New CSS Prime+Probe browser attack allows tracking

The attack is able to overcome side-channel defenses in numerous popular browsers and run even when JavaScript is disabled.

java

java

Academics from Ben-Gurion University of the Negev, the University of Michigan, and the University of Adelaide have recently published research on a new side-channel that can be used to leak details from popular web browsers and can allow hackers to track users even when JavaScript is totally disabled.

According to the findings of the above-mentioned group of academics, the newly discovered side-channel attack needs no JavaScript to run and cannot be stopped by script blockers. The malicious actors who are using this attack can achieve their goal even if all enjoyable web surfing experiences are blocked in the browser. What makes the attack even more problematic is the fact that it cannot be prevented without applying significant changes in deep sections of the operating system.

Described as “CSS Prime+Probe”, this side-channel attack is based entirely on HTML and CSS and is able to operate not only on regular browsers, but also in hardened browsers like Tor, Chrome Zero, and DeterFox, that have a totally disabled JavaScript or a restricted resolution of the timer API.

The academics that are researching this attack explain that the accuracy achieved by CSS Prime+Probe is sufficient to leak data that malicious actors can effectively use to identify and track users.

How do side-channel attacks work?

In order to gain access to sensitive data on a given device without using JavaScript, side-channel attacks usually focus on collecting indirect data such as timing, sound, electromagnetic emissions, vibrations, cache, and power consumption. Microarchitectural side-channel attacks, in particular, collect secret data like cryptographic keys by utilizing the shared use of a processor’s components across code executing in different protection domains.

Side-channels that don’t rely on JavaScript may involve microarchitectural website fingerprinting attacks that operate through hardware platforms such as Intel Core, Samsung Exynos 2100, AMD Ryzen, and even Apple M1 CPUs,  making them the first documented side-channel attacks on the latest Apple ARM chipsets.

A lot of popular browsers have built-in protections to defend against fingerprinting and timing attacks by decreasing the accuracy of time-measuring, as well as adding support for JavaScript disabling through additional features like NoScript.

The newly reported attack, discovered by the Ben-Gurion researchers, however, targets popular browsers through a cache-based side-channel. This approach allows the attack to bypass the browser’s defense mechanisms.

 


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment