Hacker News new | past | comments | ask | show | jobs | submit login

>By opening a popup window with a custom URL scheme and checking if its document is available from JavaScript code, you can detect if the application is installed on the device.

in FF, unless im mistaken this assumes the user clicks anything except cancel on the popup. bug for reference and comment. https://bugzilla.mozilla.org/show_bug.cgi?id=1711084

further from the github:

> the basic concept is the same. It works by asking the browser to show a confirmation dialog in a popup window. Then the JavaScript code can detect if a popup has just been opened and detect the presence of an application based on that.

so...we seem to be relying on the honor system with the user? Can anyone clarify?




Hi, nimbius.

I’m the article author, can you please clarify your question?

The demo will not work without a popup window in Chrome, Firefox and Safari. The “Get My Identifier” button is needed in order to have a single user gesture to open an additional window.

However the Tor Browser demo works silently without any additional window.


On Firefox, I didn't get any popup window. I did get it on Brave browser (Chromium based).


> in FF, unless im mistaken this assumes the user clicks anything except cancel on the popup. bug for reference and comment.

I'm on Firefox and didn't have to click anything. It correctly detected I have Steam installed.

The flashing popup window was quite obvious though.


> It works by asking the browser to show a confirmation dialog in a popup window. Then the JavaScript code can detect if a popup has just been opened and detect the presence of an application based on that.

> ...

> Tor Browser has confirmation dialogs disabled entirely as a privacy feature, which, ironically, exposed a more damaging vulnerability for this particular exploit. Nothing is shown while the exploit runs in the background, contrasting with other browsers that show pop-ups during the process.


Basically browsers have the "I open a popup to ask" or "the user has no schema handler for that schema so I don't need to ask" or the "User already confirmed it always should open the link with given application" behaviour and they can detect it "somehow "?

But I still have to look closer into it.


Browsers open pop-ups to ask "Can I run that application?" but only if that application is installed. If that application is not installed, the browser will ignore the custom URL.


It looks like a mitigation might be that in the event you do not have the application installed, to return a "denied" status and send a prompt to the user like "Unknown application protocol".

Something like that could still would be susceptible to a timing attack though.


always show the popup, but populate it "later" could work too.


Yes I believe the proper fix would be to always behave as if a popup is showing, independent of weather or not it actually shows.

Through it's maybe slightly more complex as you might need to behave as if the user clicked cancel in a way where a attacker can not easily differentiate it from an actual user clicking cancel.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: