Cache probing attack exposes sensitive information

XS-Leak vulnerability exploited in key Google services

Google has implemented new security measures across several key services after it was revealed that user information could be leaked through browser side-channel attacks.

Security researcher @terjanq recently disclosed that personal data across multiple products owned by the Mountain View tech giant were susceptible to cache probing attacks – a way of exploiting a cross-site leak (XS-Leak) vulnerability.

At-risk information included a user’s search history, private emails, tokens and credit card numbers, contacts, books read, and generally most data that’s fed into Google-owned websites.

Services affected included Gmail, Google Search, Google Search, Google Bookmarks, My Activity, and YouTube, among others.

“A regular user of Google Products can have their sensitive information exposed when visiting a malicious website,” @terjanq explained in a report to Google sent in February.

XS-Leak: Circumventing same-origin policy

An XS-Leak takes advantage of a browser side-channel in order to exploit websites that are normally protected from cross-site scripting (XSS). The result, in some situations, can have the same impact as an XSS vulnerability.

The area has spawned various techniques for circumventing the same-origin policy, including measuring the time it takes for a website to respond to HTTP requests – an attack within the XS-Leak family called cross-site search (XS-Search).

Another technique, explored by @terjanq on Google endpoints, relies on removing a specific resource from a browser’s cache through a malicious website.

Sending a POST request to the resource or an overlong HTTP referrer are two ways an attacker can remove the item from the cache.

“The malicious website forces the user to search in the background for a controlled by the attacker phrases, which for example can be done by using manipulation of window.opener,” said @terjanq in a blog post published on Tuesday (November 12).

“The checks if the resource has been loaded by probing if the resource was loaded from the browser cache.”

Google implemented several protections following the disclosure of these vulnerabilities and others within the XS-Leak family, @terjanq said.

This has included measures aimed at having minimal impact on web functionality such as Fetch Metadata Request Headers, Cross-Origin-Opener-Policy, Chrome XSS Auditor removal, and partitioning the HTTP cache.

RELATED New XS-Leak techniques reveal fresh ways to expose user information