A new type of cyberattack allows us to monitor the websites we visit even by disabling JavaScript in the browser

According to an academic 'paper' produced by scientists from the US, Australia and Israel and published earlier this week, it is feasible to use a web browser to track users ... even when they have JavaScript completely disabled.

This novel attack technique falls into the category of side channel attacks, which allow to exploit complex factors of the hardware of our equipment to infer confidential information, analyzing -for example- the electrical radiation of a hard disk.

In the present case, they have developed a method to filter information from web browsers using only HTML and CSS code, which not only makes it cross-platform, but also allows you to attack even browsers with reinforced security such as Tor Browser.

Increasingly complex cyberattacks

This method, dubbed CSS Prime + Probe, shows a website whose code includes a variable that saturates the cache (for example, giving a DIV element a class name with several million characters) and then performs a search for a short substring that does not exist in said text, which forces to scan the full name.

What are 'supercookies', the new systems for monitoring our navigation for which there is no delete button

The goal of this is know the time spent by the system to complete this search operation, which they can know thanks to the fact that just before and after the same DNS resolution requests are carried out to access CSS elements hosted on an online server owned by the attackers.

After testing this technique on computers that had been attacked while accessing a large number of different websites in parallel, the data collected was used by the academic creators of this attack to train a deep neural network model that identifies a specific set of websites visited by a target.

Though similar JavaScript-based attacks (like the ones in canvas firgerprinting) offer much higher precision, according to the study, the precision achieved by this new technique is high enough to filter data that could allow attackers to identify and track users. And it also has the advantage of false sense of security of users who believe they have taken sufficient action by disabling JavaScript.

In fact, the Google Chrome developer team has already stated in the past that, despite their own pioneering work on cache partitioning (reserving separate spaces for different websites), side channel attacks cannot - for now - be completely blocked within browsers.

In fact, in a working document released by the W3C this month, Google engineers already anticipated that side channel attacks would evolve beyond JavaScript and they could be carried out only through CSS.

Via | The Hacker News

© Best Of Giz India. All rights reserved. Distributed by . Distributed by