Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

The Internet is already a difficult place to maintain privacy, and now two security researchers have revealed new ways to spy on Web users via the browser. At a presentation at DEFCON 17, a hacking conference held in Las Vegas last week, the researchers showed a variety of ways to snoop on people online, despite the privacy tools employed by most browsers.

Robert Hansen, CEO and founder of the Internet security company SecTheory, and Joshua Abraham, a security consultant for the security company Rapid7, demonstrated how to do everything from obtain details of the software running on a user’s system to gain complete control of a computer. If the attacker can convince the user to visit a website he controls, perhaps through a link in an e-mail, a number of attacks on the user’s browser become possible.

The attacks worked with minimal participation from the user and, in one case, none at all.

“Your privacy is up to whichever site you’re visiting and what browser you’re using,” says Hansen, who emphasizes that users cannot trust the privacy controls built into a browser to keep them safe. “[Browser] privacy buttons are just a basic protection,” he says. In many cases, they’re mainly designed for benign situations, such as protecting a user’s privacy from other members of a household. To a determined attacker, however, Hansen says these privacy protections aren’t enough.

Hansen and Abraham showed how an attacker could build up detailed information about a user and her system with a variety of simple tricks. For example, by persuading a user to cut and paste a particular URL into a browser bar, an attacker can discover the person’s username and the name assigned to her computer, and can gain access to files on that system. Similar attacks can detect what plug-ins the user has installed in her browser.

This sort of information can be used to build a targeted attack against a particular user, Abraham says. Knowing which plug-ins a user has installed, for example, makes it easier to break into a system using a software flaw.

Hansen and Abraham raised privacy concerns about Google Safe Browsing, a commonly used extension for the Firefox Web browser that is designed to warn users about malicious websites. The researchers say that the tool performs that function well, but it also regularly issues a cookie that could be used to track all of the websites that a user visits. This information could be revealed if, for example, a government chose to subpoena the data.

0 comments about this story. Start the discussion »

Credit: Technology Review

Tagged: Web, security, privacy, browsers, DEFCON

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me