Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Browser name LEAKS because of InstallTrigger #494

Closed
sdfergergweg opened this issue Mar 17, 2021 · 11 comments
Closed

Browser name LEAKS because of InstallTrigger #494

sdfergergweg opened this issue Mar 17, 2021 · 11 comments

Comments

@sdfergergweg
Copy link

please make these options to block InstallTrigger and fake window.chrome.webstore and other objects
because http://proxyleak.com can detect Firefox name

you can read about it on https://christopherdiehl.github.io/posts/browser-fingerprinting/

thank you
@sereneblue
Copy link
Owner

Hi @InstallTrigger, thanks for pointing this out! That's a pretty good resource that could also help improve spoofing for some of the other profiles. This will be addressed in a future update.

@Thorin-Oakenpants
Copy link 

	let isFFsum = ("undefined" != typeof InstallTrigger ? true : false)
		+ ("InstallTrigger" in window ? true : false)
		+ (typeof InstallTriggerImpl !== "undefined" ? true : false)
	console.log(isFFsum > 0 ? "Firefox" : "Not Firefox")

Good luck beating that. You, and I can't stress this enough, cannot hide your browser engine. There are literally hunhdreds of ways to reliably detect it. The above script is really "gecko", not "Firefox" specifically. That said, anything that fools naive scripts is all good - just as long as you are aware that you can't really hide tampering from advanced scripts, and for many you still leak the real values via other methods or equivalency : and when that happens, you increase your entropy. The only long term real solution is for in-browser solutions

@sereneblue
Copy link
Owner 

	let isFFsum = ("undefined" != typeof InstallTrigger ? true : false)
		+ ("InstallTrigger" in window ? true : false)
		+ (typeof InstallTriggerImpl !== "undefined" ? true : false)
	console.log(isFFsum > 0 ? "Firefox" : "Not Firefox")

Good luck beating that. You, and I can't stress this enough, cannot hide your browser engine. There are literally hunhdreds of ways to reliably detect it. The above script is really "gecko", not "Firefox" specifically. That said, anything that fools naive scripts is all good - just as long as you are aware that you can't really hide tampering from advanced scripts, and for many you still leak the real values via other methods or equivalency : and when that happens, you increase your entropy. The only long term real solution is for in-browser solutions

Agreed. So far I am able to spoof the above check. I'm working on implementing some of the other browser APIs/variables that were linked in OP.

@Thorin-Oakenpants
Copy link

Thorin-Oakenpants commented Mar 22, 2021
edited
Loading

you'll never win :) edit: i.e win against me :)

note: the value shown is accumulative, and I only ever set true in code (we start with false), i.e it is not the result of subsequent tests e.g. if it's already true in say "system font" but you manage to beat math, it still shows true

  • i.e I only need to get isFF = true once

good luck beating that :)

harden-isFF

@sereneblue
Copy link
Owner

you'll never win :) edit: i.e win against me :)

note: the value shown is accumulative, and I only ever set true in code (we start with false), i.e it is not the result of subsequent tests e.g. if it's already true in say "system font" but you manage to beat math, it still shows true

* i.e I only need to get isFF = true once

good luck beating that :)

harden-isFF

Haha, with the ever growing number of browser APIs, it's a game of whack a mole. We'll just have to hope that most fingerprinting scripts are naive. :)

sereneblue added a commit that referenced this issue Mar 29, 2021
@sereneblue
feat: improve browser profile spoofing (#494)
1cf9036
@sereneblue
Copy link
Owner

This issue is resolved in v0.21.22.

@ponces
Copy link

ponces commented Jul 19, 2024

I can't make this to work while using a whitelist.

My scenario is: i need to spoof window.chrome to not be undefined on Firefox.

I'm using the real profile on my main config and I have a couple of sites on a whitelist rule with a chrome profile. For some reason, one of the sites (an internal portal at my company) detects window.chrome as undefined but only if I use the whitelist approach.

However, if I have the chrome profile configured as my main rule, without any whitelist one, everythink works as expected.

Any ideia?

@sereneblue
Copy link
Owner

window.chrome is a property of Chrome based browsers. It does not exist in Firefox so it should be undefined. Are you using a Chrome profile with the whitelist rules?

@ponces
Copy link

ponces commented Jul 20, 2024

window.chrome is a property of Chrome based browsers. It does not exist in Firefox so it should be undefined. Are you using a Chrome profile with the whitelist rules?

Maybe I was not so clear.
I know it shouldn't exist on Firefox and that is why I was expecting to be able to spoof it with the chrome profile. But apparently, it's only able to do it by using the profile as the main one and but not on the whitelist...

sereneblue added a commit that referenced this issue Jul 21, 2024
@sereneblue
fix: whitelist profile spoofing (#494)
c7ce885
@sereneblue
Copy link
Owner

@ponces Thanks for pointing out this issue. Whitelist profiles were missing some injection properties. This has been patched in the latest version.

@ponces
Copy link

ponces commented Jul 22, 2024

Working perfectly now. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ponces @sereneblue @Thorin-Oakenpants @sdfergergweg