FBI: Cuba ransomware breached 49 US critical infrastructure orgs
Researchers discover 14 new data-stealing web browser attacks
Microsoft Edge now bashes Google Chrome when you download it
Russian internet watchdog announces ban of six more VPN products
The Week in Ransomware – December 3rd 2021 – Seizing Bitcoin
Learn how to build embedded systems for $6 during Cyber Week
US State Dept employees’ phones hacked using NSO spyware
Fake support agents call victims to install Android banking malware
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Toksearches.xyz Search Redirect
Remove the Smashapps.net Search Redirect
Remove the Smashappsearch.com Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of ‘XS-Leak’ cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.
These types of side-channel attacks are called ‘XS-Leaks,’ and allow attacks to bypass the ‘same-origin’ policy in web browsers so that a malicious website can steal info in the background from a trusted website where the user enters information.
“The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to,” explains the XS-Leaks wiki.
For example, an XS-Leak attack could help a background site siphon the email inbox contents from an active tab used for accessing webmail.
Cross-site leaks aren’t new, but as the researchers point out, not all of them have been identified and classified as XS-Leaks, and their root cause remains unclear.
Their research aims to systematically search for new XS-Leaks, evaluate potential mitigations, and generally gain a better understanding of how they work.
The researchers first identified three characteristics of cross-site leaks and evaluated all inclusion methods and leak techniques for a large set of web browsers.
The three main ingredients of all XS-Leaks are inclusion methods, leak techniques, and detectable differences.
After creating a model based on the above, the researchers found 34 XS-Leaks, 14 of which were novel (marked with a plus sign below).
Next, they tested the 34 XS-Leaks against 56 combinations of browsers and operating systems to determine how vulnerable each of them was.
Then they built a web application named XSinator, consisting of three components:
You can visit the XSinator page yourself and run the test to see how well your web browser and OS fare against the 34 X-Leaks.
You can find a full list of XS-leaks that various browsers are vulnerable to below:
Mitigating or addressing the risks that arise from these side-channel attacks need to be resolved by browser developers.
Researchers suggest denying all event handler messages, minimizing error message occurrences, applying global limit restrictions, and creating a new history property when redirection occurs.
Other effective mitigation methods are using X-Frame-Options to prevent iframe elements from loading HTML resources and implementing the CORP header to control if pages can embed a resource.
“COIU, also known as First-Party Isolation (FPI), is an optional security feature that users can enable in FF’s expert settings (about:config) and was initially introduced in Tor Browser.” – from the paper.
One of the participating researchers, Lukas Knittel, told Bleeping Computer the following:
“Depending on the website, XS-Leaks can have a severe impact on users. Users can use an up-to-date browser that allows them to disable third-party cookies. This would protect against most XS-Leaks, even when the website doesn’t implement new mitigations like COOP, CORP, SameSite Cookies, and so on.” – Knittel.
The researcher also said they informed the web browser development teams of their findings, who are now fixing the various issues. The problems have already been fixed in the currently-available versions in some cases.
As for future work, the team believes that new browser features constantly add new potential XS-Leak opportunities, so this is a space of constant interest.
Also, Knittel told us that they might explore the development of a website-scanning tool, but for now, they want to focus on determining how common these flaws are in real-world websites.
Nine WiFi routers used by millions were vulnerable to 226 flaws
Smartwatches for children are a privacy and security nightmare
Researchers warn of severe risks from ‘Printjack’ printer attacks
Microsoft Edge adds Super Duper Secure Mode to Stable channel
Biometric auth bypassed using fingerprint photo, printer, and glue
Not a member yet? Register Now
Nine WiFi routers used by millions were vulnerable to 226 flaws
Russian internet watchdog announces ban of six more VPN products
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

Customize the Windows 11 experience with these free apps

Hackers exploit Microsoft MSHTML bug to steal Google, Instagram credsApple sues spyware-maker…

All Log4j, logback bugs we know so far and why you MUST ditch 2.15

TellYouThePass ransomware revived in Linux, Windows Log4j attacksGoogle Calendar now lets you…

Threat actors steal $80 million per month with fake giveaways, surveys

Scammers are estimated to have made $80 million per month by impersonating…

UK government transport website caught showing porn

Hackers exploit Microsoft MSHTML bug to steal Google, Instagram credsApple sues spyware-maker…