Attackers are able to extract access tokens and other data in seconds

Certain jQuery code used by many websites could allow an attacker to steal information through a cross-domain side-channel attack, a security researcher has warned.

The timing attack, which utilizes a common jQuery CSS selector, would mean an attacker could extract access tokens, usernames, or passwords by exploiting the time it takes to execute a certain operation such as the :has() selector in jQuery.

The :has() jQuery CSS selector allows a website operator to find specific HTML elements within a webpage – but by using it, an operator can also cause a delay.

The browser evaluates the selector from right to left in order to determine if an element exists with the value tested.

This can lead to a noticeable delay when it does exist, but won't cause a delay if it doesn't.

An attacker is able to mirror this process and measure the performative difference in order to indirectly access information – a technique that is mostly used to compromise cryptography systems.

“The victim site and attacker site both run in the same thread, so a long-running JavaScript process on the victim site will block execution on the attacker site,” said Sigurd Kolltveit, the security researcher who outlined the exploit in a recent blog post, citing previous work on web-based timing attacks by Eduardo Vela.

“This gives us a way to detect when a selector is spending a long time executing.”

Kolltveit released a proof of concept of the exploit which saw an authenticity token extracted in just 16 seconds.

Websites should consider not using user input inside jQuery selectors or strictly filtering the input before passing it to the selector, Kolltveit said, adding that X-Frame Options would not amount to an appropriate defense.