IT Security

14 new attacks on web browsers detected

Using so-called XS-Leaks, personal data can be accessed on the web. Many browsers are affected.

IT security experts have identified 14 new types of attacks on web browsers that are known as cross-site leaks, or XS-Leaks. Using XS-Leaks, a malicious website can grab personal data from visitors by interacting with other websites in the background. The researchers from Ruhr-Universität Bochum (RUB) and Niederrhein University of Applied Sciences tested how well 56 combinations of browsers and operating systems are protected against 34 different XS-Leaks. To this end, they developed the website XSinator.com, which allowed them to automatically scan browsers for these leaks. Popular browsers such as Chrome and Firefox were vulnerable to a large number of XS-Leaks. “XS-Leaks are often browser bugs that have to be fixed by the manufacturer,” says Lukas Knittel, one of the Bochum authors of the paper.

The researchers published their findings online and at the “ACM Conference on Computer and Communications Security”, which was held as a virtual event in mid-November 2021. At the conference, Lukas Knittel, Dr. Christian Mainka, Dominik Noß and Professor Jörg Schwenk from the Horst Görtz Institute for IT-Security at RUB as well as Professor Marcus Niemietz from the Niederrhein University of Applied Sciences received a Best Paper Award for their study. The study took place within the Cluster of Excellence “CASA – Cyber Security in the Age of Large-Scale Adversaries”.

How XS-Leaks work

XS-Leaks bypass the so-called same-origin policy, one of a browser’s main defences against various types of attacks. The purpose of the same-origin policy is to prevent information from being stolen from a trusted website. In the case of XS-Leaks, attackers can nevertheless recognise individual, small details of a website. If these details are tied to personal data, those data can be leaked. For example, emails in a webmail inbox could be read from a malicious site, because the search function would respond in a different way depending on whether there were results for a search term or not.
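The webmail example above works because the search endpoint answers differently for a term with and without hits, and because the browser attaches the victim's session to the request that the malicious site triggers in the background. What follows is an added example, not code from the paper or from XSinator.com, of a server-side mitigation that the press release itself does not discuss: a Fetch Metadata resource-isolation check, using the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest request headers that current browsers send, placed in front of a hypothetical webmail search handler. The `Request` class, the handler name `handle_search`, the inbox contents and the policy function are constructed for this example.

```python
from dataclasses import dataclass, field

# Sec-Fetch-Site values that never originate from a third-party site.
TRUSTED_SITES = {"same-origin", "same-site", "none"}

# Constructed inbox for the example; a real handler would query the mailbox.
CONSTRUCTED_INBOX = ["Invoice from ACME", "Lunch tomorrow?", "Password reset"]


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)

    def __post_init__(self):
        # Header names are case-insensitive; normalise once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    def header(self, name):
        return self.headers.get(name.lower(), "")


def is_allowed_by_isolation_policy(req):
    """Fetch Metadata resource-isolation check.

    Returns True when the request may be answered with user data and False
    when it should be refused before any site-specific work is done.
    """
    site = req.header("sec-fetch-site")
    # Caveat: browsers without Fetch Metadata support send no header at all.
    # Refusing those would break them, so they are allowed through; the
    # policy protects users of current browsers only.
    if not site:
        return True
    if site in TRUSTED_SITES:
        return True
    # Cross-site requests are allowed only as plain top-level navigations
    # (a user following a link), never as fetch/XHR, iframes, <object>/<embed>
    # or other sub-resource loads that a page can issue and observe.
    return (
        req.header("sec-fetch-mode") == "navigate"
        and req.method.upper() == "GET"
        and req.header("sec-fetch-dest") not in ("object", "embed")
    )


def handle_search(req, term):
    """Hypothetical webmail search handler. Returns (status, headers, body)."""
    if not is_allowed_by_isolation_policy(req):
        # The same 403 regardless of the search term: nothing mailbox-specific
        # has been computed yet, so there is no result-dependent difference.
        return 403, {}, "forbidden"
    hits = [s for s in CONSTRUCTED_INBOX if term.lower() in s.lower()]
    headers = {
        # Isolate the result page from any window that opened it.
        "Cross-Origin-Opener-Policy": "same-origin",
        # Let the browser refuse cross-origin no-cors loads of this resource.
        "Cross-Origin-Resource-Policy": "same-origin",
    }
    # One status code whether or not there are hits; the difference lives in
    # the body, which only same-origin JavaScript is allowed to read.
    return 200, headers, "\n".join(hits)


if __name__ == "__main__":
    probe = Request("GET", {"Sec-Fetch-Site": "cross-site",
                            "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"})
    print(handle_search(probe, "invoice"))   # (403, {}, 'forbidden')
    own = Request("GET", {"Sec-Fetch-Site": "same-origin",
                          "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"})
    print(handle_search(own, "invoice")[0])  # 200
```

The check runs before the search itself, so a refused request carries no result-dependent signal (status, size or timing) for the attacker's page to compare. It is a layer, not a complete fix: browsers that predate Fetch Metadata are let through unprotected, and leaks that are genuine browser bugs, as the researchers point out, still have to be fixed by the browser vendor.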

Systematic search for new attacks

In order to systematically analyse XS-Leaks, the group first identified three characteristics of such attacks. Based on these, they then derived a formal model that both aids in understanding XS-Leaks and helps in detecting new attacks. As a result, the researchers identified 14 new attack categories.

Funding

The German Research Foundation funded the research under the umbrella of the Cluster of Excellence CASA (EXC 2092 – 39078197). Additional funding was supplied by the German Federal Ministry for Economic Affairs and Energy as part of the “Industrie 4.0 Recht-Testbed” project (funding code 13I40V002C) and by the European Regional Development Fund of the Land of North Rhine-Westphalia (EFRE.NRW) as part of the “MITSicherheit.NRW” project.

Original publication

Lukas Knittel, Christian Mainka, Marcus Niemietz, Dominik Trevor Noß, Jörg Schwenk: XSinator.com: From a formal model to the automatic evaluation of Cross-Site Leaks in web browsers, ACM Conference on Computer and Communications Security (ACM CCS), 2021, online conference, Paper download

Press contact

Lukas Knittel
Horst Görtz Institute for IT-Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26725
Email: lukas.knittel@rub.de

Dr. Christian Mainka
Horst Görtz Institute for IT-Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26796
Email: christian.mainka@rub.de


Published: Thursday, 02 December 2021, 10:16 am

By: Julia Weiler (jwe)

Translated by: Donata Zuber
