Latest addition to family of side-channel attacks offers a new way of detecting redirects cross-domain

New XS-Leak exploit abuses browser redirect limitations to break user privacy

A new way to perform an XS-Leak side-channel attack has been disclosed.

According to Luan Herrera, a researcher and bug bounty hunter with a particular interest in client-side, browser, and extension vulnerabilities, redirect hops can be abused to trigger cross-site leaks.

Published on January 29, the researcher’s slides, available in Google Docs and named ‘XS-Leaks in redirect flows’, relate to a talk Herrera gave at the XS-Leaks Summit earlier this year.

The research focuses on the XS-Leak family of browser side-channel attacks that can be used to glean important information from a system, bypassing existing security measures to leak sensitive user data.

XS-Leak methods rely on measuring the network timing of responses to gather data about website visitors by abusing the communication channels which allow websites and services to communicate with each other in order to piece together a profile of a user or system.

Playing fetch

Herrera told The Daily Swig that while “slightly” redacted in the slides, the “novel” technique “demonstrates how it is possible to abuse a limitation in the Fetch specification”.

The Fetch specification is a way for websites to call resources. A limit is set at 20 redirect hops before a network error is displayed.

Due to this limit, attackers could count how many redirect hops happen in a cross-origin redirect by triggering redirects before reaching a victim endpoint, measuring network responses and potentially exposing URL list sizes.

Browser defenses

There are a number of ways to detect and defend against cross-origin redirects that can be used to trigger side-channel attacks, including using SameSite cookies, COOP, and framing protections.

Vendors are also tackling the issue. Google, for example, is working on Site Isolation in Chrome to reduce the amount of information potentially exposed in a side-channel attack.

Herrera said that “prevention of this attack happens in the same way of other common XS-Leaks mitigations ¬– [such as] through the use of SameSite cookies in Lax or Strict mode, [or] Fetch Metadata”.

A discussion is currently underway on GitHub concerning whether or not to change the Fetch specification and limit values to mitigate this attack vector.


Read more of the latest browser security news


In related news, back in September Herrera described the results of a challenge to trigger an XSS-based attack with limited influence from JavaScript code.

Google information security engineer ‘terjanq’ has also performed interesting research into the XS-Leak family.

In November 2019, the researcher described how a cache probing attack could be launched against a select group of Google products, leading to the leak of information including email addresses, tokens, and credit card numbers.


RELATED Browser security briefing: Google and Mozilla lay the groundwork for a ‘post-XSS world’