JavaScript apps disclose ‘more information than they disguise’

An automated fingerprinting tool can exploit two new side-channel attacks to leak browser information through JavaScript, researchers have revealed.

A team from Austria’s Graz University of Technology have uncovered a way of gathering large amounts of information about a target browser via JavaScript.

The technique involves collecting all data available to the JavaScript engine and using it to create a fingerprint that can be used to uniquely identify a browser, and therefore a user.

Exposed information includes the underlying operating system, CPU architecture, information about privacy-enhancing plugins, and the exact browser version being used.

Used in conjunction with two new side-channel exploits, an attacker to gain even more information.

The tool reveals information sets similar to those exposed by the Electronic Frontier Foundation’s Panopticlick tool, Michael Schwarz tells The Daily Swig, but with some additions – certain privacy extensions, for example, can be found automatically rather than manually.

In their paper titled JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits (PDF), Schwarz, Florian Lackner, and Daniel Gruss say their discovery shows that browser privacy extensions – largely built using JavaScript – ‘can leak more information than they disguise and can even be semi-automatically circumvented’.

The two new side-channel attacks detect the instruction-set architecture and the memory allocator being used. These differences can then be used to deduce further information about the system, software, and hardware.

“As a result, we cannot only ease the creation of fingerprints, but we gain the advantage of having a more precise picture for targeted exploitation,” the researchers write.

The approach effectively automates the search for differences by using all the data available to the JavaScript engine and building templates from these properties.

“If a property of such a template stays the same on one system but differs on a different system, we found an environment-dependent property,” they explain.

The exploit was effective with Firefox, Chrome, Edge, and Tor for mobile.

“For major browsers, it is often more important to provide functionality and convenience rather than privacy,” says Schwarz, who is calling on browser makers to take the findings into account.

As the authors point out, their findings have implications not only for criminals but also for whistleblowers and activists who may have less protection than they believe.

“Luckily, there are extensions for privacy-concerned users which can help prevent fingerprinting to a certain degree,” says Schwarz.

“As most fingerprinting techniques rely on JavaScript, disabling or blocking JavaScript reduces the amount of information the browser provides significantly.”

Tor, he points out, blocks JavaScript by default, along with other anti-fingerprinting techniques. “The Tor browser tries to actively prevent fingerprinting and does a really good job,” he suggests.

The open source tool can be found on GitHub.