News

Researchers found that it is possible to monitor browser users even with JavaScript disabled

A group of scientists from Ben-Gurion University (Israel), the University of Adelaide (Australia) and the University of Michigan (USA) have found that it is possible to monitor browser users even if JavaScript is disabled.

Scientists presented a research paper named “Prime + Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses” on side-channel attacks with the use of browsers.

Let me remind you that we also wrote that Mozilla researchers say browser history is enough to identify a user.

In their report, the researchers demonstrate that side-channel attacks on browsers are still possible, despite the best efforts of manufacturers and all measures to eliminate them. Worse, these attacks even work on secure privacy-focused browsers that have been specifically protected against Specter attacks, including the Tor browser, Chrome with the Chrome Zero extension, and Firefox with the DeterFox extension.

“Even with JavaScript completely disabled, a side-channel attack based solely on HTML and CSS can also leak enough data from the browser. Such a leak (even without JS) is enough to identify and track users with slightly less accuracy, determining, for example, which sites a person has visited”, – experts write.

At the same time, the report emphasizes that the attacks were tested not only against browsers running on systems with Intel processors (which in the past were most often vulnerable to side-channel attacks), but also against browsers running on systems with Samsung Exynos, AMD processors, Ryzen and even Apple’s new M1 chip.

As a result, this study was the first time, when a side-channel attack worked against an Apple M1.

Experts say they have notified engineers at Intel, AMD, Apple, Chrome and Mozilla of their findings prior to the publication of the research paper, but it is not said what responses they received from the manufacturers.

It’s worth noting that Google Chrome recently admitted that even with the new Site Isolation feature, side-channel attacks in modern browsers cannot be completely blocked.

Also, Google engineers said that side-channel attacks will soon no longer need JavaScript and will only be carried out using CSS. To guard against such problems, they urged developers to rethink their approach to building sites and handling data.

We also talked about that Israeli researchers presented a new way to steal data from physically isolated systems.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

2 days ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove Themoneyminutes pop-up ads (Virus Removal Guide)

Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove News-xcidizi pop-up ads (Virus Removal Guide)

News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Everytraffic-flow pop-up ads (Virus Removal Guide)

Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…

2 days ago