Fingerprinting Pirated Adobe Products With Javascript

Last week I was watching an old DEFCON 18 talk [slides, paper] by Peter Eckersley, the maker of Panopticlick.

I find this idea very interesting, and it made me wonder what other characteristics could be used to identify a user through their browser. Among many other ideas, I thought about Adobe piracy detection. It is well known that many “cracks” simply point the DNS A-record of “activate.adobe.com” at the loopback address 127.0.0.1 to circumvent activation.

However, because the same-origin policy is in effect, a page cannot directly check in the browser whether that DNS record has been changed. Nevertheless, I found a way around this with pure JavaScript. In this special case, the JBoss server at activate.adobe.com delivers a favicon.ico. Although the image is a 0-byte file and therefore corrupt, requesting it does not produce an HTTP timeout but a 200 OK. So it is possible to include this “fake” image in an img tag and check with JavaScript whether it has loaded or not. If it has not, there is a good, though certainly not definitive, indication that the DNS record has been overwritten.

There is also the possibility that the user happens to be running a local web server that serves its own favicon.ico. A simple way to rule this out is to check whether the browser has adjusted the width of the image: for the “valid” favicon.ico it must be 0.

I’ve implemented a proof-of-concept that seems to work in Firefox and Chrome.
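As an added example (not the author's proof-of-concept, which is not reproduced here), the probe described above is split into a browser-side part that records the only observables a cross-origin img exposes (which event fired, the decoded width, and the elapsed time) and a pure decision function that encodes the reasoning of the paragraphs above. The probe URL is a placeholder, the function names probeCrossOriginImage and interpretProbe are mine, and the mapping of a 0-byte 200 OK to a load event with width 0 is taken from the post's description of Firefox and Chrome at the time; whether a current browser reports an undecodable body as load or error is not something this example verifies.

```javascript
// Added example, not the post's proof-of-concept. Shows exactly what a
// page can observe about a cross-origin <img>: no status code, no body,
// only load/error/timeout, the decoded size and the elapsed time.
// PROBE_URL is an assumed placeholder, not a real host.

const PROBE_URL = "https://probe-host.invalid/favicon.ico";

// Browser only. Resolves to { event, naturalWidth, elapsedMs }.
// The same-origin policy hides everything else about the response.
function probeCrossOriginImage(url, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const started = Date.now();
    const img = new Image();
    let settled = false;
    const finish = (event) => {
      if (settled) return; // first event wins; the timer may still fire later
      settled = true;
      resolve({
        event,
        naturalWidth: img.naturalWidth, // 0 unless the browser decoded a real image
        elapsedMs: Date.now() - started,
      });
    };
    img.onload = () => finish("load");
    img.onerror = () => finish("error"); // connection refused, reset, or undecodable body
    setTimeout(() => finish("timeout"), timeoutMs);
    // Cache-buster so a previously cached copy cannot answer for the server.
    img.src = url + "?" + Date.now();
  });
}

// Pure decision rule following the post's reasoning: the real host answers
// 200 OK with a 0-byte favicon, so the image "loads" with width 0; a
// local web server with its own favicon yields a non-zero width; no answer
// at all (loopback with nothing listening, or a slow network) is taken as
// the record having been overridden. The last case is only a likelihood,
// because connection refused and a timeout look alike from the page.
function interpretProbe(obs) {
  if (obs.event === "load" && obs.naturalWidth === 0) {
    return { verdict: "host-reachable", confidence: "high" };
  }
  if (obs.event === "load") {
    return { verdict: "other-server", confidence: "low" };
  }
  return { verdict: "no-answer", confidence: "medium" }; // "error" or "timeout"
}

// Browser usage, guarded so the file also loads under Node for the pure part.
if (typeof Image !== "undefined") {
  probeCrossOriginImage(PROBE_URL).then((obs) => {
    console.log(obs, interpretProbe(obs));
  });
}
```

Only interpretProbe runs outside a browser. From the operator's side, the signal the post relies on exists because the server distinguishes itself by answering at all; in current browsers a response carrying Cross-Origin-Resource-Policy: same-origin is blocked for cross-origin img requests and fires error regardless of where the hostname resolves, which collapses the first branch into the last.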

IMHO: This opens the door to all kinds of scams. A page should not be able to read properties of elements loaded from different origins. However, fixing this would obviously break a lot of things, such as image CDNs. I think the web is simply broken. And Adobe's motivation to change their server configuration will obviously be low.
