The Internet is already a difficult place to maintain privacy, and now two security researchers have revealed new ways to spy on Web users via the browser. At a presentation at DEFCON 17, a hacking conference held in Las Vegas last week, the researchers showed a variety of ways to snoop on people online, despite the privacy tools employed by most browsers.
Robert Hansen, CEO and founder of the Internet security company SecTheory, and Joshua Abraham, a security consultant for the security company Rapid7, demonstrated how to do everything from obtain details of the software running on a user’s system to gain complete control of a computer. If the attacker can convince the user to visit a website he controls, perhaps through a link in an e-mail, a number of attacks on the user’s browser become possible.
The attacks worked with minimal participation from the user and, in one case, none at all.
“Your privacy is up to whichever site you’re visiting and what browser you’re using,” says Hansen, who emphasizes that users cannot trust the privacy controls built into a browser to keep them safe. “[Browser] privacy buttons are just a basic protection,” he says. In many cases, they’re mainly designed for benign situations, such as protecting a user’s privacy from other members of a household. To a determined attacker, however, Hansen says these privacy protections aren’t enough.
Hansen and Abraham showed how an attacker could build up detailed information about a user and her system with a variety of simple tricks. For example, by persuading a user to cut and paste a particular URL into a browser bar, an attacker can discover the person’s username and the name assigned to her computer, and can gain access to files on that system. Similar attacks can detect what plug-ins the user has installed in her browser.
This sort of information can be used to build a targeted attack against a particular user, Abraham says. Knowing which plug-ins a user has installed, for example, makes it easier to break into a system using a software flaw.
Hansen and Abraham raised privacy concerns about Google Safe Browsing, a commonly used extension for the Firefox Web browser that is designed to warn users about malicious websites. The researchers say that the tool performs that function well, but it also regularly issues a cookie that could be used to track all of the websites that a user visits. This information could be revealed if, for example, a government chose to subpoena the data.
Abraham went on to demonstrate a Java applet–code that runs inside the browser–that could grant an attacker access to a user’s machine, including encrypted files, and to the machine’s microphone. To pull this off, the attacker has to get the user to click twice–once to visit a page the attacker control, and once to click through a browser warning. However, Abraham says that an attacker could disguise the applet as legitimate software related to programs the user has already installed.
While many of the attacks revealed by the pair need to be customized to a particular person, Abraham says it might be worth the effort if, for example, an attacker is trying to gain access to a particular company network.
Hansen adds that the attacks don’t call for much technical skill. “Most of the hard work has already been done for you,” he says, since many of the tools needed to pull off the attacks are freely available online.
Kate McKinley, a security researcher with San Francisco-based iSec Partners who studies browser privacy, agrees that plug-ins such as Flash can open up privacy holes. She notes that most browsers offer a feature that clears private data, but says this often doesn’t cover what is stored in plug-ins or certain newer browser features. Cookies stored in Flash, for example, can persist even when a user switches browsers, since they store data in a different dedicated location.
Users can protect themselves, Hansen says, but this means changing their online habits. For example, users need to get into the habit of questioning any dialogue boxes that are thrown up by the browser. “Are you willing to trade off usability for your security and privacy?” he asks. “There’s no easy answer, but we need to raise awareness of these issues.”