Abstract
In this work, we present a Flow Stealing attack, where a victim’s browser is redirected during a legitimate flow. One scenario is redirecting the victim’s browser as it moves from a store to a payment provider. We discuss two attack vectors.
Firstly, browsers have long been susceptible to an attack in which a malicious web page detects whether the browser has visited a target web site, by using CSS to style visited links and then reading out the style applied to a link. For a long time, this CSS history detection attack was perceived as having little impact. Lately, highly efficient implementations of the attack have enabled malicious web sites to extract large amounts of information. Following this, browser developers have deployed measures to protect against the attack. Flow stealing demonstrates that the impact of history detection is greater than previously known.
Secondly, an attacker who can mount a man-in-the-middle attack against the victim’s network traffic can also perform a flow stealing attack.
Noting that different browsers place different restrictions on cross-frame navigation through JavaScript window handles, we suggest a stricter policy based on pop-up blockers to prevent Flow Stealing attacks.
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kreitz, G. (2011). Timing Is Everything: The Importance of History Detection. In: Atluri, V., Diaz, C. (eds) Computer Security – ESORICS 2011. ESORICS 2011. Lecture Notes in Computer Science, vol 6879. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23822-2_7
DOI: https://doi.org/10.1007/978-3-642-23822-2_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23821-5
Online ISBN: 978-3-642-23822-2
eBook Packages: Computer Science (R0)