https://github.com/joe12387/safari-canvas-fingerprinting-exploit
An exploit for Safari 17.4 and lower that enables fingerprinting Safari users using OffscreenCanvas and SharedWorkers even if fingerprinting protections are enabled.
apple browser browser-fingerprint browser-fingerprinting exploit fingerprint fingerprinting ios javascript macos safari vulnerabilities vulnerability
- Host: GitHub
- URL: https://github.com/joe12387/safari-canvas-fingerprinting-exploit
- Owner: Joe12387
- License: mit
- Created: 2024-03-15T00:04:53.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-07-13T17:25:39.000Z (10 months ago)
- Last Synced: 2024-07-13T18:44:39.823Z (10 months ago)
- Topics: apple, browser, browser-fingerprint, browser-fingerprinting, exploit, fingerprint, fingerprinting, ios, javascript, macos, safari, vulnerabilities, vulnerability
- Language: HTML
- Homepage: https://detectincognito.com/whatAreYouSmokingApple.html
- Size: 456 KB
- Stars: 7
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Safari 17.4 Canvas Fingerprinting Protections Bypass
This is an exploit for Safari 17.4 and lower that enables fingerprinting Safari users using `OffscreenCanvas` and `SharedWorker` even if fingerprinting protections are enabled. Apple seems to be unconcerned about this, so here it is!

[Apple seems to have changed their tune.](/img/appleActuallyCaresAboutYourPrivacy.png "Apple seems to have changed their tune.")

Demo: https://detectincognito.com/whatAreYouSmokingApple.html
Update (March 2024): While the included PoC doesn't display this, [Firefox also seems to be vulnerable](https://bugzilla.mozilla.org/show_bug.cgi?id=1885471 "Firefox also seems to be vulnerable").
## Issues Addressed
### June 2024
* Apple assigned this vulnerability [CVE-2024-27830](https://www.cve.org/CVERecord?id=CVE-2024-27830) and resolved it in [Safari 17.5](https://support.apple.com/en-us/HT214103).
* Mozilla [attempted to address the issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1885471) in Firefox 127; however, the `ServiceWorker` scope is still vulnerable to fingerprinting via `OffscreenCanvas`.
### August 2024
* Mozilla says the issue involving `OffscreenCanvas` will be addressed in Firefox 131.

# The Vulnerability
As of Safari 17.4 on both macOS and iOS, canvas fingerprinting protections are not applied to `SharedWorker` and `ServiceWorker` web workers. Protections still apply to the `Worker` context, as well as in the main `window` context. Workers have no DOM and therefore no `<canvas>` element, so `OffscreenCanvas` is the only way to draw and read back pixels from inside one; it is that readback that goes un-noised in the two affected worker scopes.

# The Proof of Concept
The included script runs a simple canvas fingerprinting technique using `OffscreenCanvas` in the `SharedWorker` scope. The output is then hashed. In addition, a function has been included that is able to detect if noise is being added to the `OffscreenCanvas` output for each included context. While the `ServiceWorker` context is also vulnerable to this attack, it is not implemented in order to keep the PoC as a single file.

To test the script, run it in Safari in a private window. The expected behavior is that each context should have the same hash value and all return `Noise: true`. However, as of Safari 17.4, `SharedWorker` will return a hash value that can aid in browser fingerprinting, one that is likely unique to the version of Safari used and maybe also to the hardware it's running on. While Safari is generally very resistant to being fingerprinted and this is certainly not enough alone to track a specific browser, this is not an ideal situation and must be addressed by Apple.
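The probe the PoC describes, written out as an added example rather than the repository's own script (this is not the project's code): `drawScene`, `fnv1a32`, `fingerprintHash`, `hasReadbackNoise` and `runProbes` are names chosen here; the noise check used, an exact round-trip test on a solid opaque fill, is one way to detect readback noise and not necessarily the method the PoC uses; and `FakeCanvas`, together with its noise model, is a constructed stand-in so the file also runs under Node, not a description of how Safari perturbs pixels.

```javascript
// Added example, not code from the repository. Both probes target the
// OffscreenCanvas 2D API so the same functions run in window, Worker,
// SharedWorker and ServiceWorker scopes; FakeCanvas is a constructed stand-in
// (not a renderer) so the file also runs under Node, which has no canvas.
//   fingerprintHash: draw a fixed scene and hash the RGBA readback.
//   hasReadbackNoise: fill with one opaque colour and check every channel
//     reads back exactly; any deviation means this context perturbs readback.
// Browser use: runProbes((w, h) => new OffscreenCanvas(w, h)).

const W = 128, H = 32;

// FNV-1a 32-bit over a byte array; enough to compare probe outputs.
function fnv1a32(bytes) {
  let h = 0x811c9dc5;
  for (let i = 0; i < bytes.length; i++) h = Math.imul(h ^ bytes[i], 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Fixed scene: solid background, text with an emoji, anti-aliased arc. Font
// rasterisation and compositing differ between engines, OSes and GPUs.
function drawScene(ctx) {
  ctx.fillStyle = "#ff6600";
  ctx.fillRect(0, 0, W, H);
  ctx.font = "14px Arial";
  ctx.fillStyle = "#006699";
  ctx.fillText("Cwm fjordbank glyphs vext quiz 😃", 2, 15);
  ctx.strokeStyle = "rgba(102,204,0,0.7)";
  ctx.beginPath();
  ctx.arc(50, 20, 10, 0, Math.PI * 1.5);
  ctx.stroke();
}

function fingerprintHash(makeCanvas) {
  const ctx = makeCanvas(W, H).getContext("2d");
  drawScene(ctx);
  return fnv1a32(ctx.getImageData(0, 0, W, H).data);
}

// A solid opaque fill round-trips exactly through getImageData unless noise is injected.
function hasReadbackNoise(makeCanvas) {
  const ctx = makeCanvas(W, H).getContext("2d");
  ctx.fillStyle = "#102030";
  ctx.fillRect(0, 0, W, H);
  const px = ctx.getImageData(0, 0, W, H).data;
  const expected = [0x10, 0x20, 0x30, 0xff];
  let deviations = 0;
  for (let i = 0; i < px.length; i++) if (px[i] !== expected[i & 3]) deviations++;
  return deviations > 0;
}

function runProbes(makeCanvas) {
  return { hash: fingerprintHash(makeCanvas), noise: hasReadbackNoise(makeCanvas) };
}

// Constructed stand-in for OffscreenCanvas (Node only). "#rrggbb" fillRect
// writes exact pixels; other ops XOR a deterministic pattern derived from
// their arguments into the buffer; with `protected: true`, readback flips the
// low bit of a fixed set of channels, mimicking stable per-session noise.
class FakeCanvas {
  constructor(width, height, opts = {}) {
    this.width = width; this.height = height;
    this.protected = !!opts.protected;
    this.buf = new Uint8ClampedArray(width * height * 4);
  }
  stamp(op) {
    const s = new TextEncoder().encode(JSON.stringify(op));
    const pos = parseInt(fnv1a32(s), 16) % this.buf.length;
    for (let i = 0; i < 64; i++) this.buf[(pos + i * 7) % this.buf.length] ^= s[i % s.length];
  }
  getContext() {
    const c = this, ctx = {
      fillStyle: "#000000", strokeStyle: "#000000", font: "10px sans-serif",
      fillRect(x, y, w, h) {
        const m = /^#([0-9a-f]{6})$/i.exec(ctx.fillStyle);
        if (!m) return c.stamp(["fillRect", ctx.fillStyle, x, y, w, h]);
        const rgb = [0, 2, 4].map(i => parseInt(m[1].slice(i, i + 2), 16));
        for (let py = y; py < y + h; py++)
          for (let px = x; px < x + w; px++) c.buf.set([...rgb, 255], (py * c.width + px) * 4);
      },
      fillText(t, x, y) { c.stamp(["fillText", t, x, y, ctx.font, ctx.fillStyle]); },
      beginPath() {},
      arc(...a) { c.stamp(["arc", ...a]); },
      stroke() { c.stamp(["stroke", ctx.strokeStyle]); },
      getImageData() {
        const data = new Uint8ClampedArray(c.buf);
        if (c.protected) for (let i = 0; i < 32; i++) data[(0x2545 + i * 509) % data.length] ^= 1;
        return { data };
      },
    };
    return ctx;
  }
}

// Offline illustration of the Safari <= 17.4 situation: window protected, SharedWorker not.
if (typeof OffscreenCanvas === "undefined") console.log({
  window: runProbes((w, h) => new FakeCanvas(w, h, { protected: true })),
  SharedWorker: runProbes((w, h) => new FakeCanvas(w, h, { protected: false })),
});
```

In a browser, load the same file in each scope and compare the reports: a `SharedWorker` script would do `onconnect = e => e.ports[0].postMessage(runProbes((w, h) => new OffscreenCanvas(w, h)))`, and the page reads the result from `new SharedWorker(url).port.onmessage`. On Safari 17.4 in a private window the text above predicts `noise: true` from `window` and `Worker` but `noise: false` plus a stable hash from `SharedWorker`; once the CVE-2024-27830 fix in Safari 17.5 is in place, all scopes should agree. The solid-fill check is deliberately independent of how the noise is seeded: a browser that applies the same seeded perturbation on every read would pass a "render twice and compare" test, but it still cannot return exact bytes for a known opaque colour.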
Please keep in mind that as of Safari 17.4, Safari only adds noise to canvases in private windows/tabs and not regular windows/tabs by default. To change this, you must change Safari's Settings under `Advanced` > `Use advanced tracking and fingerprinting protection` > `in all browsing`.
# Apple's Response
Update: [Apple seems to have changed their tune.](/img/appleActuallyCaresAboutYourPrivacy.png "Apple seems to have changed their tune.")
# Credits
* [abrahamjuliot](https://github.com/abrahamjuliot "abrahamjuliot") for writing [the script](https://abrahamjuliot.github.io/fpworker/ "the script") that brought this issue to my attention and being generally awesome.
* Apple's Security Engineers for being comically incompetent.

# Copyright
(c) 2024 Joe Rutkowski (Joe12387), released under the MIT License