FYI - Detecting Canvas Defender and recovering the original canvas value

[Just-me-ghacks]

Evaluating the privacy implications of a canvas fingerprinting countermeasure

In this post, we showed that contrary to what’s claimed in their article, Canvas Defender can easily be detected. We showed that detecting if a user has Canvas Defender installed can be checked by looking at the string representation of toDataURL. It can also be detected using the MutationObserver API. The advantage of this approach is that it enables to extract the noise vector used by Canvas Defender. Depending on the settings chosen by the user in the extension, this noise vector may remain the same until the user deliberately changes it. Finally, we showed how to recover the original canvas value, even in the presence of Canvas Defender.

Can mozilla and google recover the original canvas value if you use privacy.resistFingerprinting to spoof it?

[earthlng]

Holy shit! Thanks for sharing that link.

This also makes some of our userscripts easily detectable btw ...
Ctrl+K then enter history.__lookupGetter__('length').toString() to see the custom function that spoofs history.length

[kkapsner]

I think all the points in the article do not apply to CanvasBlocker. The point is that Firefox has some additional WebExtension APIs that allow addon-code to run in the (security) context of the web page (exportFunction). But if you create a WebExtension that also has to run on Chrome or even Edge you cannot use them.

That's why CB is only for Firefox. (Although I recently got a request for a Chrome version: kkapsner/CanvasBlocker#203 - let's see how this works out...

I also did a test where I could extract the canvas fingerprint with Canvas Defender installed without any additional code - the addon code was just not loaded fast enough... WebExtensions are a nightmare to build a privacy addon with...

@earthlng: these APIs would also allow the history.length to be spoofed in a sneaky fashion. To be honest: it would be really simple to include this in CanvasBlocker... ;)

[kkapsner]

Just realized they removed the exportFunction documentation: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Content_scripts$compare?locale=en-US&to=1348378&from=1348018
Hopefully they do not want to ditch it.

[kkapsner]

Here my test page for the extraction: https://canvasblocker.kkapsner.de/test/settingsLoading.php

Canvas Defender:
(changed the hashes as i do not want to post my canvas fingerprint on the internet...)

CanvasBlocker:
notice the fingerprint icon in the address bar (here I can give you the real data as they are faked ;))

[kkapsner]

Regarding e5d...: I get this as well when disabling CB and using RFP - so it's the correct value. I use a different canvas size (220px × 30px) and therefore the hash is different (also I do not know which hashing algorithm panopticlick is using - I use sha256 of the data-URL).

[earthlng]

Just realized they removed the exportFunction documentation

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Sharing_objects_with_page_scripts

[earthlng]

@kkapsner

these APIs would also allow the history.length to be spoofed in a sneaky fashion.

can you show me how, please? I can't wrap my head around how to exportFunction a getter in a way that still makes it possible to check the original history.length (to know what to return) while at the same time prevent the page from seeing the custom function.

[kkapsner]

@earthlng: thanks for the new link - good to know that it is still documented.
For the "how to exportFunction a getter" you can check CB-Code as that is exactly what I do: https://github.com/kkapsner/CanvasBlocker/blob/master/lib/intercept.js#L179
You first store the original function (has to be slighly different in your case as you have to store the getter) and then you redefine the getter.

@Thorin-Oakenpants: I do not think that the situation is that bad. Most dddons do not need to provide functions that can be called by the website. But I have not checked and unfortunately all the anti-fingerprinting and some of the privacy addons have to. So if they are not carefully they might make things wore.

[kkapsner]

I think this might require us to vet all our recommended addons, but I have no idea how to do that

One by one on an individual basis. Basically look in the code of the addon or the "bad" guys and see what of the browsers APIs they are using/changing.