Context presents dangerous side effects of new browser features yesterday at Black Hat USA 2013
1 August 2013: At Black Hat 2013 in Las Vegas yesterday, Paul Stone, a senior consultant at Context Information Security, presented details of new vulnerabilities and threats to security and privacy as a result of HTML 5 features in the latest generation of web browsers. His talk, entitled Pixel Perfect Timing Attacks with HTML 5, showed how cross-browser vulnerabilities in Chrome, Internet Explorer and Firefox can be used to access browsing histories and read data from websites after visitors have logged in. A detailed White Paper has also been published today and is available online at http://contextis.co.uk/research/white-papers/pixel-perfect-timing-attacks-html5/
While traditional browser timing attacks involve cache or network timing, it is now possible to use a number of new techniques that perform timing attacks on graphics operations involving CSS and SVG to extract sensitive data from your browser, including your browsing history or text from other browser sessions. In effect, hackers can use timing information to read pixels from web pages, allowing them to tell which links have been visited and to read text from other websites.
“While HTML 5 offers developers a range of new features such as improved animation and graphics support, some of these new capabilities have some unexpected side effects with privacy and security implications,” says Context’s Paul Stone.
Context alerted browser vendors as soon as it discovered the vulnerabilities and they are investigating ways in which the timing attacks can be prevented. “Users concerned about these vulnerabilities can mitigate the risks by regularly clearing their browsing history or using private browsing windows to separate their browsing sessions,” adds Stone.