Researchers uncovered 14 new forms of cross-site data leakage threats against Tor Browser, Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and Opera, among other current web browsers.
The browser flaws collectively called “XS-Leaks,” allow a malicious website to collect personal data from its users. At the same time, they interact with other websites in the background without their awareness. The findings come from a group of scientists from Ruhr-Universität Bochum (RUB) and Niederrhein University, who conducted a detailed investigation of cross-site attacks.
According to the researchers, XS-Leaks circumvent the so-called same-origin policy, which is one of a browser’s key defenses against various forms of attacks. A same-origin policy is in place to prevent information from being stolen from a reputable website. Attackers can still recognize particular, minor features of a website in the case of XS-Leaks. If these facts are linked to personal information, such data may be leaked.
The cross-site bugs are caused by side channels built into the web platform, allowing an attacker to collect information from a cross-origin HTTP resource. They affect a variety of popular browsers, including Tor, Chrome, Edge, Opera, Safari Firefox, and Samsung Internet, and they affect Windows, macOS, iOS, and Android.
While websites cannot directly access data (i.e., read server responses) on other websites due to same-origin restrictions, an infamous online portal can try to load a specific resource or an API endpoint from a website, such as an online banking website, on the user’s browser and draw inferences about the victim’s transaction history. Timing-based side-channels or speculative execution attacks like Spectre and Meltdown might also be the source of the leak.
The researchers suggest that as mitigation, all event handler messages be denied, error message occurrences are minimized, global limit limitations be applied, and a new history property is created when redirection happens. Turning on first-party isolation and Enhanced Tracking Prevention in Firefox has been found to reduce the applicability of XS-Leaks on the end-user side. Safari’s Intelligent Tracking Prevention, which by default bans third-party cookies, also eliminates any leaks that aren’t caused by a pop-up.
