Bug 262699 (CVE-2024-23206) - Persistent Tracking via fingerprint.com
Summary: Persistent Tracking via fingerprint.com
Status: RESOLVED FIXED
Alias: CVE-2024-23206
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: Safari 17
Hardware: Unspecified iOS 17
Importance: P2 Major
Assignee: Matthew Finkel
Keywords: InRadar
Reported: 2023-10-05 07:28 PDT by Bug
Modified: 2024-02-05 14:12 PST

Description Bug 2023-10-05 07:28:54 PDT
Dear all, I noticed that upon reset of an iOS device, the fingerprint on fingerprint.com will change but is stable afterwards, despite private mode and all protection active.
The change-on-reset event does not seem to make sense to me, unless fingerprint.com is able to escape from Safari to read some (network?) property which changes or gets deleted on device reset, but not in private mode.

It might be dropping an undeletable cookie somewhere or read some property it is not supposed to.
Where to discuss problems of this kind?
Thanks
Comment 1 Radar WebKit Bug Importer 2023-10-05 15:18:15 PDT
<rdar://problem/116545792>
Comment 2 Matthew Finkel 2023-12-16 21:49:10 PST
Pull request: https://github.com/apple/WebKit/pull/977
Comment 3 EWS 2023-12-18 06:49:42 PST
Committed 267815.640@safari-7617-branch (36d57dc0f23f): <https://commits.webkit.org/267815.640@safari-7617-branch>

Reviewed commits have been landed. Closing PR #977 and removing active labels.
Comment 4 Bug 2023-12-19 07:00:37 PST
Hello, thanks for the quick reaction. Matthew, could you contact me on my email to have a little discussion about how to proceed? There might be more to do, and the analysis of this stuff is exhausting for me. Thanks