The Internet is already a difficult place to maintain privacy, and now two security researchers have revealed new ways to spy on Web users via the browser. At a presentation at DEFCON 17, a hacking conference held in Las Vegas last week, the researchers showed a variety of ways to snoop on people online, despite the privacy tools employed by most browsers.
Robert Hansen, CEO and founder of the Internet security company SecTheory, and Joshua Abraham, a security consultant for the security company Rapid7, demonstrated how to do everything from obtain details of the software running on a user’s system to gain complete control of a computer. If the attacker can convince the user to visit a website he controls, perhaps through a link in an e-mail, a number of attacks on the user’s browser become possible.
The attacks worked with minimal participation from the user and, in one case, none at all.
“Your privacy is up to whichever site you’re visiting and what browser you’re using,” says Hansen, who emphasizes that users cannot trust the privacy controls built into a browser to keep them safe. “[Browser] privacy buttons are just a basic protection,” he says. In many cases, they’re mainly designed for benign situations, such as protecting a user’s privacy from other members of a household. To a determined attacker, however, Hansen says these privacy protections aren’t enough.
Hansen and Abraham showed how an attacker could build up detailed information about a user and her system with a variety of simple tricks. For example, by persuading a user to cut and paste a particular URL into a browser bar, an attacker can discover the person’s username and the name assigned to her computer, and can gain access to files on that system. Similar attacks can detect what plug-ins the user has installed in her browser.
This sort of information can be used to build a targeted attack against a particular user, Abraham says. Knowing which plug-ins a user has installed, for example, makes it easier to break into a system using a software flaw.
Hansen and Abraham raised privacy concerns about Google Safe Browsing, a commonly used extension for the Firefox Web browser that is designed to warn users about malicious websites. The researchers say that the tool performs that function well, but it also regularly issues a cookie that could be used to track all of the websites that a user visits. This information could be revealed if, for example, a government chose to subpoena the data.