Block canvas & cache based evercookie

[ghost]

I've noticed that the firefox version (fresh install + clean install of browser and extensions) detects the c.t4ft.de domain referenced in golem.de and zeit.de as fingerprinting website.

Going to the page in a fresh chrome installation (browser and extension) shows this domain under non-tracking domains. But looking at the script http://c.t4ft.de/c/ftg_iq.min.js shows that it does canvas fingerprinting. This is also the reason why this domain gets blocked after a while in firefox but not in chrome

As said earlier, both were fresh installations with fresh user profiles. Both browsers only had privacy badger and https everywhere installed,

[SwartzCr]

@ghostwords any ideas?

[ghostwords]

It seems that the canvas fingerprinting function (if that is what it is ...) writes to the canvas element using drawImage, which is not one of the "write methods" we currently support. If so, this wouldn't get picked up for canvas fingerprinting on any browser.

[ghostwords]

After adding drawImage to Chameleon, I got two hits on golem.de:

{ "obj": "CanvasRenderingContext2D.prototype", "prop": "getImageData", "scriptUrl": "https:\/\/c.t4ft.de\/c\/ftg_t_v_bk.min.js?aid=1331&plus=0&fcui=190100&fcai=1427\u2026&ffli=54232&fpli=3003248&element=ftge_4780611&size=300x250&size100=300x250", "extra": { "canvas": true, "dataURL": "data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAABCAYAAADTjP5iAAAANklEQ\u20262HcBwfosVCoXklobsPSXQ3VBVVhZnBIiL3P\/5eNzNkJiICBz\/yFgEMMfxVAAAAAElFTkSuQmCC", "width": 18, "height": 1 } }

and

{ "obj": "CanvasRenderingContext2D.prototype", "prop": "getImageData", "scriptUrl": "http:\/\/batch.theadex.com\/d\/199\/360\/s\/adex.js", "extra": { "canvas": true, "dataURL": "data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NMZWD4DwACnQFmmn3AvQAAAABJRU5ErkJggg==", "width": 1, "height": 1 } }

I had to temporarily disable both text length (needs to be updated for drawImage, since drawImage doesn't work with text) and canvas width/height checks (both images above currently considered too small to count).

[cooperq]

I guess we should add drawImage dection to our own canvas fingerprinting algorithms. @ghostwords any chance you have time for this?

[ghostwords]

Yes, just not sure when.

To clarify, when I said I added drawImage to Chameleon, I meant I hacked it in temporarily just to see what's going on the page. To add it properly, I would want to better understand what that script does, and to run Chameleon Crawler to see what happens when you add drawImage and adjust canvas width/height checks.

[gunesacar]

I think this is canvas & cache based evercookie, not canvas fingerprinting. Check Samy's evercookie code or read How does the PNG caching work? The only difference is that t4ft.de script uses GIF, instead of PNG.

The script draws an image loaded from http://c.t4ft.de/ckgif/ (or cache) into the canvas. The image, which is immediately cached, contains the RGB encoded user ID. Even if you remove your cookies or local storage, the script can draw the cached image into the canvas and read your ID using canvas getImageData function.

This behavior is conditionally triggered and doesn't run for me at the moment, but I can see different GIF contents when I load the ckgif URL with different profiles. You can see the request to http://c.t4ft.de/ckgif/ on HTTP Archive.

The script also uses ETag based evercookie. Base64 decoding the ftgnetid cookie content gives you the ETag value (thanks to light obfuscation.) For instance in the above HTTP Archive example, ETag=71151108140103233, ftgnetid=NzExNTExMDgxNDAxMDMyMzM=.

[cooperq]

Dang! Good work @gunesacar, we really need to start adding heuristics to detect other types of supercookies I guess.

[cooperq]

detection: etag supercookies
detection: session, db, other html5 storage
blocking: session, db, other html5 storage
blocking: etag?
detection: navigator plugins
blocking: navigator plugins

[ghostwords]

Duplicate of #1558, #2136.