Digital security researchers from the Niederrhein University of Applied Sciences and the University of Bochum have discovered 14 new variants of so-called cross-site leak attacks, which are used to collect data and affect web browsers such as Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.
Cross-site leak attacks, known as XS-leaks, abuse existing mechanisms in browsers and websites that allow one address to interact with another, such as reading cookies. In this way, malicious pages can get around the same-origin policy, which most browsers use to prevent data leakage.
These attacks can result, for example, in messages leaking from an email account that is open in another tab of the browser in which the website affected by the threat is open.
In total, the research identified 34 XS-leaks, 14 of which were previously unpublished. The threats were identified by evaluating how they communicated with and collected data from other websites open in the same browser in which they were running.
The researchers provided a list of the flaws and the browsers they affect, which can be seen below:
Preventing the flaw
In addition to testing different browser combinations, the researchers also created a publicly available web application called XSinator, which lets users assess the level of risk they run if they come across a site affected by XS-leaks. It has three components:
- A testing site that acts like the threat, using new and old vulnerabilities;
- A vulnerable website that simulates government resource pages;
- A database of all previous XSinator test results.
As for full protection against XS-leaks, the researchers say the flaws should be fixed by browser developers. For users, prevention is possible by using browsers that allow third-party cookies to be disabled, such as Google Chrome.
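
Why disabling third-party cookies helps can be shown with a small model. This is an added example, not code from the researchers or from XSinator. The site names, session data, response sizes and the two coarse signals (redirect or not, response length) are all constructed assumptions.

```javascript
// Constructed model, not a real browser or site: all names and values are illustrative.
const SESSIONS = new Map([["sid-alice", { user: "alice", unread: 3 }]]); // constructed data

// Hypothetical mail endpoint: its response depends on whether a valid session cookie arrived.
function mailServer(request) {
  const session = SESSIONS.get(request.cookies.sid);
  if (!session) return { status: 302, location: "/login", bodyLength: 0 };
  return { status: 200, location: null, bodyLength: 120 + 40 * session.unread };
}

// Simplified browser: decides which cookies accompany a request.
function browserRequest(jar, { targetSite, initiatorSite, blockThirdPartyCookies }) {
  const crossSite = targetSite !== initiatorSite;
  const attach = !(crossSite && blockThirdPartyCookies);
  return { site: targetSite, cookies: attach ? { ...(jar[targetSite] || {}) } : {} };
}

// Another site never sees the response body, only coarse properties of it (assumed here).
function sideChannelView(response) {
  return JSON.stringify({ redirected: response.status === 302, length: response.bodyLength });
}

// True when a cross-site page could tell a logged-in visitor from a logged-out one.
function stateIsDistinguishable(blockThirdPartyCookies) {
  const loggedIn = { "mail.example": { sid: "sid-alice" } };
  const loggedOut = {};
  const opts = { targetSite: "mail.example", initiatorSite: "other.example", blockThirdPartyCookies };
  const a = sideChannelView(mailServer(browserRequest(loggedIn, opts)));
  const b = sideChannelView(mailServer(browserRequest(loggedOut, opts)));
  return a !== b;
}

// The user's own visit to the mail site keeps working with third-party cookies blocked.
function firstPartyStillLoggedIn() {
  const jar = { "mail.example": { sid: "sid-alice" } };
  const opts = { targetSite: "mail.example", initiatorSite: "mail.example", blockThirdPartyCookies: true };
  return mailServer(browserRequest(jar, opts)).status === 200;
}

console.log("cookies sent cross-site, state distinguishable:", stateIsDistinguishable(false));
console.log("third-party cookies blocked, state distinguishable:", stateIsDistinguishable(true));
```

With the cookie withheld on cross-site requests, the server answers a logged-in and a logged-out visitor identically, so there is no user-specific difference left for another site to observe.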