A proof of concept for an interesting new intelligence gathering technique has surfaced recently. Researcher Yan Zhu presented the procedure (some language may offend), known as Sniffly*, at ToorCon 2015.
In theory, the Sniffly attack (for want of a better word) could allow the owner of a website to gain some insight into other sites that the browser has visited.
The Sniffly Attack
A user browses to a Sniffly website, which, for the purposes of this explanation, we assume is a malicious website using the Sniffly technique. We have no reason to believe that the proof of concept website is in any way malicious, but any decision to track down and visit it is your own.
The malicious Sniffly website includes images from third-party sites that the attacker is interested in, loaded via HTTP. For the technique to work, these third-party websites need to be enforcing HSTS (HTTP Strict Transport Security), meaning they only allow connections via HTTPS; any incoming HTTP connection is redirected to HTTPS.
The Sniffly website applies a Content Security Policy that only allows images to load via HTTP.
The initial requests for the images via HTTP fail because of the third-party websites’ HSTS policy, which redirects the requests to load via HTTPS. However, these subsequent HTTPS requests for the images are blocked by the Sniffly site’s CSP.
Here’s where the clever bit happens. When the CSP blocks the image, the page’s “onerror” handler fires, and the timing of that event reveals how long the HTTP-to-HTTPS redirection took. If the process happened quickly (around one millisecond), it’s possible to surmise that the HSTS information had been cached by the browser, and so the site had been visited before. If the redirection takes longer, around 100 milliseconds, the browser probably attempted a network request, meaning it may not have been used to visit the website previously (at least not recently).
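From the defender’s side, the two ingredients described above (a CSP that restricts images to plain http: and a page that loads http:// images from many third-party hosts) are a recognisable pattern. The following Python heuristic is an added example, not code from the original post or from the Sniffly proof of concept; the hostnames and the sample HTML are constructed placeholders.

```python
"""Heuristic check for Sniffly-style pages: a CSP limiting images to plain http:
plus many cross-origin http:// image loads. Added example, not the post's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    """Gather <img src> URLs and any CSP delivered via <meta http-equiv>."""
    def __init__(self):
        super().__init__()
        self.img_srcs, self.meta_csp = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.meta_csp = a.get("content") or ""

def csp_img_sources(csp):
    """Source list for img-src (falling back to default-src), lowercased."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives.get("img-src", directives.get("default-src", []))

def sniffly_indicators(page_url, html, header_csp=None, min_hosts=3):
    """Suspicious when every CSP image source is http: (or an http:// host) and the
    page loads http:// images from >= min_hosts third-party hosts."""
    c = _Collector()
    c.feed(html)
    csp = header_csp if header_csp is not None else (c.meta_csp or "")  # header wins
    sources = csp_img_sources(csp)
    http_only = bool(sources) and all(s == "http:" or s.startswith("http://") for s in sources)
    own_host = urlparse(page_url).hostname
    hosts = {urlparse(s).hostname for s in c.img_srcs
             if s.lower().startswith("http://") and urlparse(s).hostname != own_host}
    return {"csp_img_http_only": http_only, "third_party_http_hosts": sorted(hosts),
            "suspicious": http_only and len(hosts) >= min_hosts}

# Constructed sample page with placeholder hostnames (.test), not a real site.
SAMPLE_HTML = """
<meta http-equiv="Content-Security-Policy" content="img-src http:">
<img src="http://bank-one.test/logo.png">
<img src="http://social-two.test/favicon.ico">
<img src="http://news-three.test/pixel.gif">
<img src="/own-image.png">
"""
```

The check is a heuristic only: a legitimate site can restrict images to http: for its own reasons, so a hit is a prompt for manual review rather than a verdict.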
But is it Practical?
It appears that the process can currently be tripped up by HTTPS Everywhere or by ad-blocking browser extensions. Additionally, in many situations there may be easier ways for an attacker to collect such data. Even so, it’s interesting to consider novel tracking techniques and the ways in which they could be (ab)used.
One could imagine, for example, a phishing page in the form of a popular social media website. That phishing website could be used to steal user credentials (most likely including an email address) and to collect a list of other sites that the browser has visited. Assuming that one or more of those sites is potentially embarrassing, the attacker could then issue a ransom demand to the victim, threatening to post the list to the social media account that they have now taken control of. The user panics, because at least some of the information is true, and pays up.
Granted, this example is slightly convoluted; we’ll just have to wait and see if, and how, Sniffly crops up in the wild.
* Sniffly – so named because it ‘sniffs’ data, and she was coming down with a cold at the time. Hey, we’ve heard worse.