Browser attack allows tracking users online with JavaScript disabled

Researchers have discovered a new side-channel that they say can be reliably exploited to leak information from web browsers that could then be leveraged to track users even when JavaScript is completely disabled. By Ravie Lakshmanan.

“This is a side-channel attack which doesn’t require any JavaScript to run,” the researchers said. “This means script blockers cannot stop it. The attacks work even if you strip out all of the fun parts of the web browsing experience. This makes it very difficult to prevent without modifying deep parts of the operating system.”

Because they avoid JavaScript, the side-channel attacks are also architecture-agnostic, resulting in microarchitectural website fingerprinting attacks that work across hardware platforms, including Intel Core, AMD Ryzen, Samsung Exynos 2100, and Apple M1 CPUs, making it the first known side-channel attack on the iPhone maker’s new ARM-based chipsets.

Side-channel attacks typically rely on indirect data such as timing, sound, power consumption, electromagnetic emissions, vibrations, and cache behavior in an effort to infer secret data on a system. Specifically, microarchitectural side-channels exploit the shared use of a processor’s components across code executing in different protection domains to leak secret information like cryptographic keys. Interesting!
