Issue title: Research in Computer Security and Privacy: Emerging Trends
Guest editors: Vijay Atluri and Claudia Diaz
Article type: Research Article
Authors: Kreitz, Gunnar
Affiliations: KTH – Royal Institute of Technology, Stockholm, Sweden. E-mail: gkreitz@kth.se
Abstract: In this work, we present a Flow Stealing attack, where a victim's browser is redirected in the middle of a browsing session. We detail two attack scenarios. The first is redirecting the victim's browser as it moves from a store to a payment provider, and the second redirects the victim to a phishing page, when she navigates to one of a set of target sites. A key issue in flow stealing is correctly timing the redirect. The main way to accomplish this is to leverage a history detection attack to test whether the victim has visited a target. By repeatedly polling, an attacker learns when the victim navigates to a tested target page. With this application, we demonstrate that the impact of history detection is greater than previously known. Our primary history detection mechanism is a cache timing attack, measuring the time it takes to load an element to determine if it was served from the browser cache. This attack works with present browser versions. We also discuss CSS history detection, based on detecting the styling of visited links, which has been solved in most browsers. Lastly, we also consider a network-based attacker who can mount a man-in-the-middle attack on the victim's network traffic. We discuss several countermeasures against flow stealing. These include two new proposed policies on JavaScript window navigation which can be implemented by browser vendors. We also present mitigations which can be implemented by individual stores or payment providers.
Keywords: Web security, flow stealing, history detection
DOI: 10.3233/JCS-130466
Journal: Journal of Computer Security, vol. 21, no. 3, pp. 371-391, 2013
Publisher: IOS Press, Inc.