timing_attacks

HTML 5 and related technologies bring a whole slew of new features to web browsers, some of which can be a threat to security and privacy. This paper describes a number of new timing attack techniques that can be used by a malicious web page to steal sensitive data from modern web browsers, breaking cross-origin restrictions.

The new HTML5 request AnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data. Two techniques are demonstrated which use this API to exploit timing attacks against Chrome, Internet Explorer and Firefox in order to infer browsing history and read cross-origin data from other websites. The first technique allows the browser history to be sniffed by detecting redraw events. The second shows how SVG filters can be used to read pixel values from a web page. This allows pixels from cross-origin iframes to be read using an OCR-style technique to obtain sensitive data from websites.

Read the white paper

Explore More

Critical XSS Vulnerability in The New Era Journal http://www.khitpyaing.org

PlanetCreator.Net’s Security Team Member has reported another critical XSS vulnerability on http://www.khitpyaing.org These are some information from Vulneral Site http://www.khitpyaing.org: This vulnerability has been alerted to webmaster: [email protected] Vulnerability Link

Read More

Malaysia Government DBKL Web Vulnerability (2nd)

PlanetCreator has reported Critical XSS vulnerability on Official Portal of Kuala Lumpur, Malaysia Web Site, http://www.planetcreator.net/2009/09/criti…aysia-web-site/ and http://www.xssed.com/mirror/64058/ but nobody takes action ~~~ How come? Hello, DBKL’s Staffs! Are you

Read More

What Damage Can Hackers Do?

Hackers like to subvert computer security without permission. They are cyber criminals. This can mean gaining access to a computer across the Internet for illicit purposes. They might engage in

Read More