Watch Out! 2 New Browser Security Holes Causing Deanonymization of Users
Among the most important human needs is security. According to Maslow’s hierarchy of needs, safety needs are second only to food and shelter, and nowadays, they include secure internet surfing, too. That’s why our news may unsettle you, but we can’t keep it under our hat.
On August 16-18, 2017, the 26th USENIX Security Symposium was held in Vancouver, BC, Canada. A group of speakers from the University of Deusto presented an important topic, "Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies". The main idea is that there are 2 security holes in popular modern browsers, both of which have to do with web extensions. Unfortunately, these holes affect VPN users as well.
How does it work?
Time flies, and cyber criminals have moved to the next level. Currently, they can figure out which extensions you have in your browsers. Wonder how they do that? By comparing different IPs (with and without a VPN), finding similarities in their browser extensions, and, as a result, deanonymizing you. That’s how they can determine your identity. Now let’s puzzle out what these breaches are.
Hole №1. API WebExtensions bug
First, in case you are unfamiliar with the subject, WebExtensions is a cross-browser system for developing extensions. It is used in browsers like Google Chrome, Opera, Comodo Dragon, Edge, Vivaldi, and Firefox. One of its files is manifest.json, which controls access to the web extensions that you have. The tricky point is that in a browser with the Chromium WebExtensions API, a request about an extension is answered faster when that extension is installed. For instance, if you have the extension, it will take about 1 second, and if you don’t, about 3 seconds. These requests look like the following:
This way, by comparing requests and time differences, hackers may learn which extensions your browser has. Even the old Firefox API, based on XML, has this hole. Moreover, Firefox assigned a special error code for such requests, which makes the task even easier for hackers.
Hole №2. Safari and random URI
Safari doesn’t use manifest.json; instead, Apple developers took the approach of generating a random URI for each new browser session. This doesn’t make the situation much better, because malefactors may simply guess the right combination of extensions. It happens when your extensions inject additional content and notification panels into a website. As a result, such generated content unintentionally exposes the random URI.
Unfortunately, this leakage may reveal all the extensions you have and can be used by third parties to identify you. The only thing cyber criminals have to do is retrieve the URI address from the code injected by the extension and generate a new random one. According to testing, it’s not that hard: even simple bruteforcing succeeds about 40.5% of the time.
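Extension developers can check their own injected content for the leak described above. The following is an added example, not code from this article or from the University of Deusto paper: it scans a saved copy of a page's markup for extension-scheme URLs left behind by injected content. The three scheme names are real; the snapshot, extension identifiers and paths are constructed sample values.

```javascript
// Added example: audit a saved DOM snapshot for extension-scheme URLs that
// injected content exposes to the page. Not code from the article or paper.
const EXT_URL =
  /\b(chrome-extension|moz-extension|safari-extension):\/\/([^\/\s"'<>)]+)(\/[^\s"'<>)]*)?/g;

function findExtensionUrlLeaks(html) {
  const byOrigin = new Map();
  for (const m of html.matchAll(EXT_URL)) {
    const [, scheme, host, path = "/"] = m;
    // Where does the URL sit? Directly as an attribute value, or inline in
    // text/CSS (for example inside url(...) in a style attribute).
    const before = html.slice(Math.max(0, m.index - 40), m.index);
    const attr = /([\w-]+)\s*=\s*["']?$/.exec(before);
    const context = attr ? `attribute:${attr[1].toLowerCase()}` : "inline";
    const origin = `${scheme}://${host}`;
    if (!byOrigin.has(origin)) byOrigin.set(origin, { origin, scheme, resources: [] });
    byOrigin.get(origin).resources.push({ path, context });
  }
  return [...byOrigin.values()];
}

// Constructed sample: markup as it might look after two hypothetical
// extensions injected a badge, a banner and a stylesheet. IDs are made up.
const SAMPLE_SNAPSHOT = `
<body>
  <p>Article text</p>
  <img class="ext-badge" src="safari-extension://com.example.notes-ABCDE12345/3f9a1c2e/icon.png">
  <div style="background:url(safari-extension://com.example.notes-ABCDE12345/3f9a1c2e/bar.png)"></div>
  <link rel="stylesheet" href="chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/panel.css">
</body>`;

for (const leak of findExtensionUrlLeaks(SAMPLE_SNAPSHOT)) {
  console.log(leak.origin, leak.resources);
}
```

Every origin the audit reports is readable by the page's own scripts too, so an empty result is the goal for content an extension injects.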
We care about our customers, and that’s why we are sure you should know about such a lion in the path. While developers of the mentioned browsers are trying to fix this issue in both current and future versions, stay tuned to the VPN Unlimited blog and we will keep you updated on this and similar topics.