“Given enough time, this can be improved,” he said. “Eventually, someone will start abusing it.”
Stone, who demonstrated the technique in a talk at the Black Hat USA 2013 conference here, thought there might be a way to exploit that difference, so he wrote some code that measures how long it takes for each link on a page to be drawn. Using that technique, he found that he could determine which links had been visited in a user’s browser.
“When the browser draws the links the first time, the first frame will always be slow. If the link is unvisited, the rest of the frames will be much faster,” he said. “If it’s been visited, you’ll see some more slow frames later on.”
“There’s nothing to patch. There is actually nothing specific that can be individually fixed to prevent this,” said Robert Hansen, a security researcher and director of product management at WhiteHat Security. “It’s a really, really bad one.”
“In the real world, I could get the user onto the page, wait until the browser is idle and then do this in the background,” Stone said. “There’s all kinds of stuff in the source.”
The technique could be used in any number of attack scenarios, Hansen said, including targeted attacks against specific corporate or government users or in a large-scale attack using malicious ads or other content on a compromised site.
Firefox has fixed the pixel-reading issue, but Chrome is still vulnerable.