ProgrammingTech

Javascript Attacks: False Sense of Security

JavaScript reveals something which turns out not to be so great for privacy. Boffins from the Graz University of Technology in Austria have recently devised an automated system for browser profiling using two new side channel attacks that can help extract information regarding both hardware and software to fingerprint browsers and enhance the effectiveness of exploits.

In a paper, “JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits”, researchers Florian Lackner, Michael Schwarz, and Daniel Gruss have described a technique of collecting information about browsers that questions the effectiveness of anonymized browsing and privacy extensions. The paper was brought to our attention this week and was presented earlier this year at the Network and Distributive System Security Symposium.  

The researchers said that this automated browser profiling scheme facilitates browser fingerprinting, and also overcomes some anti-fingerprinting techniques. It also shows that browser privacy extensions “can leak more information than they disguise, and can even be semi-automatically circumvented, which will lead to a false sense of security.”

The technique described can expose information about supposedly hidden parts of the browser environment with a particular efficiency because of its automation. The upshot is that this technique is not going to unmask you immediately, and though it is not perfect by any means, it could definitely be used to track you around the internet. The technique is made exclusively to identify computing environments and not users. Graz boffins hope their work will help in the advancement of defensive research rather than attack magnification.

The boffin’s exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version but also the properties of JavaScript objects, along with installing privacy extension, operating system, and privacy mode.

The paper ‘JavaScript Template Attacks’ shows that there are far more of these than the ones covered in the official documentation. This simply means that browser fingerprints have the potential to be far more detailed than they are now. The authors Schwarz, Gruss, and Lackner hope that the browser makers will consider their findings as they work to improve browser along with privacy extensions.

Tags

Kelley

I Kelley is a tech enthusiast, a programmer, and a football player. She deeply believes that technology has now the capability to shape the future of people if used in the right direction.
Back to top button
Close
Close