Scientists have discovered four new techniques to expose internet users’ browsing histories, which could be used by hackers to learn which websites they have visited. The techniques fall into the category of “history sniffing” attacks, a concept dating back to the early 2000s.
However, the attacks demonstrated by the researchers from the University of California – San Diego in the US can profile or ‘fingerprint’ a user’s online activity in a matter of seconds, and work across recent versions of major web browsers.
All of the attacks the researchers developed worked on Google Chrome.
Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well as various security-focused research browsers.
The only browser which proved immune to all of the attacks is the Tor Browser, which doesn’t keep a record of browsing history in the first place, researchers said.
“My hope is that the severity of some of our published attacks will push browser vendors to revisit how they handle history data, and I’m happy to see folks from Mozilla, Google, and the broader World Wide Web Consortium (W3C) community already engage in this,” said Deian Stefan, an assistant professor at UC San Diego.
Most internet users are by now familiar with “phishing”: cyber-criminals build fake websites which mimic, say, banks, to trick them into entering their login details, researchers said.
The more the phisher can learn about their potential victim, the more likely the con is to succeed, they said.
After conducting an effective history sniffing attack, a criminal could carry out a smart phishing scheme, which automatically matches each victim to a faked page corresponding to their actual bank.
The phisher preloads the attack code with their list of target banking websites, and conceals it in, for example, an ordinary-looking advertisement.
When a victim navigates to a page containing the attack, the code runs through this list, testing or ‘sniffing’ the victim’s browser for signs that it’s been used to visit each target site.
When one of these sites tests positive, the phisher could then redirect their victim to the corresponding faked version.
The faster the attack, the longer the list of target sites an attacker can ‘sniff’ in a reasonable amount of time.
The fastest history sniffing attacks have reached rates of thousands of URLs tested per second, allowing attackers to quickly put together detailed profiles of web surfers’ online activity.
Criminals could put this sensitive data to work in a number of ways besides phishing: for example, by blackmailing users with embarrassing or compromising details of their browsing histories.
History sniffing can also be deployed by legitimate, yet unscrupulous, companies, for purposes like marketing and advertising, researchers said.
The code can observe these differences — for example, the time an operation takes to execute or the way a certain graphic element is handled — to collect the computer’s browsing history.
To design the attacks, researchers exploited features that allow programmers to customise the appearance of their web page — controlling fonts, colours, backgrounds, and so forth — using Cascading Style Sheets (CSS), as well as a cache meant to improve the performance of web code.
The researchers propose a bold fix to these issues: they believe browsers should set explicit boundaries controlling how users’ browsing histories are used to display web pages from different sites.
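The boundary proposed above can be modelled as a visited-link store keyed by the site on which a link was followed, compared here with a single shared store. This is an added example, not the researchers' code or any browser's implementation; the class names, the keying rule and the `*.example` URLs are assumptions made for illustration.

```javascript
// Toy model of visited-link state; constructed for illustration only.
// Assumption: the "boundary" is the origin of the page that displayed the link.
const siteOf = (url) => new URL(url).origin;

// Shared store: one set of visited URLs answers for every page.
class GlobalHistory {
  constructor() { this.visited = new Set(); }
  recordVisit(linkUrl, _fromPageUrl) { this.visited.add(linkUrl); }
  isVisited(linkUrl, _onPageUrl) { return this.visited.has(linkUrl); }
}

// Bounded store: a visit is remembered only for the site that showed the link.
class PartitionedHistory {
  constructor() { this.bySite = new Map(); }
  recordVisit(linkUrl, fromPageUrl) {
    const key = siteOf(fromPageUrl);
    if (!this.bySite.has(key)) this.bySite.set(key, new Set());
    this.bySite.get(key).add(linkUrl);
  }
  isVisited(linkUrl, onPageUrl) {
    const seen = this.bySite.get(siteOf(onPageUrl));
    return seen !== undefined && seen.has(linkUrl);
  }
}

// Which of a page's links the browser would treat as visited on that page.
function linksShownAsVisited(history, onPageUrl, links) {
  return links.filter((link) => history.isVisited(link, onPageUrl));
}

// Constructed scenario: the user follows one bank link from a search page,
// then a page from an unrelated site lists the same links.
const BANKS = ["https://bank-a.example/login", "https://bank-b.example/login"];

function scenario(history) {
  history.recordVisit(BANKS[0], "https://search.example/results");
  return {
    searchPage: linksShownAsVisited(history, "https://search.example/results", BANKS),
    adPage: linksShownAsVisited(history, "https://ads.example/banner", BANKS),
  };
}

console.log("shared store:     ", scenario(new GlobalHistory()));
console.log("partitioned store:", scenario(new PartitionedHistory()));
```

With the shared store the unrelated page sees the same visited state as the search page; with the partitioned store the search page still shows the link as visited while the unrelated page learns nothing.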