Attackers could bypass LetterBox in tor browser
From email:
Dear Mozilla, Tor, I would like to report what I believe to be a vulnerability with a
low - medium
risk; the vulnerability allows the attacker to resize the browser's window into full screen, getting the exact screen dimensions of the device's screen. This, of course, wouldn't be an issue if we were talking about casual everyday browsers (chrome, firefox, etc), but this is Tor, where every bit of information is valuable to someone out there.Risk low - medium
1- Although screen size dimensions might not be the only factor that compromises a Tor user's anonymity, they are a crucial piece of data that, when combined with other details, can be used to build a user profile.
2- Because almost all other Tor users have similar screen sizes, people who fall victim to this vulnerability will be even more unique and easier to target.
All the details can be found in this GitHub repo (https://github.com/a7maadf/Bypass-LetterBoxing), along with a proof of concept video, and the script used. I'm ready to answer any questions you have. Thank you for everything you have done for the community. Regards, Ahmad ahmad-fawzy.com Computer Scientist && Penetration Tester
upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1788839