Browser Bug Exposes User Data in Top Websites, NJIT Researchers Find
An unpatched security bug in most web browsers allows hackers to monitor specific site visitors while leaving little evidence of a digital trail, researchers with New Jersey Institute of Technology revealed.
The bug can be exploited with well-crafted code that can, for example, wait for a targeted person to view an embarrassing website, record data about their clicks and share that data with those who wish to use it against the visitor.
"We basically introduce new attacks that seek to achieve deanonymization on the web," explained Reza Curtmola, professor of computer science affiliated with NJIT's Cybersecurity Research Center, whose team discovered the bug by using an established technique.
"There are certain categories of Internet users who may actually be significantly affected, for example, people who organize and participate in political protests, or journalists that are reporting on some inconvenient topics, maybe people who network with some of their fellow members of a minority group," Curtmola observed.
The technique examines data in what's known as a leaky resource attack. When browsers receive requests from media services such as YouTube, information flows through what's called the processor side channel, where there is rarely sufficient protection from eavesdroppers. All the attackers need to know is some identifying piece of information about their target, such as the target's email address or Twitter handle, to execute such an attack. The attack can take as little as three seconds to execute. It has been tested on popular browsers including Chrome, Firefox, Safari and even the high-security Tor, along with media-centric websites including Facebook, Instagram, LinkedIn, Reddit, TikTok, Twitter and YouTube.
It's unknown whether anyone has fallen victim to such an attack, but smart criminals would only use the method sparingly and for high-value individuals. It could also be used by law enforcement to catch criminals, such as identifying the users of a Dark Web forum where illegal activity is discussed.
"Think about the case of a law enforcement agency who has covertly taken control of an underground extremist forum. And so then this agency wants to identify the users of this forum but cannot do it by default because these people may use pseudonyms to connect. But the agency has also gathered a list of Facebook accounts who are suspected to be users of this forum, and then using this type of attack that we introduce, the law enforcement agency would be able to cross reference the pseudonyms on this forum with the list of potential suspects based on their Facebook handle."
Considering the good and bad potential applications, "I don't know if it's a good or bad thing, but some people may view this as a serious breach of privacy," Curtmola continued. The attack even works in the Tor browser, which is advertised as more secure than mainstream browsers.
Curtmola alerted the developers of Google Chrome, Apple Safari and Mozilla Firefox — which together represent almost 90% of all installed browsers on personal computers — but that happened early this year, and not much has been done to fix the problem. The problem is hard to fix, he said, and developers at major websites aren't yet convinced how to do so. It could involve changing some of the web's technical standards, which is a slow process. It could also involve shared responsibility between browsers and media websites, where suspicious requests raise alerts.
In the meantime, Curtmola's team built a free extension for Chrome and Firefox that checks for side-channel communications, alerts users and asks them how to proceed. The extension is called Leakuidator+ and is already available.
Curtmola and collaborators will present their research August 11 at the prestigious USENIX computer security conference in Boston.