A recent study by the University of California, San Diego, showed four new ways to expose Internet users’ browsing histories. The researchers also showed how these histories can be used to target Internet users with various attacks. Most of these attacks are psychological, exploiting the trust users place in details they believe only their closest friends and family can access.
“My hope is that the severity of some of our published attacks will push browser vendors to revisit how they handle history data,” said research author Deian Stefan, an assistant professor in computer science at the Jacobs School of Engineering at UC San Diego. “I’m happy to see folks from Mozilla, Google, and the broader World Wide Web Consortium (W3C) community already engage in this.”
The authors of the research paper “Browser history re:visited” classify the four new ways to view your browser history as “history sniffing attacks.” The four fall into two categories: visited-link attacks and cache-based attacks. The researchers tested the four attacks against the following browsers:
• Chrome: Vulnerable to Chromium-based attacks (4/4 attacks successful)
• Firefox: 4/4 attacks successful
• Edge: 4/4 attacks successful
• Internet Explorer (IE): 4/4 attacks successful
• ChromeZero: 4/4 attacks successful
• Brave: Vulnerable to Chromium-based attacks (2/4 attacks successful)
• FuzzyFox: 1/4 attacks fails (Stone’s visited-link)
• DeterFox: 1/4 attacks fails (Stone’s visited-link)
• Tor Browser: No history, immune to attacks in this study
NOTE: The first three attacks below are Visited-link attacks on history, and the fourth is … different.
Attack 1: Abusing CSS Paint API
Using the CSS Paint API, an attacker can take advantage of the fact that websites can “hook into the browser’s rendering pipeline and draw part of HTML elements themselves.” The observation can be recorded as a website visit, and the attacker learns the target’s history, page by page.
Attack 2: Abusing CSS 3D transforms
Attack 3: Abusing fill-coloring of SVGs
Much like Attack 2, fill-coloring of SVGs can be used to track relative browser performance on individual webpages. Visited selectors set off different unique colors, and the target’s visits are shown to the attacker – in super pretty full color!
Attack 4: Bytecode-cache attacks on history
What do they want with my history?
Modern attacks using browser history target users with blackmail messages. They also seek out the specific login pages where users access banking information, replicate those pages, and present them to the same users to gain access remotely. Knowing the exact webpages one unique user visits can give an attacker more than enough ways to attack them, track them, and/or harvest their data and – ultimately – their money.
For more information on this subject, head right on over to the recent release at UC San Diego: Jacobs School of Engineering. There, the presentation “These new techniques expose your browsing history to attackers” leads to a list of additional resources, one of which is the original research paper “Browser history re:visited.”
The paper “Browser history re:visited” was authored by Michael Smith, Craig Disselkoen, Shravan Narayan, Fraser Brown, and Deian Stefan. Each of these authors hails from UC San Diego except Brown, who hails from Stanford University.