The paper, which is linked from the article, demonstrates a browser "fingerprinting" attack, which is to say, stealing pixels from one iframe using another iframe (which is quite clearly a violation of the safety properties the browser is supposed to provide).
It's unfortunate that this article is poor, but the paper itself is clear and readable.
Why do they call that browser fingerprinting? That’s clearly a violation of browser isolation policies, but I don’t see the connection to fingerprinting. Also there are much easier ways to do actual fingerprinting. That involves finding a large number of statistically unique things and combining them to identify repeat visits from a particular device without cookies or local storage.
I think it is less about a server fingerprinting a client and more about one website using broken browser isolation to fingerprint other websites being visited. In the example, they leak whether a pixel is black or white by scaling it to fit the full canvas and then triggering 200-400 renders.
Different browsers will leak different data from this (and subsequent) methods. And so what if there are some easier things one can gather; fingerprinting relies on gathering many things. You claim it needs a "large number of statistically unique" items, which is wrong. One statistically unique item is enough, but that's hard.
What is actually used is enough (not large, not small, not one usually... just enough) items with some spread in statistics such that one gathers enough such things so they can conclude to some level of certainty the device is uniquely determined.
Thus any new piece of data that provides any amount of device discrimination is useful. This new method fits the bill. And it will open the door to much more advanced attacks, as all new attacks do.
slashdev|2 years ago
ngneer|2 years ago
SideQuark|2 years ago