Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for Email and Browser Fingerprinting
Pretty interesting how much information can be leaked without any JavaScript.
In this paper, we systematically investigate the modern dynamic features of CSS and their applicability for script-less fingerprinting, bypassing many state-of-the-art mitigations. We present three innovative techniques based on fuzzing and templating that exploit nuances in CSS container queries, arithmetic functions, and complex selectors. This allows us to infer detailed application, OS, and hardware configurations at high accuracy. For browsers, we can distinguish 97.95% of 1176 tested browser-OS combinations. Our methods also apply to email applications - as shown for 8 out of 21 tested web, desktop or mobile email applications. This demonstrates that fingerprinting is possible in the highly restrictive setting of HTML emails and expands the scope of tracking beyond traditional web environments.
Specifically this:
The Tor browser implements an allowlist-based approach to mitigate font fingerprinting. However, our container-query-based technique identifies a notable exception in Tor’s mitigation strategy. Specifically, the browser does not adhere to its font allowlist for the font family “Gill Sans”, a licensed font distributed with Microsoft Office. This oversight allows the detection of Microsoft Office on a system, even on the highest security level of the browser. The Tor project acknowledged the issue, indicating an awareness of the exception. However, they (wrongly so) expected this to be mitigated by the other font fingerprinting mitigations (i.e., disabling scripting and loading Web fonts).
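As an added example (not code from the paper or this post), a Python heuristic that a mail gateway could run over an HTML email body: it counts the CSS feature classes the abstract names (container queries, arithmetic functions, complex selectors) and flags a message when any of them co-occurs with a remote `url()` load, since CSS without script can only report a rendering outcome by fetching something. The sample bodies, the `example.invalid` host and the "suspicious" rule are constructed assumptions, not findings from the paper.

```python
import re
from html.parser import HTMLParser

# Regexes for the CSS feature classes the paper identifies as fingerprinting
# vectors, plus remote url() loads (the channel a script-less probe needs).
CSS_FEATURES = {
    "container_query": re.compile(r"@container\b", re.I),
    "arithmetic_function": re.compile(r"\b(?:calc|min|max|clamp)\s*\(", re.I),
    "complex_selector": re.compile(r":(?:has|is|where|not)\s*\(", re.I),
    "remote_resource": re.compile(r"url\s*\(\s*['\"]?https?://", re.I),
}
FONT_FAMILY = re.compile(r"font-family\s*:\s*([^;}]+)", re.I)


class _CssCollector(HTMLParser):
    """Gathers <style> block contents and inline style="" attributes."""

    def __init__(self):
        super().__init__()
        self.css, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        self.css.extend(v for k, v in attrs if k == "style" and v)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)


def scan_email_css(html: str) -> dict:
    """Count fingerprinting-relevant CSS features in an HTML email body."""
    collector = _CssCollector()
    collector.feed(html)
    css = "\n".join(collector.css)
    report = {name: len(pat.findall(css)) for name, pat in CSS_FEATURES.items()}
    # Distinct font families: a long list hints at font enumeration (heuristic).
    families = {f.strip().strip("'\"").lower()
                for decl in FONT_FAMILY.findall(css) for f in decl.split(",")}
    report["distinct_font_families"] = len(families)
    # Assumed rule: conditional CSS plus a remote fetch means the client's rendering
    # decision can reach a server, so treat the combination as suspicious.
    conditional = sum(report[k] for k in
                      ("container_query", "arithmetic_function", "complex_selector"))
    report["suspicious"] = conditional > 0 and report["remote_resource"] > 0
    return report


# Constructed sample bodies (not from the paper) for trying the scanner offline.
SAMPLE_PROBE = """<html><head><style>
.box { font-family: 'Gill Sans', Helvetica, Arial; container-type: inline-size; }
@container (min-width: 100px) { .box p { background: url(https://example.invalid/px) } }
</style></head><body><div class="box"><p>Hi</p></div></body></html>"""
SAMPLE_BENIGN = '<p style="font-family: Arial; color: #333">Hello</p>'
```

Running `scan_email_css(SAMPLE_PROBE)` reports one container query, one remote resource, three font families and `suspicious=True`; the benign body reports no conditional feature and `suspicious=False`.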