Starred by 6 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2011
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security


Issue 74987: Time-base attack. Cross-domain cache track.

Reported by d0z...@gmail.com, Mar 4 2011

Issue description

VULNERABILITY DETAILS
Not checking the domain from which to download the file to match the same domain from which the file was obtained earlier in the cache

VERSION
Chrome Version: [9.0.597.107] + [stable]
Operating System: All

REPRODUCTION CASE
1. Replace the i.src property in the attached HTML with the page whose presence in the cache you want to check.
2. Clear cache.
3. Visit the page whose presence in the cache you want to check.
4. Run attached HTML from anywhere. Track the time.
5. Clear cache.
6. Run attached HTML from anywhere. Compare the times. 

The difference is especially noticeable for large pages.

Thus, a remote attacker can check the cache files.
 
Attachment: cache-check.html (504 bytes)

Comment 1 by scarybea...@gmail.com, Mar 4 2011

Michal, isn't this one of the general cross-browser unsolved info leaks, documented in the Browser Security Handbook?

Comment 2 by lcam...@gmail.com, Mar 5 2011

Yes, "cache timing" and "general resource timing" in:

http://code.google.com/p/browsersec/wiki/Part2#Privacy-related_side_channels

I would be surprised if we want to fix it, especially given:

http://test.w3.org/webperf/specs/NavigationTiming/

Comment 3 by scarybea...@gmail.com, Mar 5 2011

Status: WontFix
Thanks, Michal.

Another reference, for the worst I've personally found with browser timing attacks, is:
http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html

Careful use of incognito mode should help with both.

Comment 4 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security

Comment 5 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 6 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security Type-Bug-Security

Comment 7 by bugdroid1@chromium.org, Mar 11 2013

Project Member
Labels: -Area-Undefined

Comment 8 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 9 by jsc...@chromium.org, Nov 18 2013

Labels: -Restrict-View-SecurityTeam
Bulk release of old security bug reports.

Comment 10 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-EditIssue
Bulk update: removing view restriction from closed bugs.

Comment 11 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 12 by elawrence@chromium.org, Aug 8 2017

Issue 750998 has been merged into this issue.

Comment 13 by elawrence@chromium.org, Feb 27 2018

Issue 817028 has been merged into this issue.

Comment 14 by msramek@chromium.org, Sep 28

Issue 889598 has been merged into this issue.

Comment 15 by horo@chromium.org, Dec 7

Issue 911307 has been merged into this issue.
