Thursday, August 8, 2013

Browser Timing Attacks

Pixel Perfect Timing Attacks with HTML5   


This paper describes a number of timi ng attack techniques that can be used by a malicious web page to steal sensitive data from a browser, breaking cross - origin restrictions. The new requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on t iming data . The first technique allows the browser history to be sniffed by detecting redraw events. The second part of the paper shows how SVG filters are vulnerable to a timing attack that can be used to read pixel values from a web page. This allows pix els from cross - origin iframes to be read using an OCR - style technique to obtain sensitive data from websites 

Download PDF:

No comments: