Researchers uncovered 14 new types of cross-site data leakage attacks that may be used against Tor Browser, Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari and Opera, among other modern web browsers.
Cross-site leaks (also known as XS-Leaks or XSLeaks) are a type of vulnerability that arises from the web platform’s side-channels . 1.) They abuse authorised mechanisms 2.) to infer information about the user by using the web’s essential principle of application, which allows websites to interact with one another.
Browsers provide a range of functions that allow distinct web applications to interact with one another; for example, they allow a website to load subresources, navigate or send messages to another programme. While most security controls built into the web platform (such as the same-origin policy) limit such behaviour, XS-Leaks take advantage of tiny flaws in the system.
An XS-idea Leak’s is to leverage web-based side-channels to leak sensitive information about users, such as their data in other web applications, details about their local surroundings or internal networks to which they are connected.
In addition to a cross-site request forgery (CSRF) attack, which exploits a web application’s confidence in a browser client to do undesired actions on behalf of the user, the new class of vulnerabilities can be weaponized to infer information about a user.
The researchers noted that, “They represent a huge danger to Internet privacy, since simply viewing a web page may show if the victim is a drug addict or leak a sexual orientation.” “XS-Leaks use small amounts of information that are exposed during website interactions […] to divulge sensitive information about users, such as their data in other web apps, details about their local environment, or internal networks to which they are connected.”
The researchers suggest that as a mitigation, all event handler messages be denied, error message occurrences be minimised, global limit limitations be applied, and a new history property be created when redirection happens.
End-users can reduce the applicability of XS-Leaks by enabling first-party isolation and Enhanced Tracking Prevention in Firefox. Safari’s Intelligent Tracking Prevention, which by default bans third-party cookies, also protects any non-cookie-based leaks.
Finally the researchers concluded that ,“The main cause of most XS-Leaks is embedded in the web design, Without doing anything illegal, many programmes are vulnerable to cross-site information leaks. Fixing the fundamental cause of XS-Leaks at the browser level is difficult because doing so would often damage current websites.”