Extensions, add-ons and in-browser software designed to protect your security and privacy have holes which may allow threat actors and surveillance scripts to circumvent such barriers.
Academics from the Catholic University in Leuven, Belgium (KU Leuven) have uncovered ways to bypass the protections of these offerings which are designed to prevent third-parties from tracking your online activities.
Presented at the USENIX Security ’18 conference, the research, titled “Who left open the cookie jar?” reveals how features such as Tracking Protection in Firefox can be circumvented to snatch user cookies.
Cookies are automatically tagged onto HTTP requests and are used to track pages visited, purchases made and can also be used to login to website domains.
However, if obtained by threat actors they may be used in cross-site scripting (XSS) attacks to hijack accounts and steal sensitive data. Cookies may also be collected en masse by advertising agencies for the purpose of covert data mining.
In order to test the defensive capabilities of in-browser protections the group created a framework to verify whether or not cookie and request policies were compatible with maintaining user privacy or whether browser stipulations on tracking could be avoided.
Findings
The researchers found that: “Despite their significant merits, the way cookies are implemented in most modern browsers also introduces a variety of attacks and other unwanted behavior.”
“More precisely, because cookies are attached to every request, including third-party requests, it becomes more difficult for websites to validate the authenticity of a request.”
The researchers tested a total of 7 browsers and 46 browser extensions and found that “most mechanisms” could be circumvented.
In addition, all of the in-browser protections and all of the extensions could be bypassed by at least one technique.
In a paper documenting the test, KU Leuven said that the framework was used to investigate cookie responses and circumvention by way of HTML tags, response headers, redirects, JavaScript, PDF-based JavaScript, the AppCache API and the Service Worker API.
A variety of implementation, design and configuration flaws all allowed the in-browser and third-party protections to be circumvented in some way.
The researchers crawled the Alexa top 10,000 websites to see whether or not any of these discovered flaws were in use and found no evidence to suggest that the bypasses are being actively exploited in the wild.
The academics have revealed their findings to browser vendors and extension developers and are working with the companies in question to develop solutions to mitigate the risk of user compromise.
