TTP-02-006 WP1: Information leaks via custom homepage (Low)
Description
It was discovered that setting a custom homepage can lead to information leaks under specific circumstances, namely when a malicious homepage is combined with use of the Reset your Identity feature. When a user has their custom homepage open in a browser tab and then uses Reset your Identity, the homepage is opened again automatically after the browser restarts with the new identity. If the custom homepage is malicious, it can record the moment the user left the page and infer that the new user who accesses the page shortly afterwards is the same person as the previous user.
Furthermore, a malicious webpage could use the onbeforeunload handler to determine with confidence whether the user initiated an identity reset. If the user tried to close the browser or navigate away, the onbeforeunload dialog would be displayed and block further actions, giving the script enough time to ping the server. In contrast, if the user chose to reset their identity, the browser would be closed automatically, and no ping would be sent. The PoC below demonstrates how the above sequence could be achieved. Additional steps to track when the user left and rejoined the page would have to be added to properly infer the user's new identity.
PoC:
    <script>
      let exit;
      // Runs when the user closes the tab or navigates away. Returning a
      // string makes the browser show the "leave page" prompt, which keeps
      // the page alive long enough for the ping below to be sent.
      onbeforeunload = () => { exit = true; return ""; };
      // Poll the flag and, once it is set, send a single request to /exited.
      let timer = setInterval(() => {
        if (exit) {
          let img = new Image();
          img.src = "/exited";
          clearInterval(timer);
          timer = false;
        }
      }, 1);
    </script>
Steps to reproduce:
- Open the Tor Browser and connect to the Tor network.
- Save the PoC above as an HTML file and open it on the Tor Browser.
- Observe that a request to /exited is made if the user tries to close the browser or navigate away from the tab, and that no such request is made when the user instead resets their identity.
To mitigate this issue, Cure53 advises removing the ability to set custom homepages from the options available to users. Alternatively, the custom homepage should not be opened automatically after the Reset your Identity feature is used.