Bad timing: New HTML5 trickery lets hackers silently spy on browsers

Sub-millisecond precision in your rendering engine. What could possibly go wrong?

New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim's browser, it is claimed.

Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data including browsing history or text from other browser sessions.

Paul Stone, a senior consultant at Context, warned that hackers can use this timing information - which can be accurate to millionths of a second - to read the colour of pixels from web pages that are for the user's eyes only: this allows miscreants to painfully reconstruct words and numbers on the pages, determine which links have been visited, and so on.

The timing feature was supposed to enable smooth animation in web pages: requestAnimationFrame() can be used to calculate the time taken to redraw part, or all, of an open web page.

By opening a web page in an iframe, applying filters to it and measuring the exact time taken to render parts of it, it is possible to work out which pixels are set. Ideally, from the attacker's point of view, the victim should not be aware of the iframe shenanigans.

The JavaScript-powered attack breaks cross-origin restrictions that ought to prevent this sort of trickery. Practically speaking, these attacks are tough to pull off, but that doesn't mean browser vendors should ignore the threat, as the Pixel Perfect Timing Attacks with HTML 5 whitepaper by Stone explains:

The new HTML5 requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data. Two techniques are demonstrated which use this API to exploit timing attacks against Chrome, Internet Explorer and Firefox in order to infer browsing history and read cross-origin data from other websites. The first technique allows the browser history to be sniffed by detecting redraw events. The second shows how SVG filters can be used to read pixel values from a web page. This allows pixels from cross-origin iFrames to be read using an OCR-style technique to obtain sensitive data from websites.

This paper has demonstrated how a malicious website can use the timing of browser graphics operations to steal sensitive user data. Fortunately for users, timing attacks that are easily demonstrated in a controlled environment can prove tricky to implement reliably in the wild. However, this does not mean that browser vendors should not fix these holes. The basic techniques described in this paper will inevitably be improved upon to increase their speed, reliability and real-world usefulness.

Context has notified Google, Microsoft and Firefox-maker Mozilla about its research. The software giants are reportedly investigating ways in which the timing attacks can be prevented, but a trade-off between privacy and browser performance may complicate attempts to resolve the problem.

"Finding and fixing timing attacks is hard," said Stone. "The asynchronous URL lookups and filter optimisations that make these timing attacks possible were intended to increase browser performance. Fixing them could involve a trade-off between privacy and performance."

Mozilla, at least, has partially defended users of its Firefox browser against the lines of attack outlined by Stone's research. "Mozilla has tackled the worst of it in Firefox 22; however, there may be some SVG filters that are vulnerable to a lesser degree," he said.

Website owners can protect themselves from the pixel-reading attacks by disallowing framing of their sites. The relevant HTTP header is primarily intended to prevent click-jacking attacks.
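The anti-framing header the article refers to is X-Frame-Options; its Content Security Policy successor is the frame-ancestors directive, which browsers that support it honour in preference to X-Frame-Options. The helper below is an added example, not code from the article or from Context: it classifies a response's framing policy from its headers so a site owner can audit whether the mitigation is really in place, and returns the header pair that refuses all framing. The header and directive names are real; the sample responses are constructed for illustration.

```python
"""Audit HTTP response headers for anti-framing protection (added example)."""
from typing import List, Mapping, Optional


def parse_csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if the
    policy has no such directive. Per CSP, an empty source list means 'none'."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() if p.startswith("'") else p for p in parts[1:]]
            return sources or ["'none'"]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify how a response may be framed by other pages.

    Returns one of:
      'blocked'     - no page may frame it (frame-ancestors 'none' or XFO DENY)
      'same-origin' - only the site's own pages may frame it
      'restricted'  - an explicit allow-list of framing origins
      'open'        - no framing restriction at all (vulnerable to framing)
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {name.lower(): value for name, value in headers.items()}

    # frame-ancestors wins over X-Frame-Options when both are present.
    csp = hdrs.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return "blocked"
            if ancestors == ["'self'"]:
                return "same-origin"
            return "restricted"

    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "open"


def hardened_headers() -> dict:
    """Headers a site can send to refuse framing from any origin. Sending both
    keeps older browsers (X-Frame-Options only) covered as well as newer ones."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


# Constructed sample responses: a site before and after applying the mitigation.
SAMPLE_RESPONSES = {
    "before": {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"},
    "after": {"Content-Type": "text/html", **hardened_headers()},
}

if __name__ == "__main__":
    for label, response in SAMPLE_RESPONSES.items():
        print(f"{label}: framing is {framing_policy(response)}")
```

A policy of "open" means the page can be loaded in a cross-origin iframe, which is the precondition for the pixel-reading technique described above; "same-origin" or "blocked" removes that precondition. Note that a CSP that sets other directives but omits frame-ancestors provides no framing protection on its own.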

And web surfers can switch to "incognito mode" private browsing as a workaround.

"Users concerned about these vulnerabilities can mitigate the risks by regularly clearing their browsing history or using private browsing windows to separate their browsing sessions," Stone advised. "While HTML 5 offers developers a range of new features such as improved animation and graphics support, some of these new capabilities have some unexpected side effects with privacy and security implications."

Stone delivered his research in a talk at the Black Hat hacking conference in Las Vegas last week. ®