Inferring browser activity and status through remote monitoring of storage usage

Proceedings of the 32nd Annual Conference on Computer Security Applications Pub Date : 2016-12-05 DOI:10.1145/2991079.2991080

Hyungsub Kim, Sangho Lee, Jong Kim

{"title":"Inferring browser activity and status through remote monitoring of storage usage","authors":"Hyungsub Kim, Sangho Lee, Jong Kim","doi":"10.1145/2991079.2991080","DOIUrl":null,"url":null,"abstract":"Web applications use the local storage of a web browser to temporarily store static resources for caching and persistently store personalized data for stateful services. Since different web applications use the local storage differently in terms of size and time, attackers can infer a user's browser activity and status if they can monitor storage usage: for example, which web site a user is viewing and whether a user has logged in to a certain web site. In this paper, we explore passive and active web attacks that exploit the Quota Management API to extract such information from a web browser, as the API allows us to continuously monitor the size of available storage space. We develop two web attacks: a cross-tab activity inference attack to passively monitor which web site a user is currently visiting and a browser status inference attack to actively identify the browser status such as browser history and login information. Our attacks are successful at stealing private information from Chrome running on various platforms with ∼90% accuracy. We further propose an effective solution against the attacks.","PeriodicalId":419419,"journal":{"name":"Proceedings of the 32nd Annual Conference on Computer Security Applications","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"27","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 32nd Annual Conference on Computer Security Applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2991079.2991080","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 27

Abstract

Web applications use the local storage of a web browser to temporarily store static resources for caching and persistently store personalized data for stateful services. Since different web applications use the local storage differently in terms of size and time, attackers can infer a user's browser activity and status if they can monitor storage usage: for example, which web site a user is viewing and whether a user has logged in to a certain web site. In this paper, we explore passive and active web attacks that exploit the Quota Management API to extract such information from a web browser, as the API allows us to continuously monitor the size of available storage space. We develop two web attacks: a cross-tab activity inference attack to passively monitor which web site a user is currently visiting and a browser status inference attack to actively identify the browser status such as browser history and login information. Our attacks are successful at stealing private information from Chrome running on various platforms with ∼90% accuracy. We further propose an effective solution against the attacks.

查看原文本刊更多论文

通过远程监控存储使用情况推断浏览器活动和状态

Web应用程序使用Web浏览器的本地存储来临时存储用于缓存的静态资源，并持久存储用于有状态服务的个性化数据。由于不同的web应用程序在大小和时间上使用本地存储不同，攻击者可以推断用户的浏览器活动和状态，如果他们可以监控存储使用情况:例如，用户正在查看哪个网站，用户是否登录到某个网站。在本文中，我们探索了被动和主动的web攻击，利用配额管理API从web浏览器中提取此类信息，因为API允许我们持续监控可用存储空间的大小。我们开发了两种网络攻击:一种是跨标签活动推理攻击，被动地监控用户当前访问的网站;另一种是浏览器状态推理攻击，主动识别浏览器状态，如浏览器历史记录和登录信息。我们的攻击成功地窃取了在各种平台上运行的Chrome的私人信息，准确率为90%。我们进一步提出有效的解决方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 32nd Annual Conference on Computer Security Applications

自引率

0.00%

发文量