Research: 4 new ways browser history can be exposed

A recent study by the University of California, San Diego, showed four new ways to expose Internet users' browsing histories. The researchers also showed how these histories can be used to target internet users with various attacks. Most of these attacks take aim psychologically, targeting the trust users have in details to which they believe only their closest friends and family have access.

"My hope is that the severity of some of our published attacks will push browser vendors to revisit how they handle history data," said research author Deian Stefan, an assistant professor in computer science at the Jacobs School of Engineering at UC San Diego. "I'm happy to see folks from Mozilla, Google, and the broader World Wide Web Consortium (W3C) community already engage in this."

The four new ways to view your browser history are classified as "history sniffing attacks" by the authors of the research paper "Browser history re:visited." The four fall into two categories: visited-link attacks and cache-based attacks. The researchers tested their four new attacks against the following browsers:

Browsers Tested:

• Chrome: Vulnerable to Chromium-based attacks (4/4 attacks successful)

• Firefox: 4/4 attacks successful

• Edge: 4/4 attacks successful

• Internet Explorer (IE): 4/4 attacks successful

• ChromeZero: 4/4 attacks successful

• Brave: Vulnerable to Chromium-based attacks (2/4 attacks successful)

• FuzzyFox: 1/4 attacks fails (Stone's visited-link)

• DeterFox: 1/4 attacks fails (Stone's visited-link)

• Tor Browser: No history, immune to attacks in this study

NOTE: The first three attacks below are visited-link attacks on history, and the fourth is a cache-based attack.

Attack 1: Abusing CSS Paint API

Using the CSS Paint API, an attacker can take advantage of the fact that websites can "hook into the browser's rendering pipeline and draw part of HTML elements themselves." The attacker observes this drawing activity and records it as a website visit, learning the target's history page by page.

Attack 2: Abusing CSS 3D transforms

The attacker plants CSS 3D transforms in a page that activate when links are visited. These 3D transforms can become "expensive" (processor-wise) when implemented, loaded, and re-painted (depending on whether the user has loaded a page before visiting a link). The attacker monitors the page's rendering performance through JavaScript, and the relative result reveals a visit to each individual page – i.e. history.

Attack 3: Abusing fill-coloring of SVGs

Much like Attack 2, fill-coloring of SVGs can be used to track relative browser performance on individual webpages. Visited selectors set off different unique colors, and the target's visits are shown to the attacker – in super pretty full color!

Attack 4: Bytecode-cache attacks on history

The creators of the cache probably didn't anticipate it being put to use by a malicious party, as in the attacks we're speaking about today. The bytecode cache keeps track of JavaScript code on webpages across the internet. If the same webpage is visited more than once, or another webpage is visited with the same JavaScript code present, the browser calls upon the code it already has stored from a previous visit. This lightens the load considerably, but in turn leaves behind a stored record of history which the user did not intend to keep.

What do they want with my history?

Modern attacks using browser history target users with blackmail attempts. They also seek out the specific login pages where users access banking information, replicate said pages, and present them to said users to gain access remotely. Knowing the exact webpages one unique user visits can give an attacker more than enough ways to attack them, track them, and/or harvest their data and – ultimately – their money.

For more information on this subject head right on over to the recent release at UC San Diego: Jacobs School of Engineering. There, the presentation "These new techniques expose your browsing history to attackers" leads to a list of additional resources, one of which is the original research paper "Browsing History re:visited."

The paper "Browsing History re:visited" was authored by Michael Smith, Craig Disselkoen, Shravan Narayan, Fraser Brown, and Deian Stefan. Each of these authors hails from UC San Diego except Brown, who hails from Stanford University.