Re: Potential high entropy fingerprint issue


Mike West

Nov 7, 2022, 1:54:10 AM
to Filip Petronijevic, Security-dev
Hi Filip,

It seems to me that you'll have an easier time hooking into scripts' collection of potentially identifying information than into assignment to some specific object. If you want to send me more information about the script you're looking at, I'd be interested in looking at it with you.

That said, watching a value in devtools is possible (https://developer.chrome.com/docs/devtools/javascript/reference/#watch), as is breaking on specific lines of code (https://developer.chrome.com/docs/devtools/javascript/breakpoints/). If you know where the assignments are happening in the script, those might be effective debugging mechanisms.

-mike


On Sun, Nov 6, 2022 at 2:44 PM Filip Petronijevic <fpetronij...@raf.rs> wrote:
Hello, during my academic research I came across one website which has very disturbing levels of fingerprinting. How? It manages to detect that I come from the same device despite me hooking, randomizing and changing more than 850 >0.0 entropy values, including using a VPN connection or proxies. I found the script that is responsible for that but the issue is that it's heavily obfuscated. I believe this vendor is abusing some zero day in Chromium to access some extremely high entropy values and I want to find out what this is and report it. The only thing I know about this script is that they save their collector variables inside an object that has the key "sigs". They append 124 attributes to this key which are objects representing some values. I was wondering if it is possible somewhere in V8 to hook object creation and sniff for all objects that get added to this key value and dump them somewhere? In theory it sounds very possible, but in practice could it be done? Pseudocode of them doing this fingerprinting is something like this.

var obj1 = {}
obj1['sigs'] = [1, 2, 3]   // some important values

var obj2 = {}
obj2['sigs'] = [14, 23, 322222]   // some important values

var obj3 = {}
obj3['sigs'] = [1, 2, 3, 5, 3, 32, 2, 1, 32]   // some important values
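One way to get at what Mike calls "scripts' collection of potentially identifying information" without touching V8 is to hook the property name itself from JavaScript. The block below is an added example, not code from this thread or from any script discussed in it: it installs an accessor for the key `sigs` on `Object.prototype`, so that an assignment like `obj['sigs'] = ...` on any ordinary object that has no own `sigs` property reaches the setter through the prototype chain. The setter records the value and a few stack frames (which point back into the obfuscated script), and a `WeakMap` keeps the value readable through the getter so the hooked script keeps working. `runSuspectScript` is a constructed stand-in for the pattern described above, not the real script.

```javascript
// Added example (not from the thread): log every assignment to a chosen
// property name on ordinary objects by hooking Object.prototype.
// Assumption: the script assigns with obj[key] = value / obj.key = value on
// plain objects, which is what the pseudocode in the thread shows.

const records = [];            // captured assignments: key, value, receiver, stack
const backing = new WeakMap(); // per-object storage so the hooked script still reads its values

function installKeyHook(key) {
  Object.defineProperty(Object.prototype, key, {
    configurable: true,  // allows uninstallKeyHook to remove it again
    enumerable: false,   // keep it out of for-in / Object.keys on every object
    get() {
      const own = backing.get(this);            // WeakMap.get on a primitive just returns undefined
      return own ? own.get(key) : undefined;
    },
    set(value) {
      if (typeof this !== 'object' && typeof this !== 'function') return; // primitive receiver
      if (!backing.has(this)) backing.set(this, new Map());
      backing.get(this).set(key, value);
      records.push({
        key,
        value,
        receiver: this,
        // a few frames of the stack: this is where the assignment happened in the script
        stack: (new Error().stack || '').split('\n').slice(2, 5).join('\n'),
      });
    },
  });
}

function uninstallKeyHook(key) {
  delete Object.prototype[key]; // works because the accessor was defined configurable
}

// Constructed stand-in for the pattern described in the thread (not the real script).
function runSuspectScript() {
  var obj1 = {};
  obj1['sigs'] = [1, 2, 3];
  var obj2 = {};
  obj2['sigs'] = [14, 23, 322222];
  // Object-literal form creates an own data property directly; the setter is NOT called.
  var obj3 = { sigs: [9] };
  return [obj1, obj2, obj3];
}

// Installs the hook, runs the script, and returns what was captured and what
// the script itself sees when it reads the key back.
function captureSigs() {
  records.length = 0;
  installKeyHook('sigs');
  try {
    const objs = runSuspectScript();
    const seen = objs.map((o) => o.sigs); // read back through the getter (or own property)
    return { hits: records.map((r) => r.value), seen, stacks: records.map((r) => r.stack) };
  } finally {
    uninstallKeyHook('sigs');
  }
}

console.log(JSON.stringify(captureSigs(), null, 2));
```

Two caveats worth keeping in mind when using this on a real page: the hook only fires for ordinary `obj[key] = value` assignments, so object literals, `Object.defineProperty`, and objects created with `Object.create(null)` bypass it (the `obj3` case above shows the literal form being missed); and while the hook is installed, `'sigs' in anyObject` is true and `hasOwnProperty('sigs')` is false for every plain object, which a script that checks for the key's presence could notice. Running it as early as possible (a devtools snippet, or a content script at `document_start`) is what gives it a chance to observe the first assignments.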

Mike West

Nov 7, 2022, 3:53:21 AM
to Filip Petronijevic, Security-dev
mk...@google.com and mk...@chromium.org both get to me. We can move the conversation to a security/privacy bug against Chromium if there's need.

-mike


On Mon, Nov 7, 2022 at 9:48 AM Filip Petronijevic <fpetronij...@raf.rs> wrote:
I am aware of all possible methods of debugging in JavaScript land and in devtools. The issue, as I mentioned, is that the script is heavily obfuscated and you can't really put a breakpoint anywhere, as it's really advanced obfuscation. From deobfuscating it to some extent and statically reading very messy code for days, I found out they place all these things into the 'sigs' key in some random objects. The only way I see of finding out what these objects have is hooking into V8 directly and reading at runtime.

I'm afraid to publicly post the script here as there might be some malicious actors that could abuse it once they find out what they collect, and if something really turns out to be zero-dayish oriented. Is there any way I could contact you via e-mail or some other place?
