Home News Advisories Tools

Fingerprinting Browsers Using Protocol Handlers

If a user is masking their user-agent in Internet Explorer or Mozilla Firefox it is still possible to identify their browser and operating system using protocols which are unique to the browser, as follows:

<img src="moz-icon://.autoreg?size=16" onload="alert('Mozilla Firefox')" onerror="alert('NOT Mozilla Firefox')"> <img src="jar:resource:///chrome/browser.jar!/content/branding/about.png" onload="alert('Mozilla Firefox')" onerror="alert('NOT Mozilla Firefox')"> <img src="resource:///res/html/folder.png" onload="alert('Firefox 3.0.0 or higher')"> <img src="res://shdoclc.dll/pagerror.gif" onload="alert('Internet Explorer 5 OR Internet Explorer 6')" onerror="alert('NOT Internet Explorer 5 OR Internet Explorer 6')"> <img src="res://ieframe.dll/info_48.png" onload="alert('Internet Explorer 7 OR Internet Explorer 8')" onerror="alert('NOT Internet Explorer 7 OR Internet Explorer 8')"> <img src="res://wdc.dll/error.gif" onload="alert('Internet Explorer ON Windows Vista OR Windows 7')">

The Mozilla Firefox protocols "moz-icon://", "jar:resource://" and "resource://" work even with "Load images automatically" turned off.

There's a bunch of images that can be used in Internet Explorer. Check out *.dll and *.dll.mui in %WINDIR%, %WINDIR%\system32\ and %WINDIR%\system32\en-US\ in Resource Hacker for more, for example:

Windows Media Player res://wmploc.dll/wmcomlogo.jpg Microsoft (R) HTML Editing Component's Resource DLL res://mshtmler.dll/wordbreak.gif Security Monitor Snap-in (Windows 2003, Windows XP, Windows Vista or Windows 7) res://IpsmSnap.dll/wlcm.bmp

Affected

• Firefox/3.6.2 and prior
• Internet Explorer 8.0.6x and prior

Not Affected

• Opera 10.51
• Google Chrome 4.0.249.89

Testing

• Firefox 3.6.2
• Internet Explorer 8.0.6001.18882
• Internet Explorer 6.0.2900.2180
• Opera 10.51
• Google Chrome 4.0.249.89

Additional Information

Google Chrome seems secure as all local images are generated using the "data:" protocol. I have tested Opera and Konquerer a little without success.

It is possible to detect the operating system using Javascript alone (navigator.platform), however this is useless if the user is OSfuscating correctly. (See: IP Personality, FingerPrintFucker, Change your Windows OS TCP/TP Fingerprint to Confuse p0f, networkminer, ettercap, nmap, and, other OS detection tools.)

It is possible, although unlikely, to fingerprint installed applications or plugins and attempt a web based exploit.

This form of fingerprinting can be easily mitigated by disabling JavaScript or using a plugin such as NoScript for Mozilla Firefox. Alternatively in Internet Explorer you can set the Internet security level to High.

I image anyone paranoid enough to actually worry about this has Javascript disabled already or is using a commandline alternative.

Proof of concept

• proof-of-concept.html

Copyright © IT Security Solutions.org