Researchers have discovered 14 new types of cross-site data leakage attacks against various modern web browsers, including Tor Browser, Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari, and Opera, among others.
Collectively known as “XS-Leaks”, the browser bugs allow a malicious website to collect personal data from its visitors as they interact with other websites in the background, without the targets' knowledge. The findings are the result of a comprehensive study of cross-site attacks by a group of academics from Ruhr-Universität Bochum (RUB) and Niederrhein University.
“XS-Leaks bypasses the so-called same-origin policy, one of a browser’s main defenses against various types of attacks,” the researchers said in a statement. “The purpose of the same origin policy is to prevent the theft of information from a trusted website. In the case of XS-Leaks, attackers can recognize small individual details of a website. If these details are linked to personal data, that data can be leaked.”
Stemming from side channels built into the web platform that allow an attacker to collect this data from a cross-origin HTTP resource, the cross-site bugs affect a range of popular browsers, such as Tor, Chrome, Edge, Opera, Safari, Firefox, and Samsung Internet, across the Windows, macOS, Android, and iOS operating systems.
The new class of vulnerabilities is also different from a cross-site request forgery (CSRF) attack: unlike CSRF, which exploits a web application’s trust in a browser client to perform unwanted actions on behalf of the user, XS-Leaks can be set up to infer information about a user.
“They are a significant threat to Internet privacy, as simply visiting a web page can reveal whether the victim is a drug addict or leak a sexual orientation,” the researchers explained. “XS-Leaks takes advantage of small pieces of information that are exposed during interactions between websites […] to reveal confidential information about users, such as their data in other web applications, details about their local environment or the internal networks to which they are connected.”
The core idea is that while websites cannot directly access data (i.e. read responses from the server) on other websites due to same-origin restrictions, a rogue online portal may attempt to load a specific resource or API endpoint from a website, say, an online banking website, in the user’s browser and make inferences about the victim’s transaction history. Alternatively, the source of the leak could be time-based side channels or speculative execution attacks like Meltdown and Spectre.
As mitigations, the researchers recommend denying all event handler messages, minimizing the occurrence of error messages, applying global limit restrictions, and creating a new history property when redirection occurs. On the end-user side, enabling First-Party Isolation and Enhanced Tracking Prevention in Firefox has been found to decrease the applicability of XS-Leaks. Intelligent Tracking Prevention in Safari, which blocks third-party cookies by default, also prevents all non-popup leaks.
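The sketch below is an added example, not code from the researchers or the original article. It looks at the core idea from the defender's side: it models a search endpoint whose status code depends on the user's data, a variant that answers uniformly (one reading of "minimizing the occurrence of error messages"), and a check that lists which coarse response details differ between users. The data, the function names, and the simplified mapping from status codes to load/error outcomes are assumptions made for illustration.

```javascript
// Constructed sample data (hypothetical users and records).
const DB = { alice: ["pharmacy 12.50", "grocer 40.00"], bob: ["grocer 8.20"] };

// Leaky variant: whether the user has matching records changes the status code.
function searchLeaky(user, q) {
  const hits = DB[user].filter((t) => t.includes(q));
  return hits.length > 0 ? { status: 200, body: hits } : { status: 404, body: [] };
}

// Uniform variant: the status is the same either way; the user-specific state
// lives only in the body, which the same-origin policy keeps unreadable.
function searchUniform(user, q) {
  const hits = DB[user].filter((t) => t.includes(q));
  return { status: 200, body: hits };
}

// Reduce a response to coarse details that do not require reading the body.
// Simplified assumption: 4xx/5xx surfaces as an "error" outcome, 3xx as a redirect.
function observableDetails(resp) {
  return {
    outcome: resp.status >= 400 ? "error" : "load",
    redirects: resp.status >= 300 && resp.status < 400,
  };
}

// Call the same endpoint as several users and return the names of the details
// that differ between them. Each one is a potential state oracle to fix.
function stateOracles(handler, q, users) {
  const seen = users.map((u) => observableDetails(handler(u, q)));
  return Object.keys(seen[0]).filter((k) => seen.some((d) => d[k] !== seen[0][k]));
}

// Audit both variants with the same query and users.
function audit(q, users) {
  return {
    leaky: stateOracles(searchLeaky, q, users),
    uniform: stateOracles(searchUniform, q, users),
  };
}

console.log(audit("pharmacy", ["alice", "bob"]));
```

A uniform status code closes only this one channel; the time-based side channels mentioned above are outside what this check covers.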
“The main cause of most XS leaks is inherent in the design of the web,” the researchers said. “Often times, applications are vulnerable to some information leaks between sites without having done anything wrong. It is challenging to fix the root cause of XS leaks at the browser level because in many cases doing so would damage existing websites.”