Bad timing: New HTML5 trickery lets hackers silently spy on browsers

New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim's browser, it is claimed.

Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data including browsing history or text from other browser sessions.

Paul Stone, a senior consultant at Context, warned that hackers can use this timing information - which can be accurate to millionths of a second - to read the colour of pixels from web pages that are for the user's eyes only: this allows miscreants to painfully reconstruct words and numbers on the pages, determine which links have been visited, and so on.

The timing feature was supposed to enable smooth animation in web pages: requestAnimationFrame() can be used to calculate the time taken to redraw part, or all of, an open web page.

By opening a web page in an iframe, applying filters and measuring the exact time taken to render bits of them, it is possible to work out which pixels are set. Ideally, the victim should not be aware of the iframe shenanigans.

The JavaScript-powered attack breaks cross-origin restrictions that ought to prevent this sort of trickery. Practically speaking, these attacks are tough to pull off, but that doesn't mean browser vendors should ignore the threat, as the Pixel Perfect Timing Attacks with HTML 5 whitepaper by Stone explains:

The new HTML5 requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data. Two techniques are demonstrated which use this API to exploit timing attacks against Chrome, Internet Explorer and Firefox in order to infer browsing history and read cross-origin data from other websites. The first technique allows the browser history to be sniffed by detecting redraw events. The second shows how SVG filters can be used to read pixel values from a web page. This allows pixels from cross-origin iFrames to be read using an OCR-style technique to obtain sensitive data from websites.

This paper has demonstrated how a malicious website can use the timing of browser graphics operations to steal sensitive user data. Fortunately for users, timing attacks that are easily demonstrated in a controlled environment can prove tricky to implement reliably in the wild. However, this does not mean that browser vendors should not fix these holes. The basic techniques described in this paper will inevitably be improved upon to increase their speed, reliability and real-world usefulness.

Context has notified Google, Microsoft and Firefox-maker Mozilla about its research. The software giants are reportedly investigating ways in which the timing attacks can be prevented, but there may be a trade off between privacy and browser performance to complicate attempts to resolve the problem.

"Finding and fixing timing attacks is hard," said Stone. "The asynchronous URL lookups and filter optimisations that make these timing attacks possible were intended to increase browser performance. Fixing them could involve a trade-off between privacy and performance."

Mozilla, at least, has partially defended users of its Firefox browser against the lines of attack outlined by Stone's research. "Mozilla has tackled the worst of it in Firefox 22 however there may be some SVG filters that are vulnerable to a lesser degree," he said.

Website owners can protect themselves from the pixel reading attacks by disallowing framing of their sites. The relevant HTTP header is primarily intended to prevent click-jacking attacks.

And web surfers can switch to "incognito mode" private browsing, as a workaround.

“Users concerned about these vulnerabilities can mitigate the risks by regularly clearing their browsing history or using private browsing windows to separate their browsing sessions,” Stone advised. “While HTML 5 offers developers a range of new features such as improved animation and graphics support, some of these new capabilities have some unexpected side effects with privacy and security implications."

Stone delivered his research in a talk at the Black Hat hacking conference in Las Vegas last week. ®