LAS VEGAS–Security researchers have been warning about the weaknesses and issues with JavaScript and iframes for years now, but the problem goes far deeper than even many of them thought. A researcher in the U.K. has developed a new technique that uses a combination of JavaScript-based timing attacks and other tactics to read any information he wants from a targeted user’s browser and sites the victim is logged into. The attack works on all of the major browsers and researchers say there’s no simple fix to prevent it.
The technique uses some known problems with browsers and JavaScript, but also hinges on some new issues that, when used in combination, can allow an attacker to get access to the source code on any Web page a user is logged into. That source could include all kinds of sensitive information, such as user IDs and personal information. Paul Stone, the researcher who developed the technique, said that he doesn’t think it will be long before attackers improve on his technique and begin using it.
“Given enough time, this can be improved,” he said. “Eventually, someone will start abusing it.”
One piece of what Stone found is similar to the old browser history sniffing attacks that allow an attacker to see which sites a user has visited. Using a special technique, he slowed down the frame rate of his browser to see how it renders certain pages. He noticed that when the JavaScript on the page requested animation frames, the frame rate dropped when the animation was complex. That allowed him to measure the frame rate, and he then discovered that when the browser draws a hyperlink on a page there is a difference in how long it takes to draw a visited link and an unvisited one. Essentially, the browser draws the link as unvisited and then makes a database query to see whether the user has visited the link. If so, it then redraws the link as visited.
Stone, who demonstrated the technique in a talk at the Black Hat USA 2013 conference here, thought there might be a way to exploit that difference, so he wrote some code that measures how long it takes for each link on a page to be drawn. Using that technique, he found that he could determine which links had been visited on a user’s browser.
“When the browser draws the links the first time, the first frame will always be slow. If the link is un-visited the rest of the frames will be much faster,” he said. “If it’s been visited, you’ll see some more slow frames later on.”
“There’s nothing to patch. There is actually nothing specific that can be individually fixed to prevent this,” said Robert Hansen, a security researcher and director of product management at WhiteHat Security. “It’s a really, really bad one.”
Using that technique, an attacker can get access to a victim’s browsing history, Stone said. The second part of what Stone found is much more worrisome. He found that using Scalable Vector Graphics filters on certain parts of a given Web page allowed him to see exactly what a user was looking at in a browser window. Stone discovered that by applying one specific filter, he could tell which pixels are white and which are black. Using JavaScript, he found that he can apply this technique to every pixel in a given iframe and reconstruct what’s in the iframe.
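The pixel-reading technique described above depends on the sensitive page being loaded inside an iframe on the attacker's page, so the one mitigation a site owner controls directly is to refuse to be framed by other origins. What follows is an added example, not code from the article or from Stone's research: a small Node.js check that evaluates a response's anti-framing headers (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) and reports whether a given third-party origin could embed the page. All origins, header values and the helper names are constructed for illustration.

```javascript
// Added example (not from the article or from Paul Stone's research code):
// decide from response headers whether a third-party origin may embed a page
// in an iframe. Cross-origin pixel reading needs the target page inside the
// attacker's frame, so anti-framing headers are the server-side control.
// All origins and header values below are constructed sample data.

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the embedder origin?
function sourceMatches(src, pageOrigin, embedderOrigin) {
  if (src === "'self'") return embedderOrigin === pageOrigin;
  if (src === "*") return true;
  const e = new URL(embedderOrigin);
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return e.protocol === src;
  // Host source: optional scheme, optional leading wildcard label, optional port.
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && e.protocol !== scheme + ":") return false;
  if (wildcard) {
    if (!e.hostname.endsWith("." + host)) return false;
  } else if (e.hostname !== host) {
    return false;
  }
  const ePort = e.port || (e.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== ePort) return false;
  return true;
}

// Decide whether embedderOrigin may frame a page served from pageOrigin with
// the given response headers. Returns { framable, reason }.
function framingPolicy(headers, pageOrigin, embedderOrigin) {
  const h = normalizeHeaders(headers);
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    if (ancestors.includes("'none'")) {
      return { framable: false, reason: "frame-ancestors 'none'" };
    }
    const ok = ancestors.some((s) => sourceMatches(s, pageOrigin, embedderOrigin));
    return { framable: ok, reason: `frame-ancestors ${ancestors.join(" ")}` };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { framable: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { framable: embedderOrigin === pageOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  // No recognised anti-framing header: any origin can embed the page.
  return { framable: true, reason: "no framing restriction" };
}

// Constructed sample responses: a page with no framing protection beside the
// same page with both headers set (X-Frame-Options for older browsers,
// CSP frame-ancestors for current ones).
const PAGE = "https://account.example.test";
const ATTACKER = "https://evil.example.test";
const WEAK_HEADERS = { "Content-Type": "text/html" };
const HARDENED_HEADERS = {
  "Content-Type": "text/html",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
};

function demo() {
  return {
    weak: framingPolicy(WEAK_HEADERS, PAGE, ATTACKER),
    hardened: framingPolicy(HARDENED_HEADERS, PAGE, ATTACKER),
    partner: framingPolicy(
      { "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.test" },
      PAGE,
      "https://app.partner.test"
    ),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run with `node framing-check.js` against captured response headers; a `framable: true` result for an origin you do not trust means the page is exposed to any attack that starts by embedding it. Setting both headers is the usual practice, since frame-ancestors is not understood by older browsers while X-Frame-Options cannot express an allow-list of partner origins.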
Stone said that, using the JavaScript code, he can also force the browser to show the source code of the page the user is on, using the view-source method. Depending upon the page the user is visiting, that code could include a user ID or other sensitive data. In a demo of the technique, Stone showed the source of a target Google+ page that included a phone number, Google ID and other information.
“In the real world, I could get the user onto the page, wait until the browser is idle and then do this in the background,” Stone said. “There’s all kinds of stuff in the source.”
The technique could be used in any number of attack scenarios, Hansen said, including targeted attacks against specific corporate or government users or in a large-scale attack using malicious ads or other content on a compromised site.
Firefox has fixed the pixel-reading issue, but Chrome is still vulnerable.