Australia's Leading Computer Emergency Response Team
 

New attacks in the wild expose users' browser history.

Date: 21 December 2011


We have recently become aware of a number of attacks which allow a malicious web page to enumerate the browsing history of visitors. This is done via a small JavaScript code block embedded in the web page. The script uses a hard-coded list of CSS and other files that are used in common web pages. The JavaScript requests these files and times each request using a sub-millisecond resolution timer. If a request completes in a short amount of time (<5ms), the file was most likely served from the browser cache, and the script marks the corresponding web site as previously visited.

Depending on the number of CSS files used in the test, this JavaScript code can quickly assemble a list of previously visited sites. [1] The attack is based on cache timings and was first described in a paper by E. Felten et al., circa 2000 [2].

An example of these CSS files used for identifying MySpace users is 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css', which is a standard CSS file used in most MySpace.com pages. [1]

This script (or variations of it) has been found to be effective in Firefox, Chrome, Safari and Opera. A version targeted at Internet Explorer users is currently being developed. [3] At the time of posting there have been no patches issued by browser vendors to correct this vulnerability.
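Why the timing signal exists, and how keying the cache by top-level site removes it, shown as an added example that is not part of the original post. It is a simulation that makes no network requests: the latencies, site names and URLs are constructed, and the partitioned cache is a simplified model rather than any browser's implementation.

```javascript
// Added example: simulated cache model, no network requests are made.
// All latencies, site names and URLs below are constructed for illustration.
const HIT_MS = 0.8;      // assumed cost of serving a resource from cache
const MISS_MS = 42;      // assumed cost of a network fetch
const THRESHOLD_MS = 5;  // cut-off quoted in the post (<5ms => "visited")

// Cache keyed by resource URL only: every site shares the same entries.
class SharedCache {
  constructor() { this.entries = new Set(); }
  key(topSite, url) { return url; }
  // Returns the simulated load time and stores the resource on a miss.
  load(topSite, url) {
    const k = this.key(topSite, url);
    if (this.entries.has(k)) return HIT_MS;
    this.entries.add(k);
    return MISS_MS;
  }
}

// Cache keyed by (top-level site, URL): entries are not shared across sites.
class PartitionedCache extends SharedCache {
  key(topSite, url) { return topSite + " " + url; }
}

// What a timing-based classifier would conclude from one measured load.
function looksVisited(elapsedMs) { return elapsedMs < THRESHOLD_MS; }

// The user browses the sites in `visited`, then a page on `observer` times
// loads of the stylesheets in `probes`. Returns the verdict per probed site.
function runScenario(cache, visited, observer, probes) {
  for (const site of visited) cache.load(site, probes[site]);
  const verdicts = {};
  for (const [site, url] of Object.entries(probes)) {
    verdicts[site] = looksVisited(cache.load(observer, url));
  }
  return verdicts;
}

const probes = {
  "social.example": "https://cdn.social.example/css/global.css",
  "bank.example": "https://static.bank.example/css/main.css",
};
const visited = ["social.example"];
const shared = runScenario(new SharedCache(), visited, "observer.example", probes);
const partitioned = runScenario(new PartitionedCache(), visited, "observer.example", probes);
console.log({ shared, partitioned });
```

With the shared cache the visited site falls under the 5ms threshold and is exposed; with the partitioned cache every load from the observing page is a miss, so the timing carries no history information.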

Happy and Safe browsing,

Angus

[1] Implementation of attack for Firefox.

[2] Original Paper by E. Felten et al.

[3] Rapid history extraction through non-destructive cache timing (v8)