[hackerone] performance.now and other timing APIs are fingerprinting vectors #24681
Comments
cc: @diracdeltas @pes10k |
What I have learned so far:
in which case the timing values are clamped to 5-us resolution. These two resolutions are specified in Chrome by two constants:
(These constants are used in only two places in the source code currently.) |
The plan is:
|
|
I'll create a test for this one. Should be done in an hour or so |
Removed the Going to add the |
cc: @arthuredelstein Verified the issue in Verified the test instructions from https://dev-pages.brave.software/dom-properties/performance.html
I am not getting the mix of integers and float values when shields are down |
Verification
Steps:
Case 1: Enable
|
step 2 | step 5 | result |
---|---|---|
Case 2: Disable `#brave-round-time-stamps` feature flag
- open `brave://flags`
- set to `Disabled` for `#brave-round-time-stamps`
- click Relaunch Brave
- visit https://dev-pages.bravesoftware.com/dom-properties/performance.html in a new-tab
- toggle `Off` Shields
- click `Run test` button
Confirmed integers & float values returned as expected since the flag is disabled
step 2 | step 5 | result | result |
---|---|---|---|
*Note: The wording on the buttons show `Test failed` is incorrect. Should have been `Test Succeeded`. Confirmed with @arthuredelstein and above tests are correct.
https://bravesoftware.slack.com/archives/C7VLGSR55/p1671119340076209?thread_ts=1671036126.362999&cid=C7VLGSR55
Verified
|
Brave | 1.47.135 Chromium: 108.0.5359.128 (Official Build) beta (x86_64) |
---|---|
Revision | 1cd27afdb8e5d057070c0961e04c490d2aca1aa0-refs/branch-heads/5359@{#1185} |
OS | macOS Version 11.7.2 (Build 20G1020) |
Case 1: Enable `#brave-round-time-stamps` feature flag
- installed `1.47.135`
- opened `brave://flags`
- set `Enabled` for `#brave-round-time-stamps`
- clicked `Relaunch` button
- loaded `https://dev-pages.bravesoftware.com/dom-properties/performance.html` in a new tab
- toggled Shields `Off`
- clicked `Run test` button
Confirmed all integers returned were rounded
brave://flags |
Test succeeded |
---|---|
Case 2: Disable `#brave-round-time-stamps` feature flags
- installed `1.47.135`
- opened `brave://flags`
- set `Disabled` for `#brave-round-time-stamps`
- clicked on `Relaunch`
- loaded `https://dev-pages.bravesoftware.com/dom-properties/performance.html` in a new tab
- toggled Shields to `Off`
- clicked `Run test` button
Confirmed integers & float values returned as expected since the flag is disabled
brave://flags |
Output - "Test failed" |
---|---|
*Note: The wording on the buttons show Test failed is incorrect. Should have been Test Succeeded. Confirmed with @arthuredelstein and above tests are correct.
https://bravesoftware.slack.com/archives/C7VLGSR55/p1671119340076209?thread_ts=1671036126.362999&cid=C7VLGSR55
Verified on
Case: Flag enabled
Case: Flag disabled
|
I just want to note that I get the exact same values as the fingerprint results above:
Is this actually a useful fingerprinting technique if the values are the same across machines? |
I believe you're getting the same values because of the changes in this PR. Or are you testing in different browsers? Am I misunderstanding? |
If you restart your machine or device, it should change. |
Description
From joe12387:
Steps to Reproduce
See https://github.com/Joe12387/OP-Fingerprinting-Script/blob/b4b196f5a6196bacf2dc041b064f877dafafface/opfs.js#L443
See also: #2952
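
The verification comments in this thread judge the result by eye: all-integer timer values when `#brave-round-time-stamps` is enabled, a mix of integers and floats when it is disabled. The JavaScript below scripts that check and also estimates the timer step; it is an added example, not code from the Brave test page or from this issue, and the candidate step list and all function names are assumptions made for illustration.

```javascript
// Added example (not Brave or Chromium code). Steps are in milliseconds,
// coarsest first: 1 ms matches the integer-only output reported with
// #brave-round-time-stamps enabled, 0.005 ms is the 5-us clamp mentioned in
// the thread, and 0.1 ms is an assumed extra candidate.
const CANDIDATE_STEPS_MS = [1, 0.1, 0.005];

// True when value is a whole multiple of step, allowing for float error.
function isMultipleOf(value, step) {
  const ratio = value / step;
  return Math.abs(ratio - Math.round(ratio)) < 1e-4;
}

// Coarsest candidate step that every sample sits on, or null if none fits
// (timer finer than all candidates, or no samples).
function inferStepMs(samples) {
  if (samples.length === 0) return null;
  const step = CANDIDATE_STEPS_MS.find((s) => samples.every((v) => isMultipleOf(v, s)));
  return step === undefined ? null : step;
}

// Same verdict the thread's verification uses: rounding is in effect only
// when no sample has a fractional part.
function summarize(samples) {
  const integers = samples.filter(Number.isInteger).length;
  return {
    integers,
    fractional: samples.length - integers,
    stepMs: inferStepMs(samples),
    rounded: samples.length > 0 && integers === samples.length,
  };
}

// Take n live readings, with a little work in between so they differ.
function collectSamples(n) {
  const out = [];
  for (let i = 0; i < n; i++) {
    for (let j = 0, x = 0; j < 20000; j++) x += Math.sqrt(j);
    out.push(performance.now());
  }
  return out;
}

if (typeof performance !== "undefined") {
  console.log(summarize(collectSamples(50)));
}
```

An unrounded timer can still return an occasional whole number, so the verdict is only meaningful over a batch of samples, not a single reading.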