"History sniffing" promises a nose full of dust or, you're talking about web browsers, a whiff of the websites you've visited.
And that may be enough to compromise your privacy and expose data that allows miscreants to target you more effectively with tailored attacks. For example, a phishing gambit that attempts to simulate your bank login page has a better chance of success if it presents the web page for a bank where you actually have an account.
In August, at the 2018 USENIX Workshop on Offensive Technologies (WOOT), security researchers from Stanford University and UC San Diego described four novel attack techniques designed to reveal the browsing histories of internet users.
CSS page disclosure risks first surfaced in 2002. Though addressed in later years through browser code changes, the issue has resurfaced thanks to evolving web APIs.
Google, given advance noticed by the researchers, fixed the most serious of flaws (CVE-2018-6137) in Chrome 67 back in May. The vulnerability allowed an attacker to determine whether or not a link had been visited by using the CSS Paint API to check if a "paint" method – used to change the color of visited links – had been invoked. The technique allowed an attacker to probe for visited links at a rate of about 3,000 per second.
But three of the vulnerabilities remain. In an email to The Register, Deian Stefan, assistant professor in the UCSD computer science and engineering department, confirmed as much, though he said the flaws are timing side channel attacks, which makes them considerably less severe than the CSS Paint API attack.
Stefan and his colleagues say Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer, and Brave are all affected to some extent. Those who favor the Tor browser are immune to these attacks since Tor doesn't store a user's browser history.
The 3D transform attack, for example involves stacking a series of 3D transforms on top of other CSS effects in order to create a link that's difficult to render. By switching the link back and forth between two different destination URLs, in conjunction with the
Deian said the remaining browser history attacks are being discussed by developers involved with the World Wide Web Consortium (W3C). "We've also been talking with Firefox and Chrome folks about doing measurements to see what impact this fix may have on existing sites," he said.
As a defense, the researchers have suggested that browser makers adopt a same-origin-style policy to cover all persistent data, similar to the same-origin policy that restricts scripts to specific domains.
The Register asked Brave, Google, and Mozilla for comment but we've not heard back. ®