Bad timing: New HTML5 trickery lets hackers silently spy on browsers

Sub-millisecond precision in your rendering engine. What could possibly go wrong?

New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim's browser, it is claimed.

Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data including browsing history or text from other browser sessions.

Paul Stone, a senior consultant at Context, warned that hackers can use this timing information - which can be accurate to millionths of a second - to read the colour of pixels from web pages that are for the user's eyes only: this allows miscreants to painfully reconstruct words and numbers on the pages, determine which links have been visited, and so on.

The timing feature was supposed to enable smooth animation in web pages: requestAnimationFrame() can be used to measure how long the browser takes to redraw part or all of an open web page.

By opening a web page in an iframe, applying filters to it and measuring precisely how long the filtered regions take to render, it is possible to work out which pixels are set. Ideally, from the attacker's point of view, the victim never notices the iframe shenanigans.

The JavaScript-powered attack breaks cross-origin restrictions that ought to prevent this sort of trickery. Practically speaking, these attacks are tough to pull off, but that doesn't mean browser vendors should ignore the threat, as the Pixel Perfect Timing Attacks with HTML 5 whitepaper by Stone explains:

The new HTML5 requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data. Two techniques are demonstrated which use this API to exploit timing attacks against Chrome, Internet Explorer and Firefox in order to infer browsing history and read cross-origin data from other websites. The first technique allows the browser history to be sniffed by detecting redraw events. The second shows how SVG filters can be used to read pixel values from a web page. This allows pixels from cross-origin iFrames to be read using an OCR-style technique to obtain sensitive data from websites.

This paper has demonstrated how a malicious website can use the timing of browser graphics operations to steal sensitive user data. Fortunately for users, timing attacks that are easily demonstrated in a controlled environment can prove tricky to implement reliably in the wild. However, this does not mean that browser vendors should not fix these holes. The basic techniques described in this paper will inevitably be improved upon to increase their speed, reliability and real-world usefulness.

Context has notified Google, Microsoft and Firefox-maker Mozilla about its research. The software giants are reportedly investigating ways in which the timing attacks can be prevented, but a trade-off between privacy and browser performance may complicate attempts to resolve the problem.

"Finding and fixing timing attacks is hard," said Stone. "The asynchronous URL lookups and filter optimisations that make these timing attacks possible were intended to increase browser performance. Fixing them could involve a trade-off between privacy and performance."

Mozilla, at least, has partially defended users of its Firefox browser against the lines of attack outlined by Stone's research. "Mozilla has tackled the worst of it in Firefox 22 however there may be some SVG filters that are vulnerable to a lesser degree," he said.

Website owners can protect themselves from the pixel-reading attacks by disallowing framing of their sites. The relevant HTTP header is primarily intended to prevent clickjacking attacks.

And web surfers can switch to "incognito mode" private browsing, as a workaround.

"Users concerned about these vulnerabilities can mitigate the risks by regularly clearing their browsing history or using private browsing windows to separate their browsing sessions," Stone advised. "While HTML 5 offers developers a range of new features such as improved animation and graphics support, some of these new capabilities have some unexpected side effects with privacy and security implications."

Stone delivered his research in a talk at the Black Hat hacking conference in Las Vegas last week. ®
