
This issue was moved to a discussion.


Question about lies #147

Closed
z0ccc opened this issue Aug 31, 2021 · 4 comments
Labels
question Further information is requested

Comments

@z0ccc

z0ccc commented Aug 31, 2021

Hi,
What is meant by:

  • failed undefined properties
  • does not match worker scope

How does tampering with objects cause these detections?

Thanks

@abrahamjuliot
Owner

These are great questions.

For example, navigator.hardwareConcurrency:

failed undefined properties

How is still a mystery to me, but both novice and advanced object tampering techniques leak subtle differences from the object's native behavior.

```js
// This returns undefined in native engines
Object.getOwnPropertyDescriptor(navigator, 'hardwareConcurrency')
// => undefined

// Let's tamper with the value using a basic method
Object.defineProperty(navigator, 'hardwareConcurrency', { value: 2 })

// Now this returns the descriptor object
Object.getOwnPropertyDescriptor(navigator, 'hardwareConcurrency')
// => {value: 2, writable: false, enumerable: false, configurable: false}
```

does not match worker scope

Workers have their own scope separate from the window scope, so tampering with an object in one scope does not affect the other scope. Above, we changed navigator.hardwareConcurrency so it now returns 2, and if we now call navigator.hardwareConcurrency in the worker scope, it will return the real value.

Not all objects in the window are available to workers, and support varies per engine:

https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope

@abrahamjuliot abrahamjuliot added the question Further information is requested label Aug 31, 2021
@z0ccc
Author

z0ccc commented Aug 31, 2021

Very interesting. Thanks for the reply.

@z0ccc z0ccc closed this as completed Aug 31, 2021
@z0ccc
Author

z0ccc commented Aug 31, 2021

Hi,
I got around 'failed undefined properties' by doing this:

```js
Object.defineProperty(Object.getPrototypeOf(navigator), 'hardwareConcurrency', { value: 2 })
```

But instead of the 'failed undefined properties' I now get 'failed descriptor.value undefined'. What's the difference between these two lies?

Thanks

@z0ccc z0ccc reopened this Aug 31, 2021
@abrahamjuliot
Owner

abrahamjuliot commented Sep 1, 2021

  • "failed undefined properties" detects the added descriptor object
  • "failed descriptor.value undefined" detects the added value property to the descriptor

```js
// Native returns undefined
Object.getOwnPropertyDescriptor(Navigator.prototype, 'hardwareConcurrency').value

// tamper
Object.defineProperty(Object.getPrototypeOf(navigator), 'hardwareConcurrency', { value: 2 })

// Now we get 2
Object.getOwnPropertyDescriptor(Navigator.prototype, 'hardwareConcurrency').value
```

This will bypass both tests. Idea from: https://github.com/duckduckgo/duckduckgo-privacy-extension/blob/ec09b691eee1945ee80fedac5f7f8b1cf9527008/shared/js/content-scope/utils.js#L92

```js
Object.defineProperty(
    Object.getPrototypeOf(navigator),
    'hardwareConcurrency', {
        get: (function hardwareConcurrency() { return 2 }).bind(null)
    }
)
```

But, then that creates a new set of leaks. For example:

```js
// this should return an error and not "Number"
Navigator.prototype.hardwareConcurrency.constructor.name
```

There are a few interesting articles highlighting some of these leaks and potential solutions, but I'm pretty sure the only way to 100% bypass leaks is to change functions at engine level.

Repository owner locked and limited conversation to collaborators Sep 11, 2021
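
The three checks discussed in this thread, run side by side against each override shown above. This is an added example, not part of the original comments and not the project's own code. `makeNavigator`, `detectLies`, the stand-in `Navigator` class and the core count of 8 are constructed for illustration, and `workerValue` is assumed to be the untampered value read inside a worker.

```javascript
// Constructed stand-in for a browser Navigator: the engine exposes
// hardwareConcurrency as a getter on the prototype, not on the instance.
function makeNavigator(cores) {
  class Navigator {
    get hardwareConcurrency() { return cores }
  }
  return new Navigator()
}

// Hypothetical checker; the lie labels are the ones quoted in the thread.
// workerValue is what the same property returned inside a Worker (assumed).
function detectLies(nav, prop, workerValue) {
  const lies = []
  // Native: the instance itself has no own descriptor for the property.
  if (Object.getOwnPropertyDescriptor(nav, prop) !== undefined) {
    lies.push('failed undefined properties')
  }
  // Native: the prototype descriptor is an accessor, so it has no `value` key.
  const desc = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(nav), prop)
  if (desc && 'value' in desc) {
    lies.push('failed descriptor.value undefined')
  }
  // An override made in the window scope is not visible from the worker scope.
  if (nav[prop] !== workerValue) {
    lies.push('does not match worker scope')
  }
  return lies
}

const REAL_CORES = 8 // constructed sample value
const PROP = 'hardwareConcurrency'

const clean = makeNavigator(REAL_CORES)
const ownProp = makeNavigator(REAL_CORES)
Object.defineProperty(ownProp, PROP, { value: 2 })
const protoValue = makeNavigator(REAL_CORES)
Object.defineProperty(Object.getPrototypeOf(protoValue), PROP, { value: 2 })
const protoGetter = makeNavigator(REAL_CORES)
Object.defineProperty(Object.getPrototypeOf(protoGetter), PROP, {
  get: (function hardwareConcurrency() { return 2 }).bind(null)
})

for (const [name, nav] of Object.entries({ clean, ownProp, protoValue, protoGetter })) {
  console.log(name, detectLies(nav, PROP, REAL_CORES))
}
```

The getter-based override clears both descriptor checks, but the comparison against the worker's value still flags it.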
