They’re ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox

Privacy threat that allows websites to know what sites you've viewed is revived.

Chrome, Internet Explorer, and Firefox are vulnerable to easy-to-execute techniques that allow unscrupulous websites to construct detailed histories of sites visitors have previously viewed, an attack that revives a long-standing privacy threat many people thought was fixed.

Until a few years ago, history-sniffing attacks were accepted as an unavoidable consequence of Web surfing, no matter what browser someone used. By abusing a combination of features in JavaScript and cascading style sheets, websites could probe a visitor's browser to check if it had visited one or more sites. In 2010, researchers at the University of California at San Diego caught YouPorn.com and 45 other sites using the technique to determine if visitors viewed other pornographic sites. Two years later, a widely used advertising network settled federal charges that it illegally exploited the weakness to infer if visitors were pregnant.

Until about four years ago, there was little users could do other than delete browsing histories from their computers or use features such as Incognito or InPrivate browsing, available in Google Chrome and Microsoft Internet Explorer respectively. The privacy intrusion was believed to have been gradually foreclosed by changes made in each browser. To solve the problem, browser developers restricted the styles that could be applied to visited links and tightened the ways JavaScript could interact with them. That allowed visited links to show up in purple and unvisited links to appear in blue without that information being detectable to websites.

Now, a graduate student at Hasselt University in Belgium said he has confirmed that Chrome, IE, and Firefox users are once again susceptible to browsing-history sniffing. Borrowing from a browser-timing attack disclosed last year by fellow researcher Paul Stone, student Aäron Thijs was able to develop code that forced all three browsers to divulge browsing history contents. He said other browsers, including Safari and Opera, may also be vulnerable, although he has not tested them.

"The attack could be used to check if the victim visited certain websites," Thijs wrote in an e-mail to Ars. "In my example attack vectors I only check 'https://www.facebook.com'; however, it could be modified to check large sets of websites. If the script is embedded into a website that any browser user visits, it can run silently in the background and a connection could be set up to report the results back to the attacker."

The throughput of his experimental attack code was relatively modest: it checked only the one site, and only when the targeted computer wasn't under heavy load. By contrast, more established exploits from a few years ago were capable of checking, depending on the browser, about 20 URLs per second. Thijs said it's possible that his attack might work less effectively if the targeted computer was under heavy load. Then again, he said it might be possible to make his attack more efficient by improving his URL-checking algorithm.

I know what sites you viewed last summer

The browser timing attack technique Thijs borrowed from fellow researcher Stone abuses a programming interface known as requestAnimationFrame, which is designed to make animations smoother. It can be used to time the browser's rendering, which is the time it takes for the browser to display a given webpage. By measuring variations in the time it takes links to be displayed, attackers can infer if a particular website has been visited. In addition to browsing history, earlier attacks that exploited the JavaScript feature were able to sniff out telephone numbers and other details designated as private in a Google Plus profile. Those vulnerabilities have been fixed in Chrome and Firefox, the two browsers that were susceptible to the attack, Thijs said. Stone unveiled the attack at last year's Black Hat security conference in Las Vegas.

Thijs told Ars that Mozilla has already acknowledged plans to actively work on a fix. A Microsoft forum where Thijs reported his IE findings over the weekend has since been made private, but at the time of writing, it was still publicly available in this Google cache. Thijs said the issue is also under discussion by Chrome developers.

The resurrection of viable history-sniffing attacks underscores a key dynamic in security: when defenders close a hole, attackers will often find creative ways to reopen it. For the time being, users should assume that any website they visit is able to obtain at least a partial snapshot of other sites indexed in their browser history. As mentioned earlier, privacy-conscious people should regularly flush their history or use private browsing options to conceal visits to sensitive sites.