Web versions

Researchers uncover 14 new data-stealing web browser attacks

Computer security researchers from Ruhr-Universität Bochum (RUB) and Niederrhein University of Applied Sciences have discovered 14 new types of “XS-Leak” cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari and Mozilla Firefox.

These types of side-channel attacks are called “XS-Leaks” and allow attacks to bypass the “same-origin” policy in web browsers so that a malicious website can steal information in the background from web browsers. a trusted website where the user enters information. .

“The principle of an XS-Leak is to use these secondary channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment or internal networks. to which they are connected”, explains the XS-Leaks Wiki.

For example, an XS-Leak attack could help a back-end site siphon inbox content from an active tab used to access webmail.

The process of an XS-Leak
The process of an XS-Leak
Source: XSinator

Cross-site leaks aren’t new, but as the researchers point out, not all of them have been identified and categorized as XS-Leaks, and their root cause remains unclear.

Their research aims to systematically search for new XS-Leaks, assess potential mitigations, and better understand how they work.

Finding New XS-Leaks

Researchers first identified three characteristics of cross-site leaks and evaluated all inclusion methods and leak techniques for a large number of web browsers.

The three main ingredients of all XS-Leaks are Inclusion Methods, Leak Techniques, and Detectable Differences.

After creating a model based on the above, the researchers found 34 XS-Leaks, 14 of which were new (marked with a plus sign below).

All XS-Leaks identified in the study.
All XS-Leaks identified in the study.
Source: XSinator

Next, they tested the 34 XS-Leaks against 56 browser and operating system combinations to determine how vulnerable each one was.

Next, they built a web application called XSinator, consisting of three components:

  1. A test site that acts as the attacker’s page, implementing known and new X-Leaks
  2. A vulnerable web application that simulates the behavior of a state-dependent resource.
  3. A database containing all previous test results.

You can visit the XSinator page yourself and run the test to see how well your web browser and operating system perform against the 34 X-Leaks.

Test with the latest version of Google Chrome
Test with the latest version of Google Chrome
Source: BleepingComputer

Below you can find a full list of XS leaks that various browsers are vulnerable to:

Examples of team assessment results
Examples of team assessment results
Source: XSinator

How to Defend Against X-Leaks

Mitigating or addressing the risks that arise from these side-channel attacks must be addressed by browser developers.

The researchers suggest denying all event handler messages, minimizing occurrences of error messages, applying global limit restrictions, and creating a new history property when the redirect occurs.

Other effective mitigation methods use X-Frame-Options to prevent iframe elements from loading HTML resources and implement the CORP header to control whether pages can embed a resource.

“COIU, also known as First Party Isolation (FPI), is an optional security feature that users can enable in FF’s Expert Settings (about:config) and was originally introduced in the Tor Browser. ” – from the paper.

One of the participating researchers, Lukas Knittel, told Bleeping Computer the following:

“According to the website, XS-Leaks can have a serious impact on users. Users can use an up-to-date browser that allows them to disable third-party cookies. This would protect against most XS-Leaks, even when the site Web does not implement new mitigations such as COOP, CORP, SameSite Cookies, etc.” – Knitting.

The researcher also said he informed the web browser’s development teams about their findings, which now resolve the various issues. The problems have already been fixed in the versions currently available in some cases.

As for future work, the team believes that new browser features are constantly adding new potential XS-Leak opportunities, so this is an area of ​​constant interest.

Also, Knittel told us that they might explore developing a website analytics tool, but for now they want to focus on determining how common these flaws are in websites around the world. real.