LAS VEGAS–Security researchers have been warning about the weaknesses and issues with JavaScript and iframes for years now, but the problem goes far deeper than even many of them thought. A researcher in the U.K. has developed a new technique that uses a combination of JavaScript-based timing attacks and other tactics to read any information he wants from a targeted user’s browser and sites the victim is logged into. The attack works on all of the major browsers and researchers say there’s no simple fix to prevent it.

The technique uses some known problems with browsers and JavaScript, but also hinges on some new issues that, when used in combination, can allow an attacker to get access to the source code on any Web page a user is logged into. That source could include all kinds of sensitive information, such as user IDs and personal information. Paul Stone, the researcher who developed the technique, said that he doesn’t think it will be long before attackers improve on his technique and begin using it.

“Given enough time, this can be improved,” he said. “Eventually, someone will start abusing it.”

One piece of what Stone found is similar to the old browser history sniffing attacks that allow an attacker to see which sites a user has visited. Using a special technique, he slowed down the frame rate of his browser to see how it renders certain pages. He noticed that when the JavaScript on the page requested animation frames, the frame rate dropped when the animation was complex. That allowed him to measure the frame rate, and he then discovered that when the browser draws a hyperlink on a page there is a difference in how long it takes to draw a visited link and an un-visited one. Essentially, the browser draws the link as un-visited and then makes a database query to see whether the user has visited the link. If so, it then redraws the link as visited.

Stone, who demonstrated the technique in a talk at the Black Hat USA 2013 conference here, thought there might be a way to exploit that difference, so he wrote some code that measures how long it takes for each link on a page to be drawn. Using that technique, he found that he could determine which links had been visited on a user’s browser.

“When the browser draws the links the first time, the first frame will always be slow. If the link is un-visited the rest of the frames will be much faster,” he said. “If it’s been visited, you’ll see some more slow frames later on.”

“There’s nothing to patch. There is actually nothing specific that can be individually fixed to prevent this,” said Robert Hansen, a security researcher and director of product management at WhiteHat Security. “It’s a really, really bad one.”

Using that technique, an attacker can get access to a victim’s browsing history, Stone said. The second part of what Stone found is much more worrisome. He found that using Scalable Vector Graphics filters on certain parts of a given Web page allowed him to see exactly what a user was looking at in a browser window. Stone discovered that by applying one specific filter, he could tell which pixels are white and which are black. Using JavaScript, he found that he can apply this technique to every pixel in a given iframe and reconstruct what’s in the iframe.

Stone said that the same JavaScript can also force the browser to show the source code of the page the user is on, using the view-source method. Depending on the page the user is visiting, that code could include a user ID or other sensitive data. In a demo of the technique, Stone showed the source of a target Google+ page that included a phone number, Google ID and other information.
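The pixel-reading step described above operates on a target page loaded into an iframe, so a site that refuses to be framed by other origins removes that precondition. The following is an added example, not code from the article or from Stone's demonstration: it evaluates a response's X-Frame-Options and Content-Security-Policy headers (all sample values are constructed) to decide whether a foreign origin can frame the page, and returns the headers a defender would send.

```javascript
// Added example, not code from the article or from the researcher's demo.
// Decides whether a response's headers let another origin embed the page in an
// iframe (the precondition for the pixel-reading step) and returns the headers
// that close that path. All sample header values are constructed.

// Source list of a CSP frame-ancestors directive, or null if the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// headers: object keyed by lower-case header name. When a CSP frame-ancestors
// directive is present it takes precedence over X-Frame-Options.
function framingVerdict(headers) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors) {
    const src = ancestors.map(s => s.toLowerCase());
    if (src.length === 0 || src.includes("'none'")) {   // empty list matches no ancestor
      return { framable: false, reason: 'CSP frame-ancestors forbids framing' };
    }
    if (src.includes('*') || src.includes('http:') || src.includes('https:')) {
      return { framable: true, reason: 'CSP frame-ancestors allows any origin' };
    }
    return { framable: false, reason: 'CSP frame-ancestors limited to ' + src.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { framable: false, reason: 'X-Frame-Options: ' + xfo };
  // ALLOW-FROM is ignored by some browsers (Chromium never supported it), so treat it as unprotected.
  if (xfo.startsWith('ALLOW-FROM')) return { framable: true, reason: 'X-Frame-Options ALLOW-FROM is unreliable' };
  return { framable: true, reason: 'no framing restriction header' };
}

// Headers a site can send so that no other origin can frame it.
function antiFramingHeaders() {
  return { 'x-frame-options': 'DENY', 'content-security-policy': "frame-ancestors 'none'" };
}

// Constructed responses: unprotected, X-Frame-Options only, and a CSP that relaxes a DENY.
const samples = {
  unprotected: { 'content-type': 'text/html' },
  xfoOnly: { 'x-frame-options': 'sameorigin' },
  cspRelaxesXfo: { 'x-frame-options': 'DENY', 'content-security-policy': "default-src 'self'; frame-ancestors *" },
};
for (const [name, h] of Object.entries(samples)) console.log(name, framingVerdict(h));
```

The third sample shows the trap a practitioner should check for: a permissive frame-ancestors directive silently overrides an X-Frame-Options DENY.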

“In the real world, I could get the user onto the page, wait until the browser is idle and then do this in the background,” Stone said. “There’s all kinds of stuff in the source.”

The technique could be used in any number of attack scenarios, Hansen said, including targeted attacks against specific corporate or government users or in a large-scale attack using malicious ads or other content on a compromised site.

Firefox has fixed the pixel-reading issue, but Chrome is still vulnerable.


Comments (7)

  1. Mark

    Sure there’s a simple fix… when you are about to visit a website that may have confidential information about you, manually open up a new tab or window for the page to load into first… and when you are done, close that tab or window. If the site you are using is practicing even very trivial security practices, any alleged malicious JavaScript that may be running on another page that is opened in some other tab or window of the browser will not be able to access the data in the new tab or window.

  2. David

    Fortunately the article (or the researcher) is incorrect in saying there is nothing that can be done about the visited link exposure issue. I can think of a dozen ways to mask the time difference in visited vs. unvisited links.

  3. Lonny Eachus

    Utter nonsense. The link-drawing-speed issue is due to an OPTIMIZATION in web browsers: they draw the page first, to get the visual layout in place, then look up the links (which are already drawn).

    There IS a very simple fix for this: do the database lookup for all the links before ever drawing them. And as for the speed difference for the cached lookup: don’t cache the lookup. It really is that simple.

    Someone might protest that this would slow down rendering, and that is true. But it is also beside the point. There *IS* a very simple fix for this.

  4. Ryan Volpe

    This is… fairly sad from these so-called “experts,” or at least poorly quoted.

    Sorry, Mr. Hansen, the same exact fix is possible on this as any other timing attack: put the processed data (in this case, frames) in a queue that is polled at a fixed rate. No observable time deltas, no feasible timing attack. It’s called “buffering,” and the implication of protection is not accidental.

    The really sad part is that this article conflates what appears to be three unrelated attacks solely because they were reported by the same researcher.

  5. Felix Luk

    Ho hum… another so-called browser vulnerability that is just a beefed-up phishing attack. It can easily be defeated by standard anti-phishing measures.

  6. DeJon Adams

    I’d have to agree with Felix here… the proper use of security measures prevents all of this.

    These problems are solved by proper use of Extended Validation (EV) SSL certificates for authentication. Moving certificate-based enterprise authentication to EV SSL would therefore protect an organization against this form of attack.
