
Researchers have discovered 14 new types of cross-site data leakage attacks against a number of modern web browsers, including Tor Browser, Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari, and Opera. Known as “XS-Leaks,” the browser bugs enable a malicious website to harvest personal data from its visitors as they interact with other websites in the background without the targets’ knowledge.
XS-Leaks bypass the so-called same-origin policy, one of a browser’s main defences against various types of attacks. The purpose of the same-origin policy is to prevent information from being stolen from a trusted website. Attackers can nevertheless recognize individual, small details of a website. If these details are tied to personal data, those data can be leaked.
Stemming from side-channels built into the web platform that permit an attacker to gather this data from a cross-origin HTTP resource, the cross-site bugs impact an array of popular browsers such as Tor, Chrome, Edge, Opera, Safari, Firefox, and Samsung Internet, spanning different operating systems: Windows, macOS, Android, and iOS.
The new class of vulnerabilities also differs from a cross-site request forgery (CSRF) attack. Whereas CSRF exploits a web application’s trust in a browser client to execute unintended actions on behalf of the user, XS-Leaks can be weaponized to infer information about a user.
XS-Leaks take advantage of small pieces of information that are exposed during interactions between websites to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or the internal networks they are connected to.
The core idea is that while websites are not allowed to directly access data on other websites because of same origin constraints, a rogue online portal can attempt to load a specific resource or an API endpoint from a website, say, an online banking website, on the user’s browser and draw inferences about the victim’s transaction history.
Mitigations include denying all event handler messages, minimizing error message occurrences, applying global limit restrictions, and creating a new history property when redirection occurs. On the end-user side, turning on first-party isolation as well as Enhanced Tracking Prevention in Firefox has been found to decrease the applicability of XS-Leaks. Intelligent Tracking Prevention in Safari, which blocks third-party cookies by default, also prevents all leaks that are not based on a pop-up.
Oftentimes applications are vulnerable to some cross-site information leaks without having done anything wrong. It is challenging to fix the root cause of XS-Leaks at the browser level because in many cases doing so would break existing websites.
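
A server-side complement to the browser and end-user mitigations above, given as an added example that is not from the research or the original article: a check on the browser's Fetch Metadata request headers that refuses cross-site subresource requests before the application can produce a state-dependent response. The function names, the handler and the sample requests are constructed for illustration.

```javascript
// Added example. Sec-Fetch-* are real browser request headers; the function
// names, the handler and the sample requests below are constructed.
const EMBED_DESTS = new Set(["object", "embed"]);

// Decide whether a request may reach state-dependent application code.
// `headers` uses lower-case names, as Node's http module delivers them.
function allowRequest(method, headers) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // No Fetch Metadata (older browser, non-browser client): fail open and
  // leave those clients to the site's other defences.
  if (site === undefined) return true;
  // Same-origin, same-site, or typed/bookmarked by the user.
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  // Cross-site top-level GET navigation (a followed link) is still allowed,
  // unless the "navigation" is really an <object>/<embed> load.
  if (mode === "navigate" && method === "GET" && !EMBED_DESTS.has(dest)) return true;
  // Remaining case: cross-site subresource load, fetch or form POST.
  return false;
}

// Wrap a handler so a refused request gets the same empty 403 whatever the
// user's state is; the handler (and its side channel) never runs.
function guard(handler) {
  return (method, headers, userState) =>
    allowRequest(method, headers)
      ? handler(userState)
      : { status: 403, body: "" };
}

// Constructed handler whose status code depends on private user state.
const transactions = guard((user) =>
  user.hasHistory ? { status: 200, body: "[...]" } : { status: 404, body: "" });

// Constructed requests: a cross-site <img>/<script>-style probe and the
// site's own same-origin fetch.
const crossSiteProbe = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" };
const ownFetch = { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" };

for (const hasHistory of [true, false]) {
  console.log(hasHistory,
    transactions("GET", crossSiteProbe, { hasHistory }).status, // 403 both times
    transactions("GET", ownFetch, { hasHistory }).status);      // 200, then 404
}
```

Cross-site top-level navigations still pass this check, so leaks that rely on a pop-up or another navigation are outside what it covers.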