10 comments

[ 3.0 ms ] story [ 29.9 ms ] thread
Per the video showing the exploit: I thought since it was being served through an iFrame, it won't allow you to effect the inner elements with CSS/JS? If that doesn't matter, is there a way that Facebook, Twitter, Google+, etc. can do anything on their end so the front end user (or exploiter, in this case) can't modify the button with CSS to do these types of things?
Couldn't you just move the iFrame and not need to have access to its elements?
Maybe worth reminding in connection with the article: https://panopticlick.eff.org/ - how many bits of identifying information your browser leaks from its configuration itself. Even on a fresh profile with none of the privacy-leaking stuff like cookies or cache.
Turning off Javascript moves me from being unique and fingerprintable, to being 1 of 161,000. This is with Chrome in incognito.
"How to disable permission to read 'System Fonts' and 'Browser Plugin Details' in Chrome and Firefox"

http://superuser.com/questions/292666/how-to-disable-permiss...

How well does this work - in other words, how identifying is the absence of such information?

(The third alternative would be to spoof the information on each request, but I don't know how well that would work, and it could cause other problems.)

Most fields won't report with javascript disabled. In those fields "no javascript" reveals 1.86 bits about you, and 1 in every 1.33 browsers has it disabled.
http://cubiq.org/project-underpants-explained - browser fingerprinting demo, they say flash being off reduces your anonymity.

You can measure fonts using JS to avoid having to have flash to do font based fingerprinting, eg http://www.lalit.org/lab/javascript-css-font-detect/. There's also the option to attempt to set the font and then get the style of the element and see if it's using the new font (works only on FF and Opera IIRC), eg http://www.quirksmode.org/dom/getstyles.html).

I have no background in security, but I've found Disconnect (Chrome plugin) to be invaluable for keeping sites away from my social media cookies / sessions:

https://chrome.google.com/webstore/detail/disconnect/jeoacaf...

Sometimes it causes problems with Facebook photos embedded on other websites or social integration you actually want, but you can easily see what's being blocked and disable as needed.