Experts at the Ruhr University in Bochum and the Lower Rhine University of Applied Sciences (Germany) have identified 14 new XS-Leaks attacks on modern browsers, including Google Chrome, Microsoft Edge, Safari and Mozilla Firefox.
XS-Leaks are side-channel attacks that allow malicious sites to bypass the same-origin policy in the browser and steal information in the background from a trusted resource where the user enters data. For example, with the help of such an attack, a site opened in an inactive browser tab can steal the contents of an e-mail inbox from the e-mail service in the active tab.
Cross-site leaks are nothing new. According to the researchers, however, not all of them have been identified and classified as XS-Leaks, and the root cause of the problem remains unclear.
Experts from the Ruhr University in Bochum and the Lower Rhine University of Applied Sciences therefore set out to investigate and discover new XS-Leaks methods, develop defense mechanisms, and gain a better understanding of how these attacks work.
The researchers first identified three characteristics of cross-site leaks and evaluated all inclusion methods and leakage techniques across a wide range of browsers. The three main components of every XS-Leak are an inclusion method, a leakage technique, and a detectable difference. By building a model on these characteristics, the researchers identified 34 XS-Leaks attacks, 14 of which were previously unknown.
The experts tested all the attacks they identified on 56 combinations of browsers and operating systems to determine how vulnerable they are. They have developed the website XSinator.com, which allowed them to automatically scan browsers for these leaks. Popular browsers such as Chrome and Firefox, for example, were vulnerable to a large number of XS-Leaks.
It is up to browser developers to mitigate or eliminate the risks associated with these attacks, the researchers said. Specifically, they suggest disabling all event handler messages, minimizing error messages, enforcing global limits, and creating a new history property on redirection. Other effective mitigation techniques are using X-Frame-Options to prevent HTML resources from being loaded in iframes and implementing a CORP header to control whether other pages may embed the resource.
"COIU, also known as First-Party Isolation (FPI), is an optional security feature that users can activate in Firefox's settings (about:config) and was originally introduced in the Tor Browser," the researchers said.
Depending on the site, XS-Leaks attacks can have very serious consequences. Users are advised to work with fully updated browsers and disable third-party cookies. This will protect them from most XS-Leaks attacks, even if the site does not use new protection methods like COOP, CORP, SameSite Cookies, etc.
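As an added example (not code from the article or from the XSinator project), the Python function below audits an HTTP response's headers for the server-side mitigations named above: X-Frame-Options (or CSP frame-ancestors), CORP, COOP and SameSite cookies. The two sample responses are constructed, not captured from any real site.

```python
from typing import Dict, List

def audit_xs_leak_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for missing mitigations; an empty list means all present.
    headers maps header name -> list of values (Set-Cookie may repeat)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    # 1. Framing: X-Frame-Options (or CSP frame-ancestors) keeps the page out of
    #    iframes on other sites.
    xfo = [v.strip().upper() for v in h.get("x-frame-options", [])]
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if not (xfo and xfo[0] in ("DENY", "SAMEORIGIN")) and "frame-ancestors" not in csp:
        findings.append("framing: no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")
    # 2. CORP: limits which origins may embed the resource as a subresource.
    corp = [v.strip().lower() for v in h.get("cross-origin-resource-policy", [])]
    if not corp or corp[0] not in ("same-origin", "same-site"):
        findings.append("corp: Cross-Origin-Resource-Policy missing or cross-origin")
    # 3. COOP: cuts the window reference a cross-origin opener keeps to this page.
    coop = [v.strip().lower() for v in h.get("cross-origin-opener-policy", [])]
    if not coop or coop[0] == "unsafe-none":
        findings.append("coop: Cross-Origin-Opener-Policy missing or unsafe-none")
    # 4. Cookies: SameSite=Lax/Strict keeps credentials off cross-site requests,
    #    which is what makes the leaked state user-specific in the first place.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [p.strip().lower() for p in cookie.split(";")[1:]]
        samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
        if samesite not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite is {samesite or 'unset'}")
    return findings

# Constructed sample responses (not captured from any real site).
HARDENED = {
    "X-Frame-Options": ["DENY"],
    "Cross-Origin-Resource-Policy": ["same-origin"],
    "Cross-Origin-Opener-Policy": ["same-origin"],
    "Set-Cookie": ["session=abc; Secure; HttpOnly; SameSite=Lax"],
}
WEAK = {
    "Cross-Origin-Opener-Policy": ["unsafe-none"],
    "Set-Cookie": ["session=abc; Secure; HttpOnly", "pref=1; SameSite=None"],
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_xs_leak_headers(hdrs) or "ok")
```

Header names are matched case-insensitively, so the function works on headers as returned by any HTTP client that exposes them as name-to-values mappings.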
The researchers shared their findings with the browser developers who are currently working on fixing the problems.