Google security researcher: Browsing history can be stolen despite current defenses

Google security engineer demonstrates a reliable way of stealing browsing history using cache timings

Stealing browsing history is still possible despite defenses currently implemented in browsers, according to Google security engineer and vulnerability researcher Michal Zalewski.

History theft is a type of attack that can expose what websites users have visited in the past by determining how their browsers display links to them. By default, all browsers display previously visited links differently than non-visited links, due to definitions in their internal Cascading Style Sheets (CSS).


CSS-based history theft not only violates the privacy of the victims, but can actually assist hackers in performing other, more serious, attacks. For example, a phisher could use this method to determine what banking websites victims have visited and then pose as those institutions.

"In the past few years, browser vendors have severely crippled CSS :visited selectors in order to prevent CSS-based history snooping that made the headlines not long ago," Zalewski said in a blog post. However, other methods of extracting browsing history information without relying on CSS exist.

One such technique is to measure how quickly certain websites are rendered by the user's browser and use the results to determine whether they were loaded from the cache. For a page to be in the browser's cache, it must have been visited at some point.

While possible in theory, cache timing attacks were considered impractical because they were slow, visible to the victim, and impossible to execute more than once. However, that's no longer the case, according to Zalewski, who devised a proof-of-concept cache-based history-stealing attack that overcomes most of those limitations.

"My proof of concept is fairly crude, and will fail for a minority of readers; but in my testing, it offers reliable, high-performance, non-destructive cache inspection that blurs the boundary between :visited and all the 'less interesting' techniques," the security researcher said.

Zalewski's research serves as a warning to browser vendors that alternative history snooping methods should not be forgotten just because, at some point in time, no one was able to provide a reliable and practical implementation.
