14 New XS-Leaks (Cross-Site Leaks) Attacks Affect All Modern Web Browsers
Researchers have discovered 14 new types of cross-site data leakage attacks against a number of modern web browsers, including Tor Browser, Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari, Opera, among others.
"The purpose of the same-origin policy is to prevent information from being stolen from a trusted website. In the case of XS-Leaks, attackers can nevertheless recognize individual, small details of a website. If these details are tied to personal data, those data can be leaked."
Stemming from side channels built into the web platform that permit an attacker to gather this data from a cross-origin HTTP resource, the cross-site bugs impact an array of popular browsers such as Tor, Chrome, Edge, Opera, Safari, Firefox and Samsung Internet, across the Windows, macOS, Android and iOS operating systems. The new class of vulnerabilities also differs from cross-site request forgery: where CSRF exploits a web application's trust in a browser client to execute unintended actions on behalf of the user, XS-Leaks are weaponized to infer information about the user.
"XS-Leaks take advantage of small pieces of information which are exposed during interactions between websites [...] to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to."
The core idea is that while websites are not allowed to directly access data on other websites because of same-origin constraints, a rogue online portal can attempt to load a specific resource or an API endpoint from a website, say, an online banking website, on the user's browser and draw inferences about the victim's transaction history.
"Oftentimes applications are vulnerable to some cross-site information leaks without having done anything wrong. It is challenging to fix the root cause of XS-Leaks at the browser level because in many cases doing so would break existing websites."
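Because the root cause is hard to fix in the browser, the practical defense sits on the server: refuse to serve sensitive resources or API endpoints to cross-site requests, so the attacker page described above never gets a response whose size, timing or status it could measure. The following is an added example, not code from the article or from the researchers it cites. It implements a strict variant of the "resource isolation" pattern on top of the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that modern browsers attach to every request, and pairs it with Cross-Origin-Resource-Policy and Cross-Origin-Opener-Policy response headers. The request objects, endpoint names and sample requests are constructed for the example; the decision function is framework-independent and would be wired in as middleware in a real deployment.

```javascript
// Added example: server-side resource isolation against cross-site loads.
// Not from the article; request shape and sample traffic are constructed.

// Sec-Fetch-Site values that do not come from a different site.
const TRUSTED_SITES = new Set(["same-origin", "same-site", "none"]);

// Destinations that would embed the resource inside an attacker's page.
const EMBED_DESTS = new Set(["frame", "iframe", "object", "embed"]);

// Decide whether one request may be served.
// `req` is a plain object { method, headers } with lower-cased header names
// (hypothetical shape; real frameworks expose the same data).
function resourceIsolationDecision(req) {
  const site = req.headers["sec-fetch-site"];
  const mode = req.headers["sec-fetch-mode"];
  const dest = req.headers["sec-fetch-dest"];

  // Older browsers send no Fetch Metadata at all. Do not break them here;
  // the CORP/COOP response headers below still isolate the resource.
  if (site === undefined) return { allow: true, reason: "no-fetch-metadata" };

  // Same-origin, same-site, and user-initiated requests (address bar, bookmark).
  if (TRUSTED_SITES.has(site)) return { allow: true, reason: "same-site-or-user" };

  // Cross-site top-level GET navigations keep inbound links working,
  // but cross-site framing is refused (stricter than the usual pattern,
  // which leaves frames to X-Frame-Options / frame-ancestors).
  if (mode === "navigate" && req.method === "GET" && !EMBED_DESTS.has(dest)) {
    return { allow: true, reason: "cross-site-navigation" };
  }

  // Everything else: cross-site fetch(), <img>, <script>, <iframe> loads, etc.
  return { allow: false, reason: "cross-site-subresource" };
}

// Response headers that isolate the resource even for browsers that did not
// send Fetch Metadata, and tell caches the response depends on those headers.
function isolationHeaders() {
  return {
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
    "Cache-Control": "no-store",
  };
}

// Constructed sample requests against a hypothetical banking site.
const SAMPLE_REQUESTS = [
  { name: "own frontend XHR to /api/history", method: "GET",
    headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { name: "user follows a link from another site", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "cross-site <iframe> of /transactions", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "iframe" } },
  { name: "cross-site fetch() of /api/history", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "empty" } },
  { name: "legacy browser without Fetch Metadata", method: "GET", headers: {} },
];

// Evaluate every sample; returns [{ name, allow, reason }, ...].
function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ name: r.name, ...resourceIsolationDecision(r) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const d of evaluateSamples()) {
    console.log(`${d.allow ? "ALLOW" : "BLOCK"}  ${d.name}  (${d.reason})`);
  }
}
```

The two legitimate cases (the site's own XHR and a user navigating in from elsewhere) are served; the cross-site frame and the cross-site fetch, which are the loads an XS-Leak probes, get a uniform refusal that carries no per-user signal. Requests without Fetch Metadata are let through so that old browsers keep working, which is why the CORP/COOP headers are returned unconditionally rather than only on the blocked path.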
News URL
https://thehackernews.com/2021/12/14-new-xs-leaks-cross-site-leaks.html