Closed Bug 773338 Opened 12 years ago Closed 4 years ago

history timing attack with href switching

Categories

(Firefox :: Security, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: cmcgowen.dev, Unassigned)

Details

(Keywords: privacy, Whiteboard: [pixel-stealing])

Attachments

(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901

Steps to reproduce:

Have anchor tag
1. Change anchor tag href to ""
2. Append anchor tag to document
3. Change anchor tag to correct href (ie: wikileaks.org)
4. Remove anchor tag from document
5. Go to 1


Actual results:

After recording the execution time, it is apparent that it takes significantly longer to perform this loop on visited URLs than non-visited ones.


Proof of Concept:
http://badcoding.net/test22_l4jjig4yunmmng127fj112/index.html

This bug is filed without the "security" option because it is already public.



Expected results:

It should take the same amount of execution time to switch visited hrefs as non-visited.

Component: Untriaged → Security
Keywords: privacy

Any update on this?

Just checked:
Still valid on Firefox 26.0
Purple links (visited urls) generate longer delta values and can lead to browsing history discovery.

Attached file test.html (obsolete)
The previous POC had a strange need to be clicked twice before showing a discernible difference in timing. I found that by adding a visited and then non-visited link initially, this quirk was resolved.

The results are not so consistent on my Fx30 (Windows 7). I'm a little puzzled that toggling layout.css.visited_links_enabled to false doesn't equalize the times. That would seem to make a history check superfluous.

Attached file POC_historyattack.html
Updated POC with higher iteration count and moved unnecessary work from timing loop.
Attachment #8419916 - Attachment is obsolete: true
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86 → All
Version: 13 Branch → Trunk
Whiteboard: [pixel-stealing]

Fixed in Bug 1632765

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
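
The "Expected results" in the report say the loop should take the same time for visited and non-visited hrefs. The following is an added example, not code from this bug or its attachments, showing one way to check that property on already-recorded loop timings when verifying a fix. The function names, the 0.15 tolerance and the sample values are assumptions made for illustration.

```javascript
// Regression check: can two sets of recorded loop timings be told apart?
// Inputs are arrays of per-run durations (ms) for a known-visited and a
// known-unvisited control URL, collected on a test profile.

// Probability that a random "visited" sample is slower than a random
// "unvisited" one. 0.5 means indistinguishable; near 0 or 1 means the
// two timing distributions separate cleanly. Ties count as half.
function separability(visited, unvisited) {
  if (visited.length === 0 || unvisited.length === 0) {
    throw new Error("both sample sets must be non-empty");
  }
  let wins = 0;
  for (const v of visited) {
    for (const u of unvisited) {
      if (v > u) wins += 1;
      else if (v === u) wins += 0.5;
    }
  }
  return wins / (visited.length * unvisited.length);
}

// True when the timings deviate from 0.5 by more than `tolerance`
// (assumed threshold; tune it to the noise floor of the test machine).
function timingsLeakVisitedState(visited, unvisited, tolerance = 0.15) {
  return Math.abs(separability(visited, unvisited) - 0.5) > tolerance;
}

// Constructed samples, not measurements from the bug.
// "Before": visited runs are consistently slower, as the report describes.
const beforeFix = {
  visited: [41, 44, 39, 47, 43],
  unvisited: [22, 25, 21, 24, 23],
};
// "After": both sets draw from the same range of values.
const afterFix = {
  visited: [22, 25, 21, 24, 23],
  unvisited: [23, 21, 24, 22, 25],
};

console.log("before fix leaks:",
  timingsLeakVisitedState(beforeFix.visited, beforeFix.unvisited));
console.log("after fix leaks:",
  timingsLeakVisitedState(afterFix.visited, afterFix.unvisited));
```

A rank-based measure is used here rather than a mean comparison so that a single slow run (GC pause, scheduler noise) does not dominate the result.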