Karim Rahal, Detectify Crowdsource hacker, is a 17-year-old web-hacker who has been hacking for the greater part of his teenager years. At age 13, he started to responsibly disclose vulnerabilities—and he even blogged about one he found in Spotify! Karim still makes time for bug bounty programs, despite school.
We asked Karim to tell us why Firefox is the best choice from a white hat hacker’s point-of-view. In this blog he looks at a containers extension, research on tracker protection, and breach alert system. Here are the 3 browser features that are important to anyone concerned about privacy and security:
Browsers, being in the background—or foreground, actually—of every Internet activity, ought to be secure. They carry every piece of information we transmit over the web. And, in the market of desktop browsers, one security-driven transmitter dominates: Mozilla Firefox. Still, how can Firefox be helpful to those cautious of security and privacy issues? To determine that, we must look at which of its security features can be useful.
A containers extension that minimizes exploits
The Firefox Multi-Account Containers extension lets you carve out a separate box for each of your online lives. In other words, you can create containers and assign tabs to them. The containers can’t communicate browser data to each other and are isolated.
The extension gives some much-needed privacy. Identity-based tracking (mostly done by social media companies) is restricted. With a container that isn’t logged into Google, the company has a harder time linking your searches to your Google account. In addition, advertisers are limited in their ability to follow you around. Your cookies don’t translate from one container to another.
To illustrate, here is the same website in two different containers:
But Firefox Multi-Account Containers doesn’t only cage containers to keep them from tracking you. It also adds a layer of security over them.
To understand how it does that, we must consider default browser behavior. Normally, browsers deal with cookie transmission in a straight-forward manner. When a website is requested, its cookies are sent in the HTTP request.
However, with the extension, there’s a catch: Firefox can’t forward cookies between containers. Each container is like its own browser, only seeing the cookies it has. Thus, some attack vectors are minimized/invalidated: CSRF, CORS misconfiguration, clickjacking, and many [2].
CSRF (cross-site request forgery) is a vulnerability that exploits default cookie transmission. Precisely, it is where an attacker sends HTTP requests on your behalf through a crafted webpage. Websites protect against this by checking for a unique token in the submitted request (one that isn’t just in the browser cookies). Yet, in many cases, websites don’t implement the check, or don’t have it for all necessary endpoints.
Still, Firefox Multi-Account Containers allows you to disconnect the components necessary for this attack. The vulnerable website can be authenticated in a container different than the attacker’s webpage. With that set-up, the malicious actor can only send requests to an unauthenticated version of the targeted site.
Like CSRF, a misconfigured Access-Control-Allow-Origin header exploit also depends on cookie transfer. In short, the CORS (cross-origin resource sharing) response header tells the browser which origin should have access to a resource. In some cases, it can be poorly implemented, enabling an unintended and potentially malicious origin to view the resource.
However, provided that the authenticated website instance and the attack website are in separate containers, the exploit is ineffective (in the same way as CSRF).
Please keep in mind that some edge-cases do exist to this container-dependent security. In particular, the defense is ineffective if the malicious site appears in the same container as the website it targets. The scenario is plausible since redirects inherit the container of the referrer site.
The extension is available on Firefox’s add-on store. Upon configuration, it is recommended to have something similar to the following:
Be careful of enabling the “Always open in X” feature. It automatically forces the website to open in a single container. In attacks like GET-based CSRF, this behavior can redirect the exploit to the sensitive container.
Even in the unlikely event that the “Always open in X” feature does add some security benefit, it can be bypassed. Its URL matching is very conservative. If you enable the option for https://example.com, it will not be on for the subdomains, including https://www.example.com.
It is worth noting that, if you don’t specify a container, a default one spawns. Whenever you go to visit a website, hold the “new tab” button ( + ) to choose the appropriate container:
Enhanced Tracking Protection – does it work?
The browser also has a solution against trackers: Firefox Enhanced Tracking Protection.
According to Disconnect (the company which provides Firefox with a trackers blacklist), a tracker is a service that logs and stores data on a user’s activity [3].
Generally, advertisers and social media organizations embed cookies into websites to track your behavior online. In addition, they can use necessary information shared by your browser (such as your user-agent) to create a digital fingerprint of you.
To combat that, Firefox has implemented built-in protection. By default, it blocks known trackers (and ads) in private windows and third-party tracking cookies along with crypto-miners in all windows. In addition, to shield your normal browsing, Firefox allows you to set your content blocking to strict, stopping trackers, third-party cookies, crypto-miners, and finger-printers.
In 2017, a Mozilla study tested the feature against Alexa’s top 200 news sites. It found that “Tracking Protection blocks at least one unsafe element on 99% of the sites tested … 11 tracking elements in 50% of the sites and, in an extreme case, 150 tracking elements”[4]. However, these numbers don’t represent the actual number of trackers on the websites. Tracking scripts, when not blocked, usually unfold their own set of scripts, just like Russian dolls.
Testing tracking protection with my own study
To measure the true amount of tracking activity on Alexa’s top 200 news sites, I ran my own study[5]. First, I collected requests from each website for 2 minutes. Then, I ran the collected links against Firefox’s block-list. The following results were obtained:
- 95% of the sites sent at-least 10 tracker requests
- 50% sent at-least 242 (206 unique)
- 30% sent at-least 477 (408 unique)
- The biggest offender was an American daily newspaper with 6539 (2884 unique) requests!
I also tested for finger-printers and crypto-miners. Fortunately, none of the sites contained crypto-miners.
- of the sites sent at-least 8 (7 unique) finger-printer requests
- 30% sent at-least 27 (26 unique)
- Again, the same American newspaper took the lead with 446 (197 unique) requests.
Could I get pwned?
By sheer numbers, though, trackers aren’t the worst threat. On Have I Been Pwned, 8.2 billion records of breached accounts exist[6]. That is, companies were hacked, and your data got leaked.
Nevertheless, Firefox is trying to minimize the issue. Using the Have I Been Pwned API, the browser has made a breach alert system: Firefox Monitor. When you visit a previously compromised website, it informs you:
The feature can also notify you of any future breaches. By giving Firefox Monitor your email, you can be sure to know when your information gets exposed. Also, Firefox is planning to check the credentials in its password manager, Firefox Lockwise.
Such features are of great benefit to those who re-use passwords. However, it is highly recommend to use a password manager and not to re-use passwords. Playing cat-and-mouse with hackers isn’t ideal.
Conclusion
Undoubtedly, Mozilla Firefox boasts an impressive set of features. Firefox Multi-Account Containers separates your online life. The Enhanced Tracking Protection helps you against trackers. And, finally, Firefox Monitor keeps your credentials in check. Firefox can be a valuable addition to your security hygiene.
While these features are helpful, you have to take part in ensuring your security.
Regardless of what browser you use, some security practices should be followed:
- Always update your services.
- Use a password manager.
- Enable two-factor authentication (2FA).
- Be vigilant (don’t click random links, watch out for phishing attempts, etc.).
Notable Firefox Add-ons
- To dynamically block trackers (on top of Firefox’s list): Privacy Badger
- To force HTTPS on all websites: HTTPS Everywhere
- To block JavaScript and shield from XSS (cross-site scripting): NoScript
References
[1]: https://github.com/mozilla/multi-account-containers/blob/master/README.md
[2]: https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
[3]: https://disconnect.me/trackerprotection
[4]: https://blog.mozilla.org/firefox/files/2017/09/tracking-protection-test.pdf
[6]: https://haveibeenpwned.com
Notes [5]:
I ran the study using the Puppeteer library.
The static 2 minute wait started after the website was ready and sent no requests for 500 ms—requests made before the wait were still collected.
To verify that the websites didn’t block my experiment, I took screenshots. Two websites did consistently block my attempts and were thus excluded from the study: www.bloomberg.com and www.fark.com.
I made sure to account for the Firefox whitelist. In addition, I filtered out requests sent to the same origin.
A few false-positives may exist because the Firefox blacklist contains the tracker hosts without specific directories.
For those interested, my list of collected URLs (from the first step) can be found here. To get the Firefox blacklists and whitelists, run shavar-list-creation with the production configuration and then parse the log files. Trackers are found in the following lists: social-track-digest256, ads-track-digest256, content-track-digest256, analytics-track-digest256, and base-track-digest256. The whitelisted tracker entities are in mozstd-trackwhite-digest256, finger-printers are in base-fingerprinting-track-digest256, and cryptominers are in base-cryptomining-track-digest256.
Written by:
Karim Rahal
Bug Bounty Hunter
Twitter: @karimpwnz
Blog: https://karimrahal.com/
At Detectify we collaborate with white hat hackers like Karim to crowdsource security research from the forefront of the industry, so you can check for the latest common vulnerabilities and exploits. Our testbed has 1500+ security modules including the OWASP Top 10, cors misconfigurations and even stateless tests submitted by the Detectify Crowdsource community. Sign up today for a 14-day free trial.