Pixel-Perfect Timing Attacks with HTML5

Presented at Black Hat USA 2013, July 31, 2013, 5 p.m. (30 minutes).

Maybe you've heard it before - HTML 5 and related technologies bring a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and dangerous side effects.

In this presentation, I'll introduce a number of new techniques that use JavaScript-based timing attacks to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you're logged into. I'll also take a look at the difficulties involved in fixing these types of vulnerabilities.


Presenters:

  • Paul Stone - Context Information Security
    Paul is a senior consultant for Context Information Security in the UK where he performs security research, penetration testing and tool development. He has a focus on web application and browser security and has reported a number of vulnerabilities in the major web browsers including Chrome, Internet Explorer, Firefox and Safari. He has previously spoken at Blackhat Europe, presenting the well-received 'Next Generation Clickjacking' talk. Last year, Paul published research on his cross-browser Framesniffing technique.

Links:

Similar Presentations: