An anonymous reader quotes a report from Motherboard: Most modern browsers — such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) — have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user’s web history, per new research from the University of California San Diego. What’s worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user’s internet history.
The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there’s a different set of rules and style that apply to links depending on whether they’ve been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by “sniffing,” or inferting your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you’ve visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second. Bad actors could exploit a “bytecode cache,” which speeds up the loading time for revisiting a link that you’ve already visited. “By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you’ve visited it or not,” reports Motherboard. “Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as “security-sensitive” but “low-priority.”
of this story at Slashdot.
Source:: Slashdot