Browser-based fingerprinting: implications and mitigations

282人阅读 评论(0) 收藏 举报

Malware authors will leverage every tool and trick they can to keep their operations in complete stealth mode. Fingerprinting gives them this extra edge to hide from security researchers and run large campaigns almost completely undetected. To describe it succinctly, fingerprinting makes use of an information disclosure flaw in the browser that allows an attacker to read the user’s file system and look for predefined names.

There are plenty of examples on how successful fingerprinting can be; we covered some in our research whitepaper back in March 2016, Operation Fingerprinting, but even that was just the tip of the iceberg. More recently, researchers at Proofpoint uncovered a massive malvertising campaign that ran for at least a year and probably more, which allowed for a very large number of malware infections. It heavily relied on fingerprinting to go unnoticed by carefully targeting genuine users, running bona fide OEM computers.

Figure 1: Fingerprinting used in a malvertising campaign, hidden as a GIF image

Certainly, this is a lesson to learn for the defense side to up our game in the face of increased sophistication in online attacks. At the same time, we could easily remove a powerful weapon from the bad guys’ toolsets, which would lead to more rapid identification of their campaigns, at least until they come up with another trick.

There are also privacy implications as fingerprinting could be used to profile users, based on a list of programs present on their machines. We can imagine marketing folks from company A being interested to know if visitors to their website are running product from company B.

Figure 2:  Checking if Norton Antivirus is installed, directly from the browser

This is trivial to do with a single line of code (currently unpatched, keep reading for additional details), although it would certainly raise eyebrows in how it’s done. Less scrupulous actors might be interested in spying on persons of interests and check if they are running specific tools such as VPNs or encryption software.

A little bit of history on some troublesome protocols

Abusing Internet Explorer protocols has allowed malware authors to either run malicious code or gain information about their victims. Here we review some past and present techniques including one that is currently unpatched and used in exploit kits and malvertising attacks.

File:// protocol

If we go back in time, before XP’s Service Pack 2, the local machine zone (LMZ) allowed you to run binaries without restrictions via another protocol, the file:// protocol.

Figure 3: Microsoft fixed a flaw that allowed to run binaries in IE6 and earlier.

The file:// protocol was literally running in the local machine zone, with full privileges. From your evil webpage you could do:

<iframe src="file://c:/downloads/malicious.html"></iframe>

and after instantiating a WScript.Shell, you could do a full remote code execution.

XMLDOM loadXML (CVE-2013-7331)

Back in 2013, a researcher revealed how Microsoft XMLDOM in IE can divulge information of local drive/network in error messages – XXE. This technique was/isused in the wild by various exploit kits as well as in some malvertising campaigns. The XMLDOM technique is the most powerful one for fingerprinting purposes as it allows for any type of file (not just binaries) to be checked for.

Microsoft fixed the issue with XMLDOM checks. See tweet and following discussionhere.

For a proof of concept code:

Onload res:// CVE-2015-2413

res:// is an internal IE protocol running in the Internet Zone (even for local files) that allows webpages to load resources from local files (from the resource section). At the same time, IE considers many of this res: URLs “special” and it allows them to do things like opening the Internet Connection Dialog (and much more).

Microsoft allows res:// URLs to be loaded by normal HTTP webpages because IE/Edge need them for various parts of the browser’s functionality, like default error or information pages.

It was added to the Magnitude EK, as a pre-check on its gate, but is now patched as well. The res technique isn’t as good as the XMLDOM one as it can only check for binaries, as it needs their resource section.

Figure 4: Image created from a script using onload to detect if the resource was loaded

Iframe res:// variant (unpatched)

Affected software:

Operating System: Windows 7, Windows 10 (both fully patched).

Browsers: Internet Explorer 10, 11. Microsoft Edge (38.14393.0.0) & Microsoft EdgeHTML (14.14393).

Note: For Microsoft Edge, fingerprinting will only work in the Windows and Program Files folders, as the AppContainer doesn’t allow read access to other parts of the system.

Figure 5: Determining the presence of calc.exe under %system32% from a website.

Current use in exploit kits:

We studied the way Neutrino EK filters security researchers via the same Flash exploit it uses to exploit and infect a system (Neutrino EK: fingerprinting in a Flash) as well as one of its pre-gate checks (Neutrino EK: more Flash trickery).

Figure 6: iframes checking for local files

Using ActionScript within the Flash exploit, Neutrino EK can check on those loadable resources and guess via JavaScript and DOM events if those files exist.

Disclaimer: we are not sharing our proof of concept publicly as Microsoft is currently working on a patch. While it’s true that it is in the wild, the PoC we wrote is derived from Neutrino’s Flash-based fingerprinting and a lot easier to copy/paste for other bad guys to reuse. If you are interested, please contact us privately.


A good mitigation to the abuse of this problem would be to allow IE to load resource files that are used only by IE such as mshtml.dll, ieframe.dll, and a few more. All the other ones should be blocked!

In other words, iexplore.exe (or any other binary using the WebBrowser Control) should be allowed to load only the resources that are really needed by the WebBrowser engine, and no more. The only legitimate uses of the res: protocol are IE internal pages/dialogs and maybe old toolbars. DevTools (F12) also uses it.

Figure 7: Some res:// calls in Microsoft Edge

Some old toolbars that are relying on res:// might stop working but they can whitelist those particular DLLs or even better, let the developers update their code.


Information disclosure bugs seem to linger and resurface quickly after they have been patched. This is probably due to the core issue not being fundamentally addressed perhaps because of compatibility risk in making any drastic change.

While these flaws are not critical compared to, let’s say remote code execution, they can help bad guys to save those RCEs for genuine victims and hide them from the security community much longer.


I would like to say a big thank you to Manuel Caballero for inspiring me to dig deeper into this issue. Thanks to Eric Lawrence for additional checks in Edge and affected paths.



使用canvas fingerprinting追踪用户信息

总结一下使用canvas fingerprinting的过程 需求分析(页未央的点赞模块功能) 详细需求看这里》》 点我《《 - 点赞次数 - 是否登陆 - 登...
  • qq_18832439
  • qq_18832439
  • 2017年02月13日 11:13
  • 1307

codeforces #550E Brackets in Implications 构造

题目大意:定义在集合{0,1}\{0,1\}上的运算符“→\rightarrow”,定义如下: 0→0=10\rightarrow 0=1 0→1=10\rightarrow 1=1 1→0=0...
  • PoPoQQQ
  • PoPoQQQ
  • 2015年06月05日 14:08
  • 1162

CF#306(Div. 2) E-Brackets in Implications

题目: 分析:尝试最后两位: 0 1 一定是1 1 0 一定...
  • jerry99s
  • jerry99s
  • 2015年06月13日 21:59
  • 244

XJTU Summer Holiday Test 1(Brackets in Implications-构造)

B - Brackets in Implications Time Limit:2000MS     Memory Limit:262144KB     64bit IO Format:%I64d ...
  • nike0good
  • nike0good
  • 2015年07月12日 16:07
  • 588


  • sirnuo
  • sirnuo
  • 2017年08月11日 14:40
  • 905


  • u014621518
  • u014621518
  • 2017年07月18日 10:07
  • 292

fingerprinting algorithm

In computer science, a fingerprinting algorithm is a procedure that maps an arbitrarily large data i...
  • c289054531
  • c289054531
  • 2012年10月17日 20:44
  • 513

A Highly Robust Audio Fingerprinting System

本文是音频指纹系统的权威论文,被引用近500次,除了一些背景信息、验证性分析和实验结果,翻译了大部分内容。 原文下载:
  • maverick1990
  • maverick1990
  • 2013年10月17日 14:19
  • 2047

OCP 1Z0 052 63

62. You  are  in  the middle  of  a  transaction  updating  a  very  important  table.  The machine ...
  • jgmydsai
  • jgmydsai
  • 2014年06月13日 13:50
  • 758

canvas 追踪 js实现方案 实现浏览器唯一标示 标记

function bin2hex(str) {         var result = "";         for (i = 0; i             result += int...
  • javakeffer
  • javakeffer
  • 2015年09月29日 10:01
  • 457
    访问量: 85万+
    积分: 8633
    排名: 2775