BugTraq
Boolean algebra and CSS history theft Jun 24 2014 07:14AM
Michal Zalewski (lcamtuf coredump cx)
OK, this is more fun than any immediate risk...

Those of you who follow web security topics probably remember that
until mid-2010, you could extract very substantial chunks of one's
browsing history by applying distinctive styling to thousands of
off-screen :visited links and then reading that information back
through the getComputedStyle API or in a couple of related ways.

This loophole has been closed by making it practically impossible to
programmatically measure any side effects of the styling applied to
:visited links (spare for some relatively wonky redraw timing
attacks). The information could be read back only with user's
assistance, which seemed much less interesting for two reasons:

1) It is relatively difficult to come up with really compelling,
casual interactions where the user would unwittingly divulge styling
information on specially prepared links to a rogue website,

2) Even if you could come up with such an attack, you would be limited
to probing roughly one visited link per click, so the throughput would
be very low.

Few months ago, I published a whimsical PoC showing that the first
assumption may be somewhat short-sighted. True to my lifelong dream of
becoming a fabulously wealthy game developer, I created this
low-grade, knock-off version of Asteroids:

http://lcamtuf.coredump.cx/yahh/

Today, I wanted to show an equally silly but less entertaining
proof-of-concept that touches on the latter topic. The PoC shows how
to measure the state of multiple links - possibly a dozen or so - with
a single casual click:

http://lcamtuf.coredump.cx/css_calc/

The PoC is based on carefully constructing Boolean operators with the
extremely rudimentary subset of CSS permitted for :visited links. I
don't want to spoil it all, but you can pull it off in a somewhat
funny way. There is no game included; I was going to have a logo for
this vulnerability instead, but my publicist didn't deliver (again).

Cheers,
/mz

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus