CybersecurityNew techniques expose your browsing history to attackers

Security researchers at UC San Diego and Stanford have discovered four new ways to expose Internet users’ browsing histories. These techniques could be used by hackers to learn which websites users have visited as they surf the web.

The techniques fall into the category of “history sniffing” attacks, a concept dating back to the early 2000s. But the attacks demonstrated by the researchers at the 2018 USENIX Workshop on Offensive Technologies (WOOT) in Baltimore can profile or ‘fingerprint’ a user’s online activity in a matter of seconds, and work across recent versions of major web browsers.

UCSD notes that all of the attacks the researchers developed in their WOOT 2018 paper worked on Google Chrome. Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well various security-focused research browsers. The only browser which proved immune to all of the attacks is the Tor Browser, which doesn’t keep a record of browsing history in the first place.

“My hope is that the severity of some of our published attacks will push browser vendors to revisit how they handle history data, and I’m happy to see folks from Mozilla, Google, and the broader World Wide Web Consortium (W3C) community already engage in this,” said Deian Stefan, an assistant professor in computer science at the Jacobs School of Engineering at UC San Diego and the paper’s senior author.

“History sniffing”: smelling out your trail across the web
Most Internet users are by now familiar with “phishing;” cyber-criminals build fake websites which mimic, say, banks, to trick them into entering their login details. The more the phisher can learn about their potential victim, the more likely the con is to succeed. For example, a Chase customer is much more likely to be fooled when presented with a fake Chase login page than if the phisher pretends to be Bank of America.