Cross-tab identity leak protection

General discussion about the NoScript extension for Firefox
barbaz
Master Bug Buster
Posts: 10444
Joined: Sat Aug 03, 2013 5:45 pm

Cross-tab identity leak protection

Post by barbaz »

What does this new feature do?

Looking at the code, I see it's something about stripping cookies and HTTP authorization headers (like a partial ABE Anonymize), but I wasn't able to figure out under what circumstances it would do that and what type of security threat it's intended to protect against?
*Always* check the changelogs BEFORE updating that important software!
Giorgio Maone
Site Admin
Posts: 9372
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-tab identity leak protection

Post by Giorgio Maone »

The attack involves opening another tab or window pointing to a resource which is account-specific (e.g. a private Youtube video shared to the victim user) and measuring the observable effects on CPU cache to tell if it has been successfully rendered, therefore precisely identifying the target.

More details here and in this presentation due tomorrow.
Giorgio Maone
Site Admin
Posts: 9372
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-tab identity leak protection

Post by Giorgio Maone »

Also, this received some press attention a few weeks ago, and I did pledge to do something about it even before joining the Tor Browser team (serendipity? :) ).
barbaz
Master Bug Buster
Posts: 10444
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cross-tab identity leak protection

Post by barbaz »

Thanks Giorgio, the Github link you tweeted there answers my question about what threat this is protecting against.

But it seems to be talking about timing the loading of embedded resources, so I'm still not sure what cross-tab has to do with it?

I guess what I'm still asking is: If I enable this feature, under what circumstances will NoScript anonymize a request?
*Always* check the changelogs BEFORE updating that important software!
Giorgio Maone
Site Admin
Posts: 9372
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-tab identity leak protection

Post by Giorgio Maone »

This is an extension of the embedded resource attack: since it doesn't work anymore on Firefox / Tor Browser because they now automatically drop credentials from cross-site embeddings ("total cookie protection"), this new attack leverages spawned windows and tabs not being protected the same way, and uses one tab/window for observing the CPU cache while the other tab/window renders the shared resource page.
Therefore any tab pair which is in an opener-opened relationship (no matter the direction) is a potential vector, as long as the two tabs are from different domains.
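To make the opener-pair rule above concrete, here is an added model (written for this thread as an illustration; it is not NoScript's or TabGuard's own code) of how a WebExtension could track opener-linked tabs and strip the Cookie and Authorization headers from a request made in a tab whose linked partner sits on a different site. Assumptions: the siteOf helper approximates a "site" as the last two hostname labels (a real implementation would consult the public-suffix list), links are recorded only for direct opener/opened pairs, and the listener return value follows the webRequest.onBeforeSendHeaders shape with a requestHeaders array; all tab URLs and headers below are constructed sample values.

```javascript
// Added illustration, not NoScript's TabGuard implementation.
// Model: two tabs joined by an opener relationship (either direction) are a
// potential cache side-channel pair. A request from tab T has its ambient
// credentials stripped when some tab linked to T belongs to a different site
// than the request target.

// Approximate a "site" as the last two DNS labels of the hostname.
// Assumption: production code would use the public-suffix list instead.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  const labels = host.split(".");
  return labels.length > 2 ? labels.slice(-2).join(".") : host;
}

// Request headers that carry ambient credentials.
const CREDENTIAL_HEADERS = new Set(["cookie", "authorization"]);

// Remove credential headers from a webRequest-style header array
// ([{ name, value }, ...]) without mutating the input.
function anonymizeHeaders(requestHeaders) {
  return requestHeaders.filter(h => !CREDENTIAL_HEADERS.has(h.name.toLowerCase()));
}

class TabGuardModel {
  constructor() {
    this.tabUrls = new Map(); // tabId -> current top-level URL
    this.links = new Map();   // tabId -> Set of linked tabIds (symmetric)
  }

  // A tabs.onUpdated / onCreated handler would feed the tab's URL here.
  setTabUrl(tabId, url) { this.tabUrls.set(tabId, url); }

  // A tabs.onCreated handler seeing details.openerTabId would call this.
  // The link is stored in both directions ("no matter the direction").
  link(openerTabId, openedTabId) {
    for (const [a, b] of [[openerTabId, openedTabId], [openedTabId, openerTabId]]) {
      if (!this.links.has(a)) this.links.set(a, new Set());
      this.links.get(a).add(b);
    }
  }

  // Drop a tab and every link to it (tabs.onRemoved, or a manual "forget").
  forget(tabId) {
    for (const other of this.links.get(tabId) || []) {
      this.links.get(other).delete(tabId);
    }
    this.links.delete(tabId);
    this.tabUrls.delete(tabId);
  }

  // Linked tabs whose site differs from the site of requestUrl.
  crossSitePartners(tabId, requestUrl) {
    const site = siteOf(requestUrl);
    const partners = [];
    for (const other of this.links.get(tabId) || []) {
      const otherUrl = this.tabUrls.get(other);
      if (otherUrl && siteOf(otherUrl) !== site) partners.push(other);
    }
    return partners;
  }

  // Shaped like a webRequest.onBeforeSendHeaders listener: returns {} to leave
  // the request alone, or { requestHeaders } with credentials removed.
  onBeforeSendHeaders(details) {
    if (this.crossSitePartners(details.tabId, details.url).length === 0) return {};
    return { requestHeaders: anonymizeHeaders(details.requestHeaders) };
  }
}

// Constructed scenario: tab 1 on one site opens tab 2, which lands on an
// account-specific page of another site. Returns the header names that
// would actually be sent from tab 2.
function demo() {
  const guard = new TabGuardModel();
  guard.setTabUrl(1, "https://forums.informaction.com/");
  guard.setTabUrl(2, "https://github.com/hackademix/nscl");
  guard.link(1, 2);
  const requestHeaders = [
    { name: "Host", value: "github.com" },
    { name: "Cookie", value: "session=constructed" },
    { name: "Authorization", value: "Bearer constructed" },
  ];
  const result = guard.onBeforeSendHeaders({
    tabId: 2, url: "https://github.com/hackademix/nscl", requestHeaders,
  });
  return (result.requestHeaders || requestHeaders).map(h => h.name);
}
```

The check is deliberately symmetric: a request from the opener tab is anonymized when the opened tab is on another site, and vice versa, while a same-site pair (for example two flathub.org tabs) is left untouched. Calling forget on either tab removes the link, so the other tab's requests go out with credentials again.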
barbaz
Master Bug Buster
Posts: 10444
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cross-tab identity leak protection

Post by barbaz »

Giorgio Maone wrote: Wed Aug 10, 2022 5:17 pm any tab pair which is in an opener-opened relationship (no matter the direction) is a potential vector, as long as the two tabs are from different domains.
So the following steps are not intended to trigger this protection?

Firefox 103.0.2
NoScript 11.4.8rc2
new profile

1) about:preferences, check "When you open a link, image or media in a new tab, switch to it immediately"

2) NoScript Options > Advanced, set Cross-tab identity leak protection "Enabled everywhere"

3) in Per-site Permissions, set flathub.org to Trusted

4) go to https://flathub.org/home

5) middle click any individual app's listing
*Always* check the changelogs BEFORE updating that important software!
Giorgio Maone
Site Admin
Posts: 9372
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-tab identity leak protection

Post by Giorgio Maone »

barbaz wrote: Wed Aug 10, 2022 6:23 pm So the following steps are not intended to trigger this protection?

Firefox 103.0.2
NoScript 11.4.8rc2
new profile

1) about:preferences, check "When you open a link, image or media in a new tab, switch to it immediately"

2) NoScript Options > Advanced, set Cross-tab identity leak protection "Enabled everywhere"

3) in Per-site Permissions, set flathub.org to Trusted

4) go to https://flathub.org/home

5) middle click any individual app's listing
Bug indeed, fixed in latest development build, thanks.

v 11.4.8rc3
============================================================
x [TabGuard] Improved specificity + some bug fixes (thanks
  barbaz and fatboy)
x [TabGuard] Move "forget" button in its own line
x [L10n] Updated de, nl, ru, sq
x [l10n] Automatic pull for 100% completed translations only
barbaz
Master Bug Buster
Posts: 10444
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cross-tab identity leak protection

Post by barbaz »

Thank you, it's much more usable now :)

One more question: If I test this protection with a cross-site link to this forum while I'm logged in here, and select "Load anonymously", I'm completely logged out of the forum. Is total logout an intended part of the defense? (As opposed to e.g. performing the anonymous load in a new, temporary, NoScript-created Firefox container to prevent logout in the "legitimate" tab, if such is technically possible in WebExtensions.)
*Always* check the changelogs BEFORE updating that important software!
Giorgio Maone
Site Admin
Posts: 9372
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-tab identity leak protection

Post by Giorgio Maone »

That depends on the website. If they automatically assign an anonymous session id (like it happens here), it overrides the one you had and you're automatically logged out for good.
Anyway I'll investigate using containers to mitigate this side effect, thanks.
barbaz
Master Bug Buster
Posts: 10444
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cross-tab identity leak protection

Post by barbaz »

Giorgio Maone wrote: Thu Aug 11, 2022 4:59 am I'll investigate using containers to mitigate this side effect, thanks.
Cool!

If using Containers could work without weakening the defense, please make sure the solution does *not* use "management" permission. That one to me is the scariest permission any WebExtension could have, to the point I don't use any Containers related extensions entirely because they've all added "management" permission (which, AFAICT from code inspection, is unrelated to and unnecessary for their basic functionality).

Since I find it so scary even while having technical understanding of WebExtensions, and seeing how NoScript users reacted to the relatively harmless "downloads" permission, asking for "management" permission...err...won't end well, to say the least.

Hope this isn't a show stopper on the Containers idea, I'm not sure why "management" permission creeps into Containers related extensions but if NoScript can make good use of Containers without it, looking forward to it! :)
*Always* check the changelogs BEFORE updating that important software!
aaronkollasch
Posts: 1
Joined: Thu Aug 11, 2022 10:58 pm

Re: Cross-tab identity leak protection

Post by aaronkollasch »

barbaz wrote: Thu Aug 11, 2022 6:43 pm If using Containers could work without weakening the defense, please make sure the solution does *not* use "management" permission. That one to me is the scariest permission any WebExtension could have, to the point I don't use any Containers related extensions entirely because they've all added "management" permission (which, AFAICT from code inspection, is unrelated to and unnecessary for their basic functionality).
I've been developing and using a PR for NoScript with separate policies for each container without requesting the "management" permission. It seems the contextualIdentities API only requires the "cookies" permission in addition to "contextualIdentities". In fact, I've been able to use the get() and query() portions of the API without requesting "cookies" permission, though perhaps "cookies" is required for creating or modifying containers. I don't see any indication that "management" is required for basic functionality.

More of a minor annoyance is that the "contextualIdentities" permission cannot be made optional, so it automatically enables containers unless you change a setting in about:config (privacy.userContext.enabled=false).

I'll have to look more into the container addons that use "management". It seems that Mozilla's Multi-Account Containers addon uses it as part of its inter-extension message handler – but MAC is not required to use containers. Thanks for bringing that up.
barbaz
Master Bug Buster
Posts: 10444
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cross-tab identity leak protection

Post by barbaz »

Is it correct for cross-tab identity leak protection to be triggering in the following case?

NoScript 11.4.11rc1
Firefox 104.0.2
new profile

STR:

1) NoScript Options > Per-site Permissions, set informaction.com and github.com to Trusted

2) NoScript Options > Advanced, enable cross-tab identity leak protection everywhere

3) new tab, visit https://forums.informaction.com/

4) middle-click the link to nscl's Github

5) switch to the nscl github tab and middle-click any same-origin link there.

At (5), the cross-tab identity leak protection claims that informaction.com can obtain github.com login data at that load, even though the opener tab is github.com. Does the exploit also work through "chaining" opener tabs like this?
*Always* check the changelogs BEFORE updating that important software!
barbaz
Master Bug Buster
Posts: 10444
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cross-tab identity leak protection

Post by barbaz »

barbaz wrote: Sat Sep 10, 2022 5:31 pm Is it correct for cross-tab identity leak protection to be triggering in the following case? [...] Does the exploit also work through "chaining" opener tabs like this?
bump
*Always* check the changelogs BEFORE updating that important software!
therube
Ambassador
Posts: 7845
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Cross-tab identity leak protection

Post by therube »

I have had this enabled - but really haven't paid it any mind.

That said, I have noticed times, when seemingly just about anything, anywhere that I might click prompts a warning.
And then, just like they started, they "subside".


Again, haven't really paid attention, so just noting...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus