really never leaks though, it only gives out Default Locale and that's all.

They said they were going to fix this in v56
https://groups.google.com/d/msg/mozilla.dev.platform/00-1tT15mX0/TzUrOD93AAAJ

You can test Nightly at browser leaks at the link I gave above to see if it still leaks.
steven36 Posted August 30, 2017

3 hours ago, IronY-Man said:
> Cyberfox v53(ESR forks)

Not no different than using Firefox v53 ESR, you still need No Resource URI Leak from AMO or it leaks. Cyberfox is full of bugs, I tested it again not long ago and uninstalled it because of bugs. It has bugs in it Cyberfox has and it has bugs that are in Firefox. I'd much rather just use Firefox ESR and deal with one set of bugs.. I use Waterfox on Linux with No Resource URI Leak (clone) because it lets me use legacy addons and because there is no ppa or debs for ESR like there are for Waterfox. But there is no benefit from using Cyberfox, it just causes me to have more bugs, so on Windows I just use Firefox ESR and Palemoon ...
IronY-Man Posted August 30, 2017

3 hours ago, steven36 said:
> Not no different than using Firefox v53 ESR, you still need No Resource URI Leak from AMO or it leaks. Cyberfox is full of bugs, I tested it again not long ago and uninstalled it because of bugs. It has bugs in it Cyberfox has and it has bugs that are in Firefox. I'd much rather just use Firefox ESR and deal with one set of bugs.. I use Waterfox on Linux with No Resource URI Leak (clone) because it lets me use legacy addons and because there is no ppa or debs for ESR like there are for Waterfox. But there is no benefit from using Cyberfox, it just causes me to have more bugs, so on Windows I just use Firefox ESR and Palemoon ...

Thanks for No Resource URI Leak from AMO... @steven36, I had read about it and then it slipped my mind....but as far as cyberfox bugs goes; I haven't encountered much on this version and I was using ESR before this and Waterfox (and does it still allow legacy ones after v53 ? asking cos FF def. dropped the ball on most of them!! ) before that...& I've had same problems on both with my addon set but not with Cyberfox....it's most stable than both of those for now.....& you're already on palemoon...& does all legacy ones runs smooth on it ??
steven36 Posted August 30, 2017

14 minutes ago, IronY-Man said:
> Thanks for No Resource URI Leak from AMO... @steven36, I had read about it and then it slipped my mind....but as far as cyberfox bugs goes; I haven't encountered much on this version and I was using ESR before this and Waterfox (and does it still allow legacy ones after v53 ? asking cos FF def. dropped the ball on most of them!! ) before that...& I've had same problems on both with my addon set but not with Cyberfox....it's most stable than both of those for now.....& you're already on palemoon...& does all legacy ones runs smooth on it ??

Palemoon sort has its own addons page now but some of the legacy ones still work for it from firefox and waterfox, still most legacy addons and unsigned addons work fine for it. The guy from waterfox plans to start hosting legacy addons as well. Before long I doubt you will be able to get them at amo anymore. Cyberfox is dead in the water in 2018 anyway.
Undertaker Posted August 31, 2017

Although this problem is not limited to the screenshots extension only but it's good to disable it.

Also, the Resource URI leak has been fixed in latest Nightly build:
https://www.reddit.com/r/firefox/comments/6wud0j/benign_resource_uri_leak_fixed_in_nightly/

Somebody even posted a proof on wilders:
https://www.wilderssecurity.com/threads/firefox-57-an-overview-of-whats-new-with-resources.396305/page-3#post-2702939
Vakdan Posted August 31, 2017

4 hours ago, Undertaker said:
> Although this problem is not limited to the screenshots extension only but it's good to disable it.

If I just remove the screenshot icon isn't enough?
Undertaker Posted August 31, 2017

1 hour ago, vlefteriss said:
> If I just remove the screenshot icon isn't enough?

Yeah that won't be enough, you will have to dig in the about:config preferences, find entries for screenshots extension and disable it from there.
dcs18 Posted August 31, 2017

1 hour ago, vlefteriss said:
> 5 hours ago, Undertaker said:
> > Although this problem is not limited to the screenshots extension only but it's good to disable it.
>
> If I just remove the screenshot icon isn't enough?

Anyways, the Firefox screenshot tool is inadequate — it's better to disable it completely (as follows) and use a full-fledged, standalone screenshot tool, instead:—

("extensions.screenshots.disabled", true);
("extensions.screenshots.system-disabled", true);
Phantomboxe Posted September 1, 2017

Mozilla to test opt-out telemetry collection in Firefox
steven36 Posted September 2, 2017

On 8/31/2017 at 9:10 PM, Phantomboxe said:
> Mozilla to test opt-out telemetry collection in Firefox

I 1st read about this here
https://www.reddit.com/r/privacy/comments/6vb44j/firefox_considering_anonymously_collecting/

Which it won't never affect me on Linux, I just use a fork of Firefox and once 52 ESR is over I plan to just use a fork again on Windows like I used to back some years ago.
snf Posted September 3, 2017

16 hours ago, steven36 said:
> Which it won't never affect me on Linux, I just use a fork of Firefox and once 52 ESR is over I plan to just use a fork again on Windows like I used to back some years ago.

I follow your advice. I do this: change Firefox 55 for 52 ESR for Windows. It's easy, 2 min. Keep old profile 55, and add in install directory of 52 ESR. Now I'm sheltered from this track?
Archived
This topic is now archived and is closed to further replies.