
Leakuidator: Leaky Resource Attacks and Countermeasures

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2021)

Abstract

Leaky resource attacks leverage the popularity of resource-sharing services to conduct targeted deanonymization on the web. They are simple to execute because many resource-sharing services are inherently vulnerable due to the trade-offs made between security and functionality. Even though previous work has shown that such attacks can lead to serious privacy threats, defending against this threat is an area that has remained largely unaddressed.

In this work, we advance the state of the art on leaky resource attacks on both the attack-effectiveness and attack-mitigation fronts. We first show that leaky resource attacks have a larger attack surface than was previously believed, by showing reliable attack implementations that work across a broader range of browsers and by identifying new variants of the attack. We then propose Leakuidator, the first client-side defense that can be deployed right away, without buy-in from browser vendors and website owners. At a high level, Leakuidator identifies potentially suspicious requests made when a webpage is rendered and, for each such request: (1) renders the request after first removing cookies from it, and (2) initiates a second request that is identical to the original request (i.e., contains the cookies that were removed), but does not render its response. This additional request maintains compatibility with existing web functionality, such as analytics and tracking services. We have implemented Leakuidator as a browser extension for three Chromium-based browsers. Experimental results show that Leakuidator introduces a small overhead and thus the impact on user experience is minimal. The extension also includes usability knobs, allowing users to reuse past choices and to adjust how strict the criteria for identifying potentially suspicious requests are.


References

  1. Cross-Origin Resource Policy (CORP). https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)

  2. Dropbox. https://www.dropbox.com/

  3. The FBI booby-trapped a video to catch a suspected Tor sextortionist. https://www.vice.com/en_us/article/gyyxb3/the-fbi-booby-trapped-a-video-to-catch-a-suspected-tor-sextortionist

  4. Maone, G.: NoScript. https://noscript.net/

  5. Google Drive. https://www.google.com/drive/

  6. Microsoft OneDrive. https://www.microsoft.com/en-us/microsoft-365/onedrive/online-cloud-storage

  7. Network investigative technique. https://en.wikipedia.org/wiki/Network_Investigative_Technique

  8. Puppeteer. https://github.com/puppeteer/puppeteer

  9. Security and tainted canvases. https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image#security_and_tainted_canvases

  10. The U.S. government has withdrawn its request ordering Twitter to identify a Trump critic. https://www.washingtonpost.com/news/the-switch/wp/2017/04/07/the-u-s-government-has-withdrawn-its-request-ordering-twitter-to-identify-a-trump-critic

  11. Verifying origin with standard headers. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers

  12. Bauer, L., Cai, S., Jia, L., Passaro, T., Stroucken, M., Tian, Y.: Run-time monitoring and formal analysis of information flows in Chromium. In: 22nd Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2015)

  13. Cheung, M., She, J.: Evaluating the privacy risk of user-shared images. ACM Trans. Multimedia Comput. Commun. Appl. 12(4s) (2016)

  14. Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: 23rd IEEE Computer Security Foundations Symposium, pp. 200–214. IEEE (2010)

  15. Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: Proceedings of ACM CCS 2016, pp. 1388–1401. ACM (2016)

  16. Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 748–759. ACM (2012)

  17. Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing more pie without touching the sill. J. Comput. Secur. 22(4) (2014)

  18. Heiderich, M., Frosch, T., Jensen, M., Holz, T.: Crouching tiger-hidden payload: security risks of scalable vectors graphics. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 239–250. ACM (2011)

  19. Karami, S., Ilia, P., Polakis, J.: Awakening the web's sleeper agents: misusing service workers for privacy leakage. In: Proceedings of NDSS 2021 (2021)

  20. Karami, S., Ilia, P., Solomos, K., Polakis, J.: Carnus: exploring the privacy threats of browser extension fingerprinting. In: Proceedings of NDSS 2020 (2020)

  21. Lekies, S., Stock, B., Wentzel, M., Johns, M.: The unexpected dangers of dynamic JavaScript. In: Proceedings of the 24th USENIX Security Symposium, pp. 723–735 (2015)

  22. Magazinius, J., Russo, A., Sabelfeld, A.: On-the-fly inlining of dynamic security monitors. In: IFIP International Information Security Conference, pp. 173–186 (2010)

  23. Rajani, V., Bichhawat, A., Garg, D., Hammer, C.: Information flow control for event handling and the DOM in web browsers. In: 2015 IEEE 28th Computer Security Foundations Symposium, pp. 366–379. IEEE (2015)

  24. Roesner, F., Kohno, T., Wetherall, D.: Detecting and defending against third-party tracking on the web. In: Proceedings of USENIX NSDI 2012, pp. 155–168 (2012)

  25. Roesner, F., Rovillos, C., Kohno, T., Wetherall, D.: ShareMeNot: balancing privacy and functionality of third-party social widgets. In: USENIX ;login: (2012)

  26. Schwarz, M., Lipp, M., Gruss, D.: JavaScript Zero: real JavaScript and zero side-channel attacks. In: Proceedings of NDSS 2018 (2018)

  27. Sjösten, A., Acker, S.V., Sabelfeld, A.: Discovering browser extensions via web accessible resources. In: Proceedings of the ACM CODASPY 2017, pp. 329–336 (2017)

  28. Staicu, C.A., Pradel, M.: Leaky images: targeted privacy attacks in the web. In: Proceedings of the 28th USENIX Security Symposium, pp. 923–939 (2019)

  29. Su, J., Shukla, A., Goel, S., Narayanan, A.: De-anonymizing web browsing data with social networks. In: Proceedings of the 26th International Conference on World Wide Web (2017)

  30. Sudhodanan, A., Khodayari, S., Caballero, J.: Cross-origin state inference (COSI) attacks: leaking web site states through XS-Leaks. In: Proceedings of NDSS 2020 (2020)

  31. Venkatadri, G., et al.: Privacy risks with Facebook's PII-based targeting: auditing a data broker's advertising interface. In: Proceedings of IEEE S&P 2018, pp. 89–107. IEEE (2018)

  32. Wondracek, G., Holz, T., Kirda, E., Kruegel, C.: A practical attack to de-anonymize social network users. In: Proceedings of IEEE S&P 2010, pp. 223–238 (2010)


Acknowledgments

This research was supported by the US National Science Foundation under Grants No. CNS 1801430 and DGE 1565478.


Corresponding author

Correspondence to Mojtaba Zaheri.


Appendices

A JavaScript-Based Leaky Resource Attack

Script-Based Attack. The attack page can embed the JavaScript code shown in Fig. 7 in order to disclose information about the outcome of the SD-URL request [28]. The response to the SD-URL request differs depending on the user's state with respect to the target website. In one state, the user is able to retrieve the image successfully, triggering the onload callback, which informs the attacker that the intended victim has visited the attack page. In the other state, the user is unable to retrieve the image, triggering the onerror callback.

Fig. 7. Communication method using JavaScript.
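The two-state observable described in Appendix A, and the two-request mitigation from the abstract, as an added stand-alone model (not the paper's code or the extension's source). The mock sharing service, the cookie names, the site names and the "cross-site request with cookies" heuristic used to flag suspicious requests are assumptions made for illustration.

```javascript
// Constructed mock of a resource-sharing service: the resource behind the
// SD-URL is served only when the request carries the session cookie of the
// one user it was shared with (assumed behaviour, for illustration).
function mockSharingService(req, sharedWith) {
  const user = req.cookies && req.cookies.session;
  return user === sharedWith ? { status: 200 } : { status: 403 };
}

// All the embedding page learns from an <img>: which callback fired.
function observeImage(resp) {
  return resp.status === 200 ? 'onload' : 'onerror';
}

// Assumed heuristic for "potentially suspicious": a cross-site request that
// carries cookies. The strictness knob is modelled as an optional list of
// sites the check is limited to (undefined = check every cross-site request).
function isSuspicious(req, pageSite, watchlist) {
  const crossSite = req.site !== pageSite;
  const hasCookies = !!(req.cookies && Object.keys(req.cookies).length);
  const watched = !watchlist || watchlist.includes(req.site);
  return crossSite && hasCookies && watched;
}

// The mitigation from the abstract: render the request with cookies removed,
// and send the original cookied request without rendering its response.
function leakuidator(req, pageSite, watchlist) {
  if (!isSuspicious(req, pageSite, watchlist)) return { render: req, shadow: null };
  return { render: { ...req, cookies: {} }, shadow: req };
}

// Victim ('alice', the user the SD-URL was shared with) and bystander ('bob')
// each load attacker.example, which embeds the SD-URL as an image.
function simulate(session, defended) {
  const req = { site: 'share.example', path: '/sd/abc', cookies: { session } };
  const plan = defended ? leakuidator(req, 'attacker.example') : { render: req, shadow: null };
  return {
    observed: observeImage(mockSharingService(plan.render, 'alice')),
    shadowStatus: plan.shadow ? mockSharingService(plan.shadow, 'alice').status : null,
  };
}
```

Without the defense the victim and the bystander produce different callbacks; with it both produce onerror, while the shadow request still reaches the service with its cookies.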

B Drawbacks of Existing Defenses

The SameSite cookie attribute can be used to impose restrictions on when cookies associated with a website (i.e., the target website) are actually sent to the target website. When set, this attribute can be assigned three values: strict, lax, and none. If it is set to strict, cookies are sent only when the target website matches the website currently shown in the browser's URL bar. If it is set to lax, cookies are sent when the condition for the strict value is met, but also when the website in the browser's URL bar matches the target website after a top-level navigation. This allows, for example, authentication cookies to be sent to an external website when using a single sign-on service. When the SameSite attribute is set to none, the browser always sends cookies along with requests to the target website.

Although setting this cookie attribute to strict or lax could limit the attack surface in theory, our findings (Sect. 4.4) show that many popular sharing services are still vulnerable, because the attribute is either set to none or not enabled at all. A major reason for this is that the SameSite cookie attribute interferes with services provided by websites, because third-party requests require authentication cookies to be sent along when the service is embedded in another website (e.g., a "watch later" button on an embedded YouTube video, or a personalized service such as favorite locations when embedding Google Maps).
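The three SameSite behaviours described above, as an added model (not the paper's code) that decides whether a cookie accompanies a request. The request-context fields and the site names are assumptions; an absent attribute is modelled as none, matching the paper's framing of "not enabled at all" as vulnerable, although browser defaults differ (Chromium has treated absent SameSite as Lax by default since 2020).

```javascript
// ctx describes one request from the browser's point of view:
//   urlBarSite          site shown in the URL bar when the request is made
//   targetSite          site the request goes to (the cookie's owner)
//   topLevelNavigation  true if the request is itself a top-level navigation
function cookieSent(sameSite, ctx) {
  const sameSiteRequest = ctx.urlBarSite === ctx.targetSite;
  switch (sameSite) {
    case 'strict': // only when the URL bar already shows the target site
      return sameSiteRequest;
    case 'lax':    // strict's condition, or a top-level navigation to the target
      return sameSiteRequest || ctx.topLevelNavigation === true;
    case 'none':   // always sent
      return true;
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Extract the SameSite value from a Set-Cookie header. An absent attribute
// is reported as 'none' here (model assumption, see lead-in).
function sameSiteOf(setCookie) {
  const m = /;\s*SameSite=(Strict|Lax|None)\b/i.exec(setCookie);
  return m ? m[1].toLowerCase() : 'none';
}

// Leaky-resource scenario: share.example set the cookie; a page on
// attacker.example embeds an image from share.example (a subresource
// request, not a top-level navigation).
function embeddedImageGetsCookie(setCookie) {
  return cookieSent(sameSiteOf(setCookie), {
    urlBarSite: 'attacker.example', targetSite: 'share.example', topLevelNavigation: false,
  });
}

// Single sign-on scenario from the text: the user is navigated from
// sso.example back to share.example at the top level.
function ssoRedirectGetsCookie(setCookie) {
  return cookieSent(sameSiteOf(setCookie), {
    urlBarSite: 'sso.example', targetSite: 'share.example', topLevelNavigation: true,
  });
}
```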


Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Zaheri, M., Curtmola, R. (2021). Leakuidator: Leaky Resource Attacks and Countermeasures. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 399. Springer, Cham. https://doi.org/10.1007/978-3-030-90022-9_8


  • DOI: https://doi.org/10.1007/978-3-030-90022-9_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90021-2

  • Online ISBN: 978-3-030-90022-9

  • eBook Packages: Computer Science (R0)
