Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Audio farbling bypass #42356

Closed
3 of 6 tasks
arthuredelstein opened this issue Nov 18, 2024 · 6 comments · Fixed by brave/brave-core#26651
Closed
3 of 6 tasks

[Security] Audio farbling bypass #42356

arthuredelstein opened this issue Nov 18, 2024 · 6 comments · Fixed by brave/brave-core#26651
Assignees
@arthuredelstein
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop QA Pass - Android ARM QA Pass-Win64 QA/Yes release-notes/include security
Milestone
1.75.x - Release

Comments

@arthuredelstein
Copy link

arthuredelstein commented Nov 18, 2024
edited
Loading

Description

Fix a code path in our audio farbling where audio is not being farbled. See https://hackerone.com/reports/2846851

Summary:

A bug introduced in July 2024 allows websites to bypass Brave's audio fingerprinting protection when using Web Audio AnalyserNode methods. The BraveAudioFarblingHelper is only initialized when AudioBuffer methods (getChannelData or copyFromChannel) are called, but AnalyserNode methods require this helper for farbling. As a result, AnalyserNode data accessed before any AudioBuffer calls remains unfarbled and fingerprintable across sessions and domains, reducing user privacy.

Reproduces how often

Easily reproduced

Desktop Brave version (brave://version info)

Desktop Linux: Brave 1.73.89 Chromium 131.0.6778.69 (Ubuntu 22.04.5 LTS)
Android: Brave 1.73.89 Chromium 131.0.6778.69 (Android 14)

Android device

  • Brand/model:
  • Android version:

Channel information

  • release (stable)
  • beta
  • nightly

Reproducibility

  • with Brave Shields disabled
  • with Brave Rewards disabled
  • in the latest version of Chrome
@arthuredelstein arthuredelstein added OS/Android Fixes related to Android browser functionality OS/Desktop labels Nov 18, 2024
@arthuredelstein arthuredelstein self-assigned this Nov 18, 2024
@arthuredelstein arthuredelstein mentioned this issue Nov 19, 2024
Merged
24 tasks
@LaurenWags LaurenWags added this to the 1.75.x - Nightly milestone Dec 17, 2024
@LaurenWags
Copy link
Member

@arthuredelstein please add the following required labels as appropriate:

  • QA/Yes or QA/No
    • If QA/Yes please include a test plan
  • release-notes/exclude or release-notes/include

cc @kjozwiak

@kjozwiak
Copy link
Member

@arthuredelstein @diracdeltas should we use release-notes/include as it's a Hackerone issue? We usually add anything related to Hackerone into the notes and give the reporter the credit. Unless this isn't severe enough to ass into the release notes.

@diracdeltas
Copy link
Member

yes let's include it in the release notes, credit goes to https://hackerone.com/cesium_fusilli

@LaurenWags LaurenWags changed the title Audio farbling bypass [Security] Audio farbling bypass Jan 9, 2025
@arthuredelstein
Copy link
Author

arthuredelstein commented Jan 16, 2025
edited
Loading

QA testing (copied from https://hackerone.com/reports/2846851 by https://hackerone.com/cesium_fusilli):

  1. Ensure "Block fingerprinting" is toggled on
  2. Visit the page at https://arthuredelstein.github.io/tracking_demos/brave_analyser_node_poc.html
  3. Note the fingerprint values in both tables
  4. Open a new private window
  5. Load same page again
  6. Compare the results. When this fix is applied, all results should be different between windows

@MadhaviSeelam
Copy link

Verification PASSED using

Brave | 1.75.161 Chromium: 132.0.6834.83 (Official Build) beta (64-bit)
-- | --
Revision | 7e59e37e24ad33062e0f20e842236aa03f579407
OS | Windows 11 Version 24H2 (Build 26100.2894)

Reproduced the issue in 1.74.48 using the STR/testplan from #42356 (comment)

brave://settings/shields Normal window Private window
Image Image Image

Confirmed that the fingerprint values in Normal window and Private window for both the tables are different in 1.75.161 as expected.

brave://settings/shields Normal window Private window
Image Image Image

@Uni-verse Uni-verse added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Jan 21, 2025
@Uni-verse
Copy link
Contributor

Uni-verse commented Jan 22, 2025
edited
Loading

Verified on Samsung Galaxy S21 using version:

Brave	1.75.164 Chromium: 132.0.6834.83 (Official Build) beta (64-bit) 
Revision	befbba8d7568f8713d6f942f9a7350c59b57f20a
OS	Android 13; Build/TP1A.220624.014; 33; REL
example example
Image Image

@Uni-verse Uni-verse added QA Pass - Android ARM and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Jan 22, 2025
@LaurenWags LaurenWags mentioned this issue Feb 5, 2025
Closed
@hffvld hffvld mentioned this issue Feb 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arthuredelstein arthuredelstein

Labels
OS/Android Fixes related to Android browser functionality OS/Desktop QA Pass - Android ARM QA Pass-Win64 QA/Yes release-notes/include security
Projects
None yet
Milestone
1.75.x - Release
Development

Successfully merging a pull request may close this issue.

make sure audio farbling helper is always initialized before use brave/brave-core
6 participants
@arthuredelstein @diracdeltas @kjozwiak @Uni-verse @LaurenWags @MadhaviSeelam