Researchers have discovered 14 new types of cross-site data leakage attacks against a number of modern web browsers, including Tor Browser, Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari, and Opera, among others.
Collectively known as “XS-Leaks,” the browser bugs enable a malicious website to harvest personal data from its visitors as they interact with other websites in the background without the targets’ knowledge. The findings are the result of a comprehensive study of cross-site attacks undertaken by a group of academics from Ruhr-Universität Bochum (RUB) and Niederrhein University.
“XS-Leaks bypass the so-called same-origin policy, one of a browser’s main defences against various types of attacks,” the researchers said in a statement. “The purpose of the same-origin policy is to prevent information from being stolen from a trusted website. In the case of XS-Leaks, attackers can nevertheless recognize individual, small details of a website. If these details are tied to personal data, those data can be leaked.”
Stemming from side channels built into the web platform that permit an attacker to gather this data from a cross-origin HTTP resource, the cross-site bugs impact an array of popular browsers such as Tor, Chrome, Edge, Opera, Safari, Firefox, and Samsung Internet, spanning the Windows, macOS, Android, and iOS operating systems.
The new class of vulnerabilities also differs from a cross-site request forgery (CSRF) attack: whereas CSRF exploits a web application’s trust in a browser client to execute unintended actions on behalf of the user, XS-Leaks can be weaponized to infer information about a user.
“They are a significant threat to Internet privacy since simply visiting a web page may reveal if the victim is a drug addict or leak a sexual orientation,” the researchers explained. “XS-Leaks take advantage of small pieces of information which are exposed during interactions between websites […] to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to.”