Browser history re: visited

Michael Smith, Craig Disselkoen, Shravan Narayan, Fraser Brown, Deian Stefan
2018 Workshop on Offensive Technologies  
We present four new history sniffing attacks. Our attacks fit into two classical categories, visited-link attacks and cache-based attacks, but abuse new, modern browser features (e.g., the CSS Paint API and JavaScript bytecode cache) that do not account for privacy when handling cross-origin URL data. We evaluate the attacks against four major browsers (Chrome, Firefox, Edge, and IE) and several security-focused browsers (ChromeZero, Brave, FuzzyFox, DeterFox, and the Tor Browser). Two of our attacks are effective against all but the Tor Browser, whereas the other two target features specific to Chromium-derived browsers. Moreover, one of our visited-link attacks (CVE-2018-6137) can exfiltrate history at a rate of 3,000 URLs per second, an exfiltration rate that previously led browser vendors to break backwards compatibility in favor of privacy. We hope that this work will lead browser vendors to further reconsider the design of browser features that handle privacy-sensitive data.
dblp:conf/woot/SmithDNBS18 fatcat:rbbyjhhrmbcn5lzhgegul4nsqi