Researchers found that it is possible to monitor browser users even with JavaScript disabled

A group of scientists from Ben-Gurion University (Israel), the University of Adelaide (Australia) and the University of Michigan (USA) have found that it is possible to monitor browser users even if JavaScript is disabled.

Scientists presented a research paper named “Prime + Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses” on side-channel attacks with the use of browsers.

Let me remind you that we also wrote that Mozilla researchers say browser history is enough to identify a user.

In their report, the researchers demonstrate that side-channel attacks on browsers are still possible, despite the best efforts of manufacturers and all measures to eliminate them. Worse, these attacks even work on secure privacy-focused browsers that have been specifically protected against Specter attacks, including the Tor browser, Chrome with the Chrome Zero extension, and Firefox with the DeterFox extension.

“Even with JavaScript completely disabled, a side-channel attack based solely on HTML and CSS can also leak enough data from the browser. Such a leak (even without JS) is enough to identify and track users with slightly less accuracy, determining, for example, which sites a person has visited”, – experts write.

At the same time, the report emphasizes that the attacks were tested not only against browsers running on systems with Intel processors (which in the past were most often vulnerable to side-channel attacks), but also against browsers running on systems with Samsung Exynos, AMD processors, Ryzen and even Apple’s new M1 chip.

As a result, this study was the first time, when a side-channel attack worked against an Apple M1.

Experts say they have notified engineers at Intel, AMD, Apple, Chrome and Mozilla of their findings prior to the publication of the research paper, but it is not said what responses they received from the manufacturers.

It’s worth noting that Google Chrome recently admitted that even with the new Site Isolation feature, side-channel attacks in modern browsers cannot be completely blocked.

Also, Google engineers said that side-channel attacks will soon no longer need JavaScript and will only be carried out using CSS. To guard against such problems, they urged developers to rethink their approach to building sites and handling data.

We also talked about that Israeli researchers presented a new way to steal data from physically isolated systems.