This JavaScript code could spy on browser tabs to find out what sites the user visits


Even the Tor browser can be monitored with this malicious code

Specialists in digital forensics and information security have revealed a new side-channel attack technique that, according to them, bypasses the privacy defenses of any browser; even the Tor browser is vulnerable to this attack vector. As a result, malicious JavaScript running in one tab of your web browser may spy on other open tabs to determine which websites the user visits.

According to the digital forensics experts, this data could be used to run advertising campaigns targeted specifically at the user, as well as to collect relevant information about the user in order to build a profile, store it and use it for future reference.

Researchers Yossi Oren and Yuval Yarom have described a processor-cache-based website fingerprinting attack that uses JavaScript to collect data and identify any visited website.

“We have demonstrated an attack method that could compromise the ‘user’s secrets’; the attack is able to discover which websites a user visits. This may reveal highly confidential information, such as the user’s sexual orientation, religious beliefs, political preferences, health conditions, etc.,” say the digital forensics experts Yossi Oren (from Ben-Gurion University in Israel) and Yuval Yarom (University of Adelaide, Australia) in a recently published security notice.

This attack vector may not be as serious as a remote attack technique such as arbitrary code execution, but the researchers believe there may be ways to adapt the technique to compromise computer secrets such as encryption keys, or to target vulnerable software. Tor browser users, for example, could face serious consequences if they fall victim to this attack while believing their browsing is kept secret.

A side-channel attack involves monitoring one part of a computer system to collect indicators that can be used to infer highly confidential information. The Spectre, Meltdown and Foreshadow vulnerabilities (transient-execution flaws revealed this year) could be exploited through this type of technique.

The specialists commented that this attack works at the most fundamental levels. “It works in places where Spectre cannot function (for example, across process limits), and patches crafted against Spectre cannot stop it,” they said.

One of the methods used to mitigate these attacks is to limit access to the high-precision timers with which side-channel data is collected. For example, when the Spectre and Meltdown flaws were discovered, Mozilla reported that it would disable or reduce the accuracy of time sources in Firefox, the company’s browser.

But this new browser fingerprinting technique does not need a high-precision timer, because it focuses on the processor’s cache occupancy rather than on the timing of individual memory accesses, as reported by the specialists in digital forensics.
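To make the timer-precision argument concrete, here is an added example (not code from the article or from Oren and Yarom) that models the kind of timestamp coarsening browsers adopted after Spectre; the 1 ms granularity and the jittered rounding scheme are assumptions. It shows why the defense blinds nanosecond-scale measurements yet leaves a signal that unfolds over tens of milliseconds, such as cache occupancy during a page load, essentially intact.

```javascript
// Added example (not from the article or from Oren and Yarom): a model
// of timer-precision reduction. Granularity and jitter are assumptions.
const GRANULARITY_MS = 1;

// Deterministic hash in [0, 1); stands in for a browser's secret
// per-bucket random cut point so the example is reproducible.
function secretThreshold(bucket, seed) {
  let h = (seed ^ bucket) >>> 0;
  h = Math.imul(h ^ (h >>> 16), 0x45d9f3b) >>> 0;
  h = Math.imul(h ^ (h >>> 16), 0x45d9f3b) >>> 0;
  return (h >>> 16) / 0x10000;
}

// Reduce a timestamp (ms) to `granularity` resolution. Each bucket has a
// secret cut point: readings before it round down, readings after it
// round up, so the bucket edge cannot be located by repeated sampling.
function coarsen(t, granularity = GRANULARITY_MS, seed = 0) {
  const bucket = Math.floor(t / granularity);
  const frac = t / granularity - bucket;
  const rounded = frac < secretThreshold(bucket, seed) ? bucket : bucket + 1;
  return rounded * granularity;
}

// How an interval of `trueMs` starting at `start` appears through the
// coarsened clock.
function observedDuration(start, trueMs, granularity = GRANULARITY_MS, seed = 0) {
  return coarsen(start + trueMs, granularity, seed) - coarsen(start, granularity, seed);
}

// Absolute error between the true interval and the reported one.
function measurementError(start, trueMs, granularity = GRANULARITY_MS, seed = 0) {
  return Math.abs(observedDuration(start, trueMs, granularity, seed) - trueMs);
}

// A single cache hit-vs-miss difference (tens of nanoseconds) is erased:
// the clock reports 0 or 1 ms, never the true 50 ns. A 25 ms sample of
// cache occupancy across a page load is still reported to within 1 ms.
console.log(observedDuration(100.3, 0.00005)); // 0 or 1
console.log(measurementError(100.3, 25));      // at most 1
```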

“The cache occupancy measures the occupied percentage of the total cache over a specific period of time,” the researchers explained. “The browser uses a lot of memory, because it receives large amounts of data while displaying several outputs on the screen. This means that it uses a significant portion of the cache when a page is loaded.”

In addition, this approach does not depend on the cache design, which makes cache randomization (a risk mitigation technique) useless against this attack. The attack is also not affected by defenses against network-based fingerprinting, such as a browser serving a page from its response cache instead of the network, or the use of network traffic shaping.

The attack uses JavaScript to measure processor-cache access latency while websites are loaded. These traces are then compared using deep learning techniques, which automatically identify similarities in order to establish that a certain website was visited. In other words, it is possible to determine which website someone is visiting from the way their browser uses the CPU cache while fetching and rendering pages. Malicious JavaScript in one tab can monitor the cache to identify these patterns and infer which websites other tabs have visited.

When the attack was tested on conventional browsers, the researchers were able to classify between 70% and 90% of visited pages correctly. In Tor, the attack achieved an accuracy of only 47%, but when additional data were taken into account the accuracy rose to 72%, the researchers said.