[tor-bugs] #15502 [Tor Browser]: Blob URIs considered harmful

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 28 23:30:09 UTC 2015 

#15502: Blob URIs considered harmful
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  major                                |         Status:  new
Component:  Tor Browser                          |      Milestone:
 Keywords:  tbb-linkability, tbb-newnym,         |        Version:
  TorBrowserTeam201503, tbb-4.5-alpha            |  Actual Points:
Parent ID:                                       |         Points:
-------------------------------------------------+-------------------------
 Blobs are a mechanism for creating temporary files that live in the
 browser and can optionally be assigned a random GUID that can be accessed
 via the blob: scheme.

 Unfortunately, this has several bad consequences for TBB:
 1. blob: URIs are whitelisted in NoScript
 2. blob: URIs survive New Identity
 3. blob: URIs are not isolated by top-level domain

 I think this is tricky to exploit to get arbitrary scripts to run, because
 you already need scripts enabled to create these things. They are also not
 great to use as a tracking vector, because the GUID you get is randomly
 assigned.

 However, they still deeply concern me because if you want to keep track of
 a short list of users, you can create blob uris for them, record those
 GUIDS, and cycle through this list of GUIDs for every user who visits any
 site.

 Here's an example blob URI creation script that gives you a blob uri that
 you can throw in the URL bar. It will then execute scripts (pop up an
 alert) even if you have instructed NoScript to disable scripts globally:
 https://people.torproject.org/~mikeperry/transient/tests/blob-uri-
 creation.html

 You can also use the resulting URI to test and see that it survives New
 Identity.

 This ticket probably needs several child tickets to deal with the various
 issues here. Or we could just simply drop support for the URI feature of
 the Blob APIs. It seems rather obscure and unnessary, since you can use
 these things as normal JS objects just fine without them being URIs.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15502>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list