Browser users can be tracked even when JavaScript is disabled
According to an academic paper published this week, threat actors can launch attacks that leak small bits of information from browsers even when JavaScript is completely disabled, allowing for secret tracking even when users might believe they are safe.
Authored by a team of American, Australian, and Israeli academics, the research paper analyzed the state of side-channel attacks that can be carried out against browsers.
A side-channel attack is a technique that can be used to acquire small bits of information leaked by a computer or app, which can later be used to infer broader pieces of information.
Side-channel attacks are usually developed against complicated pieces of technologies, such as CPUs and cryptographic systems, and are employed to leak sensitive data such as encryption keys.
For a long time, most side-channel attacks were considered too complex to execute via web-based technologies, and most attacks relied on a threat actor planting malware that ran native code on the victim's system.
This changed with the public disclosure of the Meltdown and Spectre vulnerabilities, two side-channel attacks disclosed in January 2018 that impacted most processors available on the market at the time, allowing threat actors to leak data being processed inside affected CPUs.
Days after the two bugs were disclosed, Mozilla, and then Google, confirmed that exploitation of the two vulnerabilities didn't necessarily rely on native code and that fully remote side-channel attacks could also be launched via rogue websites running malicious JavaScript code.
Under the hood, those attacks relied on a website's ability to measure time inside the browser using various JavaScript functions. At the time, browser makers responded by limiting access to time-measuring functions in their products or by reducing the accuracy of the functions' results.
Additional measures like deploying per-site isolation containers were also included, but the academic world responded by developing new attack variations that abused other browser JavaScript API features for their attacks, launching a whack-a-mole game with browser vendors.
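The timer-coarsening mitigation mentioned above is easier to grasp with a small model. The following is an added example, not code from the paper or from any browser vendor: it quantizes a high-resolution clock to an assumed granularity and shows how a constructed cache-hit/miss timing difference that is trivial to classify with a nanosecond timer collapses to near chance once the timer only reports multiples of an assumed 5 microseconds.

```javascript
// Added example (not from the paper or the article): a self-contained model
// of why coarsening a browser timer blunts cache-timing measurements.
// All latency and resolution values below are constructed for illustration.

// Quantize a high-resolution timestamp (nanoseconds) to a timer that only
// reports multiples of `resolutionNs`, the way a coarsened performance.now()
// reports multiples of its granularity.
function coarsen(tNs, resolutionNs) {
  return Math.floor(tNs / resolutionNs) * resolutionNs;
}

// Elapsed time as seen through the coarsened timer: both endpoints are
// quantized before subtracting, so sub-resolution intervals read as 0,
// or as one whole tick when they happen to straddle a tick boundary.
function measuredElapsed(startNs, durationNs, resolutionNs) {
  return coarsen(startNs + durationNs, resolutionNs) - coarsen(startNs, resolutionNs);
}

// Constructed sample: alternating cache "hit" (40 ns) and "miss" (300 ns)
// accesses, with drifting start times so intervals land at varying phases.
const SAMPLES = [];
for (let i = 0; i < 200; i++) {
  const isMiss = i % 2 === 1;
  SAMPLES.push({ startNs: i * 1237, durationNs: isMiss ? 300 : 40, isMiss });
}

// Classify each access as hit/miss with a fixed threshold on what the timer
// reports, and return the fraction classified correctly.
function classifyAccuracy(resolutionNs, thresholdNs) {
  let correct = 0;
  for (const s of SAMPLES) {
    const seen = measuredElapsed(s.startNs, s.durationNs, resolutionNs);
    const guessMiss = seen > thresholdNs;
    if (guessMiss === s.isMiss) correct++;
  }
  return correct / SAMPLES.length;
}

// With a 1 ns timer every access is classified correctly; with an assumed
// 5 us granularity most intervals read as 0 and accuracy drops toward 50%.
console.log("fine timer accuracy:  ", classifyAccuracy(1, 100));
console.log("coarse timer accuracy:", classifyAccuracy(5000, 100));
```

The paper's point is that this defense is incomplete: the attacks it describes recover timing information through other means, which is why the article calls the exchange a whack-a-mole game.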
New side-channel attack developed for no-JS environments
But in a research paper released this week and titled "Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses," academics from the Ben-Gurion University of the Negev in Israel, the University of Adelaide in Australia, and the University of Michigan in the US show that side-channel attacks are still possible inside web browsers despite even the most recent mitigations.
Furthermore, their side-channel attacks were also found to work (albeit with reduced accuracy) on privacy-first browsers that have been specifically hardened against Spectre-like attacks, such as the Tor Browser, Chrome running the Chrome Zero extension, and Firefox running the DeterFox add-on.
And last but not least, academics also showed that a side-channel attack relying solely on HTML and CSS code was able to leak enough data from users' browsers even where JavaScript was entirely disabled, a setting that security researchers often recommend to users to prevent tracking, leaks, and side-channel attacks.
These no-JS leaks, albeit of lower accuracy than other JS-based attacks, were enough to allow threat actors to identify and track users, such as determining what websites a user had visited in the past, researchers said.
The academic team said they tested their attacks not only against browsers running on top of Intel CPUs, which were most often shown in the past to be vulnerable to side-channel attacks, but also against browsers running on CPU platforms such as Samsung Exynos, AMD Ryzen, and even Apple's new M1 chip, marking the first known time a side-channel attack was found to work against Apple's new CPU architecture.
Researchers said they notified Intel, AMD, Apple, Chrome, and Mozilla of their findings prior to their paper's publication but did not share the answers they received to their disclosure efforts.
Nonetheless, the Google Chrome team has stated in the past that despite their pioneering work on the Site Isolation feature, side-channel attacks cannot be fully blocked inside browsers for the time being.
In a W3C proposal this month, Google engineers anticipated that side-channel attacks would evolve beyond JavaScript and be carried out via CSS alone and urged developers to change the way they build websites and handle data, providing several recommendations.
Very few websites implement all the defenses necessary for securing them in a Post-Spectre web. Especially against same-site cross-origin attacks. https://t.co/ge0Xf5vBpR
— Eduardo Vela… (@sirdarckcat) March 6, 2021
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.