14 new XS-Leaks attacks affect all modern web browsers
Researchers have discovered 14 new types of cross-site data leakage attacks against a number of modern web browsers, including Tor Browser, Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari, and Opera, among others.
Collectively known as “XS-Leaks”, the browser bugs allow a malicious website to collect personal data from its visitors as they interact with other websites in the background without the targets’ knowledge. The findings are the result of an in-depth study of cross-site attacks by a group of academics from Ruhr-Universität Bochum (RUB) and Niederrhein University.
“XS-Leaks bypass the so-called same-origin policy, one of the main defenses of a browser against various types of attacks,” the researchers noted in a report. “The purpose of the same-origin policy is to prevent information theft from a trusted website. In the case of XS-Leaks, attackers can still recognize minute details of a website. If these details are linked to personal data, such data may be disclosed.”
Stemming from side channels built into the web platform that allow an attacker to collect this data from a cross-origin HTTP resource, the cross-site bugs impact a range of popular browsers such as Tor, Chrome, Edge, Opera, Safari, Firefox, and Samsung Internet, across the Windows, macOS, Android, and iOS operating systems.
The new class of vulnerabilities also differs from cross-site request forgery (CSRF). Unlike CSRF, which exploits a web application's trust in a browser client to perform unintended actions on behalf of the user, XS-Leaks can be weaponized to infer information about a user.
“They pose a significant threat to Internet privacy, as the mere act of visiting a web page can reveal whether the victim is a drug addict or disclose a sexual orientation,” the researchers explain. “XS-Leaks take advantage of small pieces of information that are exposed during interactions between websites […] to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks to which they are connected.”
The basic idea is that even though websites are not allowed to directly access data (i.e. read server responses) on other websites due to same-origin constraints, a malicious online portal may attempt to load a specific resource or API endpoint from another website, for example an online banking website, in the user’s browser and draw conclusions about the victim's transaction history. Alternatively, the source of the leak could be timing-based side channels or speculative execution attacks like Meltdown and Spectre.
As mitigation measures, the researchers recommend denying all event handler messages, minimizing occurrences of error messages, applying global limit restrictions, and creating a new history property when a redirect occurs. On the end-user side, turning on first-party isolation as well as Enhanced Tracking Prevention in Firefox has been shown to reduce the applicability of XS-Leaks. Intelligent Tracking Prevention in Safari, which blocks third-party cookies by default, also prevents all leaks that are not based on a pop-up window.
“The root cause of most XS-Leaks is inherent in the design of the web,” the researchers noted. “Often applications are vulnerable to some cross-site information leakage without having done anything wrong. It is difficult to fix the root cause of XS-Leaks at the browser level as in many cases it will damage existing websites.”