Security News > 2021 > December > Researchers discover 14 new data-stealing web browser attacks
IT security researchers from Ruhr-Universität Bochum and the Niederrhein University of Applied Sciences have discovered 14 new types of 'XS-Leak' cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.
These types of side-channel attacks are called 'XS-Leaks,' and allow attacks to bypass the 'same-origin' policy in web browsers so that a malicious website can steal info in the background from a trusted website where the user enters information.
"The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to," explains the XS-Leaks wiki.
After creating a model based on the above, the researchers found 34 XS-Leaks, 14 of which were novel.
"Depending on the website, XS-Leaks can have a severe impact on users. Users can use an up-to-date browser that allows them to disable third-party cookies. This would protect against most XS-Leaks, even when the website doesn't implement new mitigations like COOP, CORP, SameSite Cookies, and so on." - Knittel.
As for future work, the team believes that new browser features constantly add new potential XS-Leak opportunities, so this is a space of constant interest.
News URL
Related news
- Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
- New HTTP/2 DoS attack can crash web servers with a single connection (source)
- New Windows driver blocks software from changing default web browser (source)
- Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks (source)
- Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike (source)