JavaScript tells all, which turns out not to be so great for privacy: Side-channel leaks can be exploited to follow you around the interweb

And using browser privacy extensions may just make matters worse

Stalker: woman peers through keyhole

Boffins from Graz University of Technology in Austria have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware to fingerprint browsers and improve the effectiveness of exploits.

In a paper, "JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits," researchers Michael Schwarz, Florian Lackner, and Daniel Gruss describe a technique for collecting information about browsers that calls into question the effectiveness of anonymized browsing and browser privacy extensions. The paper was brought to our attention this week, and presented earlier this year at the Network and Distributed System Security Symposium.

The researchers say their automated browser profiling scheme facilitates browser fingerprinting, overcomes some anti-fingerprinting techniques, and shows that browser privacy extensions "can leak more information than they disguise and can even be semi-automatically circumvented, leading to a false sense of security."

Browser fingerprinting involves gathering information about an internet user's browser and associated software and hardware, such as the browser type, the operating system, various network request headers, cookies, extensions, screen resolution and so on.

These properties can be collected using JavaScript, which exposes language features, namely the JavaScript object structure – children of the root window object – which can also be probed for information.

Technique

This isn't a novel issue, but in conjunction with two new side-channel attacks, which reveal the instruction-set architecture and the memory allocator, the technique described can expose information about supposedly hidden parts of the browser environment with particular efficiency because it's automated. And yes, you could disable JavaScript execution, though you'll be losing a lot of web functionality.

The findings have implications for anyone under the impression that online privacy or online anonymity can be assured, but particularly for users of the Tor browser, which has been designed to resist fingerprinting. The research suggests Tor's effort to make users appear to have the same browser fingerprint, thereby blending into the crowd, may fall short if additional data points are considered.

The upshot is: this technique is not going to immediately unmask you, and it's by no means perfect, but it could potentially be used to track you around the internet and target you with adverts.

JavaScript Template Attacks can be used for user fingerprinting. But the technique has been designed to identify computing environments rather than users. It can thus facilitate exploit targeting, which is more effective when reconnaissance can assure vulnerability. However, the Graz boffins hope their work will advance defensive research rather than attack magnification.

The technique is simple enough. First comes the profiling phase, which involves compiling a list of properties accessible from JavaScript objects (eg window.Array.name, performance.timeOrigin). These become a profile.

Someone spying on someone else

Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you're visiting

READ MORE

The data collection then gets repeated using a different environment, such as an alternate browser or operating system. Together, these varied profiles of JavaScript objects and properties form a template that can be used to probe for variations.

The variations identified in this matrix of data reveal environmentally-dependent properties in Chrome, Edge, Firefox and mobile Tor, properties that provide information useful for identification and attack targeting.

One of the side-channel attacks developed for JavaScript Template Attacks involve measuring runtime differences between two code snippets to infer the underlying instruction set architecture through variations in JIT compiler behavior.

The other involves measuring timing differences in the memory allocator to infer the allocated size of a memory region.

The boffins' exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version, installed privacy extension, privacy mode, operating system, device microarchitecture, and virtual machine, but also the properties of JavaScript objects.

And their research shows there are far more of these than are covered in official documentation. This means browser fingerprints have the potential to be far more detailed – have more data points – than they are now. The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.

Schwarz, Lackner, and Gruss conclude by noting that they hope browser makers will consider their findings as they work to improve browser and privacy extensions. ®

Sponsored: What next after Netezza?

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019