Timing is everything: The importance of history detection

Abstract

In this work, we present a Flow Stealing attack, where a victim's browser is redirected during a legitimate flow. One scenario is redirecting the victim's browser as it moves from a store to a payment provider. We discuss two attack vectors. Firstly, browsers have long admitted an attack allowing a malicious web page to detect whether the browser has visited a target web site by using CSS to style visited links and read out the style applied to a link. For a long time, this CSS history detection attack was perceived as having small impact. Lately, highly efficient implementations of the attack have enabled malicious web sites to extract large amounts of information. Following this, browser developers have deployed measures to protect against the attack. Flow stealing demonstrates that the impact of history detection is greater than previously known. Secondly, an attacker who can mount a man-in-the-middle attack against the victim's network traffic can also perform a flow stealing attack. Noting that different browsers place different restrictions on cross-frame navigation through JavaScript window handles, we suggest a stricter policy based on pop-up blockers to prevent Flow Stealing attacks. © 2011 Springer-Verlag.