Researchers have uncovered 14 new cross-site data leakage attacks. The attacks affect most modern web browsers: Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari, and Opera.
The attacks are made possible by bugs that plague these browsers. The bugs allow malicious websites to access visitors' data without the visitors' knowledge as they interact with other websites. The bugs were found when groups of academics from Ruhr-Universität Bochum (RUB) and Niederrhein University undertook a detailed study of cross-site attacks.
“XS-Leaks bypass the so-called same-origin policy, one of a browser’s main defences against various types of attacks,” the researchers said in a statement. “The purpose of the same-origin policy is to prevent information from being stolen from a trusted website. In the case of XS-Leaks, attackers can nevertheless recognize individual, small details of a website. If these details are tied to personal data, those data can be leaked.”
The data harvesting is possible because side channels built into the web platform allow attackers to collect data from a cross-origin HTTP resource. The cross-site bugs affect popular browsers such as Safari, Firefox, and Samsung Internet, across operating systems including Windows, macOS, Android, and iOS.
“They are a significant threat to Internet privacy since simply visiting a web page may reveal if the victim is a drug addict or leak a sexual orientation,” the researchers explained. “XS-Leaks take advantage of small pieces of information which are exposed during interactions between websites to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to.”
As mitigation measures, the researchers suggest prohibiting all event handler messages, minimizing error message occurrences, applying global limit restrictions, and creating a new history property upon redirection.