Bad timing: New HTML5 trickery lets hackers silently spy on browsers

Sub-millisecond precision in your rendering engine. What could possibly go wrong?

New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim's browser, it is claimed.

Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data including browsing history or text from other browser sessions.

Paul Stone, a senior consultant at Context, warned that hackers can use this timing information - which can be accurate to millionths of a second - to read the colour of pixels from web pages that are for the user's eyes only: this allows miscreants to painfully reconstruct words and numbers on the pages, determine which links have been visited, and so on.

The timing feature was supposed to enable smooth animation in web pages: requestAnimationFrame() can be used to calculate the time taken to redraw part or all of an open web page.

By opening a web page in an iframe, applying filters and measuring the exact time taken to render bits of them, it is possible to work out which pixels are set. Ideally, the victim should not be aware of the iframe shenanigans.

The JavaScript-powered attack breaks cross-origin restrictions that ought to prevent this sort of trickery. Practically speaking, these attacks are tough to pull off, but that doesn't mean browser vendors should ignore the threat, as the Pixel Perfect Timing Attacks with HTML 5 whitepaper by Stone explains:

The new HTML5 requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data. Two techniques are demonstrated which use this API to exploit timing attacks against Chrome, Internet Explorer and Firefox in order to infer browsing history and read cross-origin data from other websites. The first technique allows the browser history to be sniffed by detecting redraw events. The second shows how SVG filters can be used to read pixel values from a web page. This allows pixels from cross-origin iFrames to be read using an OCR-style technique to obtain sensitive data from websites.

This paper has demonstrated how a malicious website can use the timing of browser graphics operations to steal sensitive user data. Fortunately for users, timing attacks that are easily demonstrated in a controlled environment can prove tricky to implement reliably in the wild. However, this does not mean that browser vendors should not fix these holes. The basic techniques described in this paper will inevitably be improved upon to increase their speed, reliability and real-world usefulness.

Context has notified Google, Microsoft and Firefox-maker Mozilla about its research. The software giants are reportedly investigating ways in which the timing attacks can be prevented, but there may be a trade-off between privacy and browser performance to complicate attempts to resolve the problem.

"Finding and fixing timing attacks is hard," said Stone. "The asynchronous URL lookups and filter optimisations that make these timing attacks possible were intended to increase browser performance. Fixing them could involve a trade-off between privacy and performance."

Mozilla, at least, has partially defended users of its Firefox browser against the lines of attack outlined by Stone's research. "Mozilla has tackled the worst of it in Firefox 22 however there may be some SVG filters that are vulnerable to a lesser degree," he said.

Website owners can protect themselves from the pixel reading attacks by disallowing framing of their sites. The relevant HTTP header is primarily intended to prevent click-jacking attacks.
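The anti-framing header the article alludes to is X-Frame-Options, and its successor is the Content-Security-Policy frame-ancestors directive. The following Python script is an added example (not code from Context or The Register) that classifies the framing policy a response's headers actually grant, so a site owner can confirm that the pixel-reading attack's prerequisite, a cross-origin iframe, is denied. The sample header sets are constructed for illustration; the precedence rule (a frame-ancestors directive causes browsers to ignore X-Frame-Options) follows the CSP Level 2 specification.

```python
"""Classify how an HTTP response's headers constrain cross-origin framing."""

from typing import Dict, List, Mapping, Optional

# Constructed sample responses (illustrative, not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"x-frame-options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-allowlist": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    # frame-ancestors is present, so browsers ignore the stricter X-Frame-Options here.
    "csp-overrides-xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-list' or 'open'.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            # An empty source list or 'none' matches no ancestor at all.
            if not ancestors or ancestors == ["'none'"]:
                return "blocked"
            if ancestors == ["'self'"]:
                return "same-origin"
            if "*" in ancestors:
                return "open"
            return "allow-list"

    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):
        # Legacy directive with patchy browser support; treat as an allow-list.
        return "allow-list"
    # No recognised directive: any origin may embed the page in an iframe.
    return "open"


def cross_origin_framable(headers: Mapping[str, str]) -> bool:
    """True when at least one foreign origin is permitted to frame the page."""
    return framing_policy(headers) in ("open", "allow-list")


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Map each named response to its framing policy."""
    return {name: framing_policy(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, policy in audit(SAMPLE_RESPONSES).items():
        flag = "EXPOSED" if policy in ("open", "allow-list") else "ok"
        print(f"{name:20s} {policy:12s} {flag}")
```

Only "blocked" and "same-origin" close the door to a hostile embedding page; an allow-list result deserves a manual look at which origins are trusted. The script also shows why sending both headers is not automatically stricter: the frame-ancestors value wins wherever it is understood.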

And web surfers can switch to "incognito mode" private browsing, as a workaround.

"Users concerned about these vulnerabilities can mitigate the risks by regularly clearing their browsing history or using private browsing windows to separate their browsing sessions," Stone advised. "While HTML 5 offers developers a range of new features such as improved animation and graphics support, some of these new capabilities have some unexpected side effects with privacy and security implications."

Stone delivered his research in a talk at the Black Hat hacking conference in Las Vegas last week. ®
