Browsing History Can Be Stolen Despite Current Defenses, Expert Demonstrates
Stealing browsing history is still possible despite defenses currently implemented in browsers, according to Google security engineer and vulnerability researcher Michal Zalewski.
History theft is a type of attack that can expose what websites users have visited in the past by determining how their browsers display links to them. By default, all browsers display previously visited links differently than non-visited links, due to definitions in their internal Cascading Style Sheets (CSS).
CSS-based history theft not only violates the privacy of the victims, but can actually assist hackers in performing other, more serious, attacks. For example, a phisher could use this method to determine what banking websites victims have visited and then pose as those institutions.
"In the past few years, browser vendors have severely crippled CSS :visited selectors in order to prevent CSS-based history snooping that made the headlines not long ago," Zalewski said in a blog post. However, other methods of extracting browsing history information without relying on CSS exist.
One such technique is to calculate how fast certain websites are rendered by the user's browser and using the results to determine if they were loaded from the cache. In order to be in the browser's cache, a page needs to have been visited at some point.
While possible in theory, cache timing attacks were considered impractical because they were slow, visible to the victim, and impossible to execute more than once. However, that's no longer the case, according to Zalewski, who devised a proof-of-concept, cache-based history stealing attack that overcomes most of those limitations.
"My proof of concept is fairly crude, and will fail for a minority of readers; but in my testing, it offers reliable, high-performance, non-destructive cache inspection that blurs the boundary between :visited and all the 'less interesting' techniques," the security researcher said.
Zalewski's research serves as a warning to browser vendors that alternative history snooping methods should not be forgotten just because at some point in time no one was capable to provide a reliable and practical implementation.