Friday, December 03, 2021

X LEAKS: Beware

Researchers discover 14 new data-stealing web browser attacks

Bill Toulas

BleepingComputer

IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of 'XS-Leak' cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.

These types of side-channel attacks are called 'XS-Leaks,' and allow attacks to bypass the 'same-origin' policy in web browsers so that a malicious website can steal info in the background from a trusted website where the user enters information.

"The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to," explains the XS-Leaks wiki.

For example, an XS-Leak attack could help a background site siphon the email inbox contents from an active tab used for accessing webmail.

The process of an XS-LeakSource: XSinator

Cross-site leaks aren't new, but as the researchers point out, not all of them have been identified and classified as XS-Leaks, and their root cause remains unclear.

Their research aims to systematically search for new XS-Leaks, evaluate potential mitigations, and generally gain a better understanding of how they work.

Finding new XS-Leaks

The researchers first identified three characteristics of cross-site leaks and evaluated all inclusion methods and leak techniques for a large set of web browsers.

The three main ingredients of all XS-Leaks are inclusion methods, leak techniques, and detectable differences.

After creating a model based on the above, the researchers found 34 XS-Leaks, 14 of which were novel (marked with a plus sign below).

All of the XS-Leaks identified in the study.Source: XSinator

Next, they tested the 34 XS-Leaks against 56 combinations of browsers and operating systems to determine how vulnerable each of them was.

Then they built a web application named XSinator, consisting of three components:

A testing site that acts as the attacker page, implementing known and novel X-Leaks
A vulnerable web app that simulates the behavior of a state-dependent resource.
A database containing all previous test results.

You can visit the XSinator page yourself and run the test to see how well your web browser and OS fare against the 34 X-Leaks.

You can find a full list of XS-leaks that various browsers are vulnerable to below:

How to defend against X-Leaks

Mitigating or addressing the risks that arise from these side-channel attacks need to be resolved by browser developers.

Researchers suggest denying all event handler messages, minimizing error message occurrences, applying global limit restrictions, and creating a new history property when redirection occurs.

2021 National College Fed Challenge Winner presentation (Pace University)

The Snowflake Mystery

Russian Banker Complains To Putin: I Don't Have Smartphone And I'm On US...

VIOLENTLY MEDIOCRE IN BROADBAND: Report from Karl Bode (writing in TechDirt)

Here ya go - read it, all of it

Report: U.S. Has 9th Most Expensive Broadband On The Planet

Broadband

from the great-job-everybody dept

Thu, Dec 2nd 2021 5:33am — Karl Bode

We've long illustrated how U.S. broadband is dominated by regional monopolies, which, in turn, are often coddled by state and federal governments (aka corruption). That broken market (and regulatory capture) results in all manner of problems, from spotty coverage and slow speeds, to repeated privacy violations, net neutrality violations, and some of the worst customer service of any industry in America (no small feat if you think about it).

Of course, it also results in the U.S. having some of the most expensive broadband anywhere. A new report by CompareThe Market finds that U.S. broadband is the 9th most expensive country for broadband in the world, with people paying an average of $66.13 USD per month. That's in line with prices paid in such countries like Honduras and Guatemala:

>> Keep in mind most of these data analysis efforts don't include hidden fees, usage caps, and broadband overage surcharges, meaning the amount Americans actually pay is usually significantly higher than what's represented here.

Like so many reports, the data breakdown just dumps this information at the readers' feet without explaining why U.S. broadband consistently ranks among the worst broadband nations in the world (whether we're talking about speed, price, or availability). And while for years the industry (and those paid to apologize for regional monopolization) tried to argue that it was simply because the U.S. was so big or because U.S. ISPs are saddled with too much regulation, that's never been true. The U.S. broadband market isn't free. It's heavily monopolized and overseen by corrupt policymakers (regulatory capture).

In 2021 the issue is no longer geography, or even technology. It's the fact that we've let a handful of giant telecom and cable monopolies not only cordon off regional fiefdoms, but all but dictate both state and federal telecom policy the vast majority of the time (including literally writing state laws and local ordinances). Instead of tackling this problem head on, feckless U.S. policy makers (enabled by a lazy and timid press) generally mumble about the causation free "digital divide," then repeatedly just throw more money at the problem.

When that doesn't work, everybody just shrugs and repeats the process the next time data shows the U.S. continues to be violently mediocre in broadband. There's a vast coalition of well-funded organizations, individuals, think tanks, consultants, and companies tasked with ensuring this dynamic never actually changes.

As the data repeatedly attests, they've been winning that fight for the better part of a generation now."

Filed Under: broadband, competition, fcc, monopolies, us

MesaZona > Table of Contents : Here's The Menu. Enjoy