Slashdot Mirror


Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History (vice.com)

An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history.

The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferting your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second.
Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as 'security-sensitive' but 'low-priority.'"


  1. Well then by Anonymous Coward · · Score: 1

    a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferting your browsing history.

    How do I get it to stop sniffing my ferts?

  2. Does "Clear history when Firefox closes"... by CAOgdin · · Score: 4, Insightful

    ...option not work for you in Firefox? I have that option set, and it appears to work for me. I have several other Firefox security settings turned ON (e.g., "Block cookies from unvisited websites", and "block popup windows"). (And, no, I won't show you the entire phalanx of Firefox settings I'm using :-) )

    I'll admit that some people see all these options as daunting...but I'll wager they have a neighbor or colleague who can set it up for them...and show them how to propagate those settings to all other instances of Firefox in their home network.

    1. Re:Does "Clear history when Firefox closes"... by radarskiy · · Score: 1

      Who closes Firefox voluntarily?

    2. Re:Does "Clear history when Firefox closes"... by doconnor · · Score: 1

      I'm not sure that will work, because this doesn't actually check your history. It checks your cache.

  3. Non-issue. by Gravis+Zero · · Score: 4, Interesting

    This is a side-channel timing attack which is of low importance because it only allows an attack site to ask if you have been to a site or not. It cannot see your history, just if you have visited a site in the recent past. At best this could inform an attacker if you are a target of interest.

    However, this could be of interest to advertisers who want to probe if you have visited their site or maybe a competitor's site. Though chances are they already know that so it's likely not worth the trouble.

    --
    Anons need not reply. Questions end with a question mark.
  4. Re:Private browsing by quonset · · Score: 2

    How about disabling browsing, download, search and form history, forcing the browser to get a fresh copy of every page even if you've previously visited, and clearing everything when you close the browser at night.

    Good luck trying to find my browsing history.

  5. Great however by Artem+S.+Tashkinov · · Score: 3, Interesting

    NoScript perfectly protects against this, and hopefully the websites that I've whitelisted won't use these tricks to sniff out my browsing history.

    1. Re:Great however by Aighearach · · Score: 1

      It is a good idea to also use uMatrix so that even if you turn on JS for a site, the third party stuff still can't load.

  6. Inferting browsing history? That's an insinuendo! by remoteshell · · Score: 2

    Inferting may be the only mode of inquirty that can help us unprehend why the giant Alaskan king crabs scuttling around on the power lines outside my home snatch only Canadian aircraft out of the sky. My sublime but rascally sefl wants to infert your devience from your browsing history, along with your last 4 digits

    --
    Just the washing instructions on life's rich tapestry
  7. Browsing in private mode fixes it too by Solandri · · Score: 1

    The URLs you visit are not stored in history if you browse in private mode. I do nearly all my browsing in private mode. Occasionally it's a pain because I'll accidentally close a tab, and ctrl-shift-T (undo tab close) does not work because the browser doesn't know the URL you just closed. But otherwise it hasn't been any different from a regular browser. You have to manually enable extensions to work in private mode, and whitelist certain sites to be able to store cookies. The inability to undo a tab close has been the biggest headache, and it's relatively minor.

    If the description in summary is accurate, it sounds like blocking scripts unless you've whitelisted the site should also be effective in preventing it as well (unless a major site which you've whitelisted gets hacked and the malware script injected). Yet another reason to disable javascript by default.

  8. I know that already by hvidstue · · Score: 1

    Why is it even important to show which sites I have already visited?

    1. I know that already.
    2. If I forget, I will visit the site again.
    3. If I recognise the site I will enforce my memory to remember that I have already been here.
    4. If not any of above I will have a new experience.

    1. Re:I know that already by RhettLivingston · · Score: 1

      I get a lot of value out of this when using Google to search. If the search is for hard to find or describe data and I'm spending over half an hour searching and entering searches that approach the question from many angles, I definitely want to see the many links I've already visited in old searches highlighted in the new ones. I also research many subjects again and again over time (days, months, years, etc.) and would like to be able to distinguish previously unseen information.

      In fact, it would be awesome to have a feature in Google search that I could flip on and off with a single click to just filter out previously seen information on the server side! Maybe it's there and I just haven't looked for it.

      I'm not sure I see a direct threat from this for myself. I would think it would be used to inform phishing attacks and ad placement, but I'm not vulnerable to either.

      On the other hand, the vast majority of internet users are not as informed as most tech users. They are vulnerable to attacks like this and we should be concerned about that because that vulnerability does affect the internet as a whole in ways that splash back on everyone by inciting regulation, limiting services, etc.

      In a very tenuously related theme, the feature I would most like added to Netflix is the ability to remove everything I've already watched from any suggestions as well as to allow me to tell it that I don't ever want to watch a particular video and have that removed from suggestions also. Of the shows and movies I've watched in my life, I doubt I watched more than 1% twice. I usually hate viewing or reading the same thing twice. Oddly, that doesn't carry to music. There is something fundamentally different there.

  9. Fuck me! by nospam007 · · Score: 1

    Some 'IT expert' discovered cookies.
    Now I have seen everything.

  10. Re:once again... the Javascript attack surface by AHuxley · · Score: 1

    But if that is turned off then the ads don't work.

    --
    Domestic spying is now "Benign Information Gathering"
  11. Re:Vs. 3rd party script hosts=faster vs NoScript by cm5oom · · Score: 1

    Can your software block apk spam?