history timing attack with href switching

Status: NEW (Unassigned)
Opened: 6 years ago
Last updated: 2 months ago

People: Reporter cmcgowen.dev (Unassigned)

Tracking: depends on 1 bug; Version: Trunk; Keywords: privacy


Attachments: 2 attachments, 1 obsolete attachment

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901

Steps to reproduce:

Have an anchor tag
1. Change the anchor tag's href to ""
2. Append the anchor tag to the document
3. Change the anchor tag to the correct href (i.e. wikileaks.org)
4. Remove anchor tag from document
5. Go to 1


Actual results:

After recording the execution time, it is apparent that it takes significantly longer to perform this loop on visited URLs than non-visited ones.


Proof of Concept:
http://badcoding.net/test22_l4jjig4yunmmng127fj112/index.html

This bug is filed without the "security" option because it is already public.



Expected results:

It should take the same amount of execution time to switch visited hrefs as non-visited.
Component: Untriaged → Security
Keywords: privacy
(Reporter)

Comment 1

5 years ago
Any update on this?

Just checked:
Still valid on Firefox 26.0
Purple links (visited urls) generate longer delta values and can lead to browsing history discovery.
(Reporter)

Comment 2

4 years ago
Created attachment 8419916 [details]
test.html

The previous POC had a strange need to be clicked twice before showing a discernible difference in timing. I found that by adding a visited and then a non-visited link initially, this quirk was resolved.

Comment 3

4 years ago
Created attachment 8440414 [details]
Screen capture, newer POC results, layout.css.visited_links_enabled toggled

The results are not so consistent on my Fx30 (Windows 7). I'm a little puzzled that toggling layout.css.visited_links_enabled to false doesn't equalize the times. That would seem to make a history check superfluous.
(Reporter)

Comment 4

4 years ago
Created attachment 8441108 [details]
POC_historyattack.html

Updated POC with a higher iteration count and moved unnecessary work out of the timing loop.
Attachment #8419916 - Attachment is obsolete: true
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86 → All
Version: 13 Branch → Trunk