/safari-canvas-fingerprinting-exploit

An exploit for Safari 17.4 and lower that enables fingerprinting Safari users using OffscreenCanvas and SharedWorkers even if fingerprinting protections are enabled.


Safari 17.4 Canvas Fingerprinting Protections Bypass

This is an exploit for Safari 17.4 and lower that enables fingerprinting Safari users using OffscreenCanvas and SharedWorker even if fingerprinting protections are enabled. Apple seems to be unconcerned about this, so here it is! Apple seems to have changed their tune.

Demo: https://detectincognito.com/whatAreYouSmokingApple.html

Update (March 2024): While the included PoC doesn't display this, Firefox also seems to be vulnerable.

Issues Addressed

June 2024

  • CVE-2024-27830

August 2024

  • Mozilla says the issue involving OffscreenCanvas will be addressed in Firefox 131.

The Vulnerability

As of Safari 17.4 on both macOS and iOS, canvas fingerprinting protections are not applied to SharedWorker and ServiceWorker web workers. Protections still apply to the Worker context, as well as in the main window context.

The Proof of Concept

The included script runs a simple canvas fingerprinting technique using OffscreenCanvas in the SharedWorker scope. The output is then hashed. In addition, a function has been included that is able to detect if noise is being added to the OffscreenCanvas output for each included context. While the ServiceWorker context is also vulnerable to this attack, it is not implemented in order to keep the PoC as a single file.

To test the script, run it in Safari in a private window. The expected behavior is that every context returns the same hash value and reports Noise: true. However, as of Safari 17.4, SharedWorker returns a hash value that can aid browser fingerprinting; it is likely unique to the version of Safari used and maybe also to the hardware it's running on. While Safari is generally very resistant to being fingerprinted and this is certainly not enough alone to track a specific browser, this is not an ideal situation and must be addressed by Apple.

Please keep in mind that as of Safari 17.4, Safari by default only adds noise to canvases in private windows/tabs, not in regular windows/tabs. To change this, open Safari's Settings and set Advanced > Use advanced tracking and fingerprinting protection to "in all browsing".
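To verify that a browser build applies the protection in every context, the noise check described above can be written as a small regression test. This is an added example, not the repository's PoC: the function names and the fill colour are hypothetical, and it assumes that active protection perturbs at least one channel of a known solid fill on readback.

```javascript
// Added example (not the repository's PoC); all names are hypothetical.
// Assumption: an active protection changes at least one channel of a
// known solid fill when the canvas is read back.
const FILL = [10, 120, 200, 255]; // constructed RGBA test colour

// Pure check: true if any byte of the RGBA buffer deviates from `fill`.
function pixelsShowNoise(rgba, fill = FILL) {
  for (let i = 0; i < rgba.length; i++) {
    if (rgba[i] !== fill[i % 4]) return true;
  }
  return false;
}

// Browser-only probe: paint the fill on an OffscreenCanvas and read it back.
// Run it in the window, a Worker and a SharedWorker and collect the reports.
function probeContext(name, size = 16) {
  if (typeof OffscreenCanvas === 'undefined') return null; // e.g. Node
  const ctx = new OffscreenCanvas(size, size).getContext('2d');
  ctx.fillStyle = `rgb(${FILL[0]}, ${FILL[1]}, ${FILL[2]})`;
  ctx.fillRect(0, 0, size, size);
  const { data } = ctx.getImageData(0, 0, size, size);
  return { context: name, noise: pixelsShowNoise(data) };
}

// Given one report per context, list the contexts where noise is missing.
function unprotectedContexts(reports) {
  return reports.filter((r) => r && !r.noise).map((r) => r.context);
}

// Constructed readbacks modelling the behaviour the README describes for
// Safari 17.4: window and Worker are noised, SharedWorker is not.
function sampleReports() {
  const clean = new Uint8ClampedArray(16).map((_, i) => FILL[i % 4]);
  const noised = Uint8ClampedArray.from(clean);
  noised[5] += 1; // one green channel nudged, as noise injection might do
  return [
    { context: 'window', noise: pixelsShowNoise(noised) },
    { context: 'Worker', noise: pixelsShowNoise(noised) },
    { context: 'SharedWorker', noise: pixelsShowNoise(clean) },
  ];
}
```

On a build where the issue is fixed, `unprotectedContexts` should return an empty list for reports gathered from all three contexts with protections enabled.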

Apple's Response

Apple cares about your privacy

Update: Apple seems to have changed their tune.

Credits

  • abrahamjuliot for writing the script that brought this issue to my attention and being generally awesome.
  • Apple's Security Engineers for being comically incompetent.

Copyright

(c) 2024 Joe Rutkowski (Joe12387), released under the MIT License