by adtehcmadness1 1648 days ago
As someone working on exactly this type of stuff, you're absolutely right. *.safeframe.googlesyndication.com is Google's implementation of the IAB's SafeFrame standard[0], which is basically a cross-origin iframe with an API that's exposed to the embedded 3rd-party code (the ad). This is what its HTML looks like (some attributes removed for readability):

  <iframe src="https://*.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html" title="3rd party ad content" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation" allow="attribution-reporting"></iframe>
As you can see, it has both sandbox[1] and allow[2] attributes. The former restricts certain behaviors of the embedded code (most notably, navigating the top window without user activation), and the latter restricts it from accessing certain APIs - this is why the author saw errors in the console.

The script at https://cdn.js7k.com/ix/talon-1.0.37.js is an ad verification library developed by Verizon Media (formerly Oath), and it does, among other things, fingerprinting for bot detection purposes (because they want to prevent ad fraud). It was served together with the actual ad media (the so-called "creative") into the safeframe.

This is a relatively benign case. I've seen much more terrible stuff, from fingerprinting for user tracking to straight-out malware being served in ads. It's a wild west (or web).

[0]: https://www.iab.com/guidelines/safeframe/

[1]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...

[2]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...
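The sandbox and allow attributes the comment walks through, as an added example that is not part of the post and not Google's SafeFrame code: a DOM-free auditor that parses an iframe tag and reports what the framed third-party script may do. The tag is the one quoted above (the `*` is the commenter's placeholder, kept as-is); the embedder origin `https://publisher.example` and the set of sandbox tokens the auditor knows about are assumptions for the example.

```javascript
// Added example (not from the comment or from Google's SafeFrame code): reads the
// sandbox and allow attributes off an <iframe> tag and reports what the embedded
// third-party code may do. Runs in Node; no DOM needed.

// Constructed input: the tag quoted in the comment, verbatim.
const SAFEFRAME_TAG =
  '<iframe src="https://*.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html" ' +
  'title="3rd party ad content" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox ' +
  'allow-same-origin allow-scripts allow-top-navigation-by-user-activation" allow="attribution-reporting"></iframe>';
const EMBEDDER_ORIGIN = "https://publisher.example"; // assumed origin of the embedding page

// Sandbox tokens this auditor recognises; browsers silently ignore tokens they do not know.
const SANDBOX_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Pull name="value" pairs out of the opening <iframe ...> tag.
function parseIframeTag(html) {
  const m = /<iframe\b([^>]*)>/i.exec(html);
  if (!m) throw new Error("no <iframe> tag found");
  const attrs = {};
  const re = /([^\s="]+)(?:\s*=\s*"([^"]*)")?/g;
  let a;
  while ((a = re.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2] === undefined ? "" : a[2];
  return attrs;
}

// undefined = no sandbox attribute at all; "" = sandbox with every restriction on.
function parseSandbox(value) {
  if (value === undefined) return null;
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// allow="feature [allowlist]; feature ..." (Permissions Policy, attribute form).
// A feature listed without an allowlist defaults to 'src', i.e. the frame's own origin.
function parseAllow(value) {
  const policy = {};
  for (const decl of (value || "").split(";")) {
    const [feature, ...allowlist] = decl.trim().split(/\s+/).filter(Boolean);
    if (feature) policy[feature.toLowerCase()] = allowlist.length ? allowlist : ["'src'"];
  }
  return policy;
}

function hostOf(url) {
  const m = /^https?:\/\/([^/?#]+)/i.exec(url || "");
  return m ? m[1].toLowerCase() : null;
}

function auditFrame(html, embedderOrigin) {
  const attrs = parseIframeTag(html);
  const sandbox = parseSandbox(attrs.sandbox);
  const srcHost = hostOf(attrs.src);
  const report = {
    srcHost,
    sandboxed: sandbox !== null,
    topNavigation: "not restricted by sandbox",
    opaqueOrigin: false,
    popupsEscapeSandbox: false,
    selfRemovable: false,
    unknownTokens: [],
    allow: parseAllow(attrs.allow),
  };
  if (sandbox) {
    const has = (t) => sandbox.has(t);
    report.topNavigation = has("allow-top-navigation") ? "always"
      : has("allow-top-navigation-by-user-activation") ? "user-activation" : "blocked";
    report.opaqueOrigin = !has("allow-same-origin");
    report.popupsEscapeSandbox = has("allow-popups") && has("allow-popups-to-escape-sandbox");
    // allow-scripts + allow-same-origin on a frame that is same-origin with the embedder
    // lets the framed script reach up into the parent and strip its own sandbox attribute.
    report.selfRemovable = has("allow-scripts") && has("allow-same-origin") &&
      srcHost !== null && srcHost === hostOf(embedderOrigin);
    report.unknownTokens = [...sandbox].filter((t) => !SANDBOX_TOKENS.has(t));
  }
  return report;
}

console.log(JSON.stringify(auditFrame(SAFEFRAME_TAG, EMBEDDER_ORIGIN), null, 2));
```

For the quoted tag the report says top navigation is `user-activation` (click-throughs work, forced redirects do not), popups opened by the ad escape the sandbox, and `selfRemovable` is false because the frame is cross-origin to the embedder; it would flip to true only for a same-origin frame carrying both allow-scripts and allow-same-origin.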

1 comment

Great post.

That Verizon JS is surprisingly not very obfuscated, so if anyone is interested or just curious to hack around, this is a great one to look at!

It looks like they are checking notificationPermission for notifications. It stores (this.permissionStatus = "") & (this.notificationPermission = "").

I don't see any requestPermission() in the Verizon JS. So it's probably not the culprit?

I also don't think it would make sense for them to do it. It's probably a bad-faith advertiser.

I'm not sure if cross-origin permission requests can be blocked by the parent safe frame yet? It looks like Chrome is proposing it, but I can't find any info on whether it has been implemented. [1] [2]

-------

I really enjoy fingerprinting. It just feels like 'hacking' in the basic sense of poking around with things, since I don't know enough to do actual complicated real vulnerability hacking. I've built a pretty big JS file for our own ads analytics & tracking.

The Verizon JS has most of the basic common things, but one that sticks out as cool is cssSelectorCheck & cssRuleCheck, which check a few things like div:dir(ltr), probably for eastern languages, and stuff like -moz-osx-font-smoothing: grayscale.

I also like the idea of adding HONEYPOT_TAGS; it looks like they are adding a button to check for auto-click publisher fraud. But man, they should have obfuscated that name....

One interesting idea to expand on the CSS testing they have started to use a small amount, which I've played with, is placing actual unique CSS features and @supports in styles and then measuring them. Maybe use variables passed to JS. Also a couple of @media sizes to see if it's lying about size. You can also measure if CSS/SVG animation is paused, for viewability.

There are a ton of new CSS features that are implemented in different browser versions, so likely high entropy. I would also love to learn paintWorklet, just to know it for design, and it also seems like a big surface area (SVG too).

I'm kind of surprised they aren't doing an RTCPeerConnection to try and get any IPs, and it doesn't look like they are doing actual WebGL / audio prints.

Seeing the MIME type checks is validating to me. That's the latest check I added; it's pretty fast to execute. I have something like 150 different codes/MIME types to loop through lol. Verizon is more sensible in checking only a couple lmfao

[1] https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNO... [2] https://dev.chromium.org/Home/chromium-security/deprecating-...
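The cssRuleCheck / cssSelectorCheck style of probing and the @supports idea discussed in the reply above, as an added example that is neither the Verizon library's code nor the commenter's: property/value pairs are tested the way CSS.supports() would, selectors the way querySelector() would (an unsupported selector throws), the results are packed into a bit string and hashed for tracking, and the same bits are diffed against a baseline to spot a client whose claimed engine does not match what it actually supports. The browser primitives are injected so the code runs in Node; the probe lists, the stub environment, and the baseline bit string are constructed for the example and are not measured engine data.

```javascript
// Added example (not the Verizon library's code): CSS feature probes for
// fingerprinting and bot detection, with browser primitives injected.
// In a page you would call:
//   cssProbeFingerprint({ supports: (p, v) => CSS.supports(p, v),
//                         querySelector: (s) => document.querySelector(s) })

// [property, value] pairs for CSS.supports(); vendor-prefixed ones separate engines.
// Constructed probe list for the example.
const RULE_PROBES = [
  ["-moz-osx-font-smoothing", "grayscale"],
  ["-webkit-font-smoothing", "antialiased"],
  ["display", "grid"],
  ["container-type", "inline-size"],
  ["text-wrap", "balance"],
  ["color", "color-mix(in srgb, red, blue)"],
];

// Selectors for querySelector(); a real browser throws SyntaxError on one it cannot parse.
const SELECTOR_PROBES = [
  "div:dir(ltr)",
  "div:has(> p)",
  "input:focus-visible",
  "::-webkit-scrollbar",
  "p:nth-child(2 of .x)",
];

const PROBE_NAMES = [...RULE_PROBES.map(([p, v]) => `${p}:${v}`), ...SELECTOR_PROBES];

function selectorSupported(querySelector, selector) {
  try { querySelector(selector); return true; } catch (_) { return false; }
}

// One character per probe, "1" if supported, in PROBE_NAMES order.
function probeBits(env) {
  const bits = [];
  for (const [prop, value] of RULE_PROBES) bits.push(env.supports(prop, value) ? "1" : "0");
  for (const sel of SELECTOR_PROBES) bits.push(selectorSupported(env.querySelector, sel) ? "1" : "0");
  return bits.join("");
}

// 32-bit FNV-1a, the usual cheap non-cryptographic hash fingerprinting scripts use.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function cssProbeFingerprint(env) {
  const bits = probeBits(env);
  return { bits, hash: fnv1a32(bits) };
}

// Bot-detection angle: a client whose UA claims engine X but whose support bits
// differ from a baseline measured on real X is inconsistent. Returns the probes that disagree.
function inconsistentProbes(bits, baselineBits) {
  const out = [];
  for (let i = 0; i < PROBE_NAMES.length; i++) if (bits[i] !== baselineBits[i]) out.push(PROBE_NAMES[i]);
  return out;
}

// Constructed stub standing in for a browser: supports a fixed set of rules and
// selectors, and throws on an unknown selector like a real querySelector would.
function makeStubEnv(supportedRules, supportedSelectors) {
  return {
    supports: (p, v) => supportedRules.has(`${p}:${v}`),
    querySelector: (s) => {
      if (!supportedSelectors.has(s)) throw new SyntaxError(`'${s}' is not a valid selector`);
      return null;
    },
  };
}

const CLIENT = makeStubEnv(
  new Set(["display:grid", "container-type:inline-size", "color:color-mix(in srgb, red, blue)"]),
  new Set(["div:dir(ltr)", "div:has(> p)", "input:focus-visible"]),
);
// Constructed baseline for the engine this client claims to be: identical except
// that the real engine also supports -webkit-font-smoothing and ::-webkit-scrollbar.
const CLAIMED_ENGINE_BASELINE = "01110111110";

const fp = cssProbeFingerprint(CLIENT);
console.log(fp.bits, fp.hash, inconsistentProbes(fp.bits, CLAIMED_ENGINE_BASELINE));
```

The bit string is what carries the entropy; the hash only makes it a convenient key. The baseline comparison is the part that catches spoofing: a headless or UA-spoofed client cannot easily fake the exact support set of the engine it claims to be, so the two probes it gets wrong here show up by name.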