Cross-origin pixel stealing: timing attacks using CSS filters

Abstract

Timing attacks rely on systems taking varying amounts of time to process different input values. This is usually the result of either conditional branching in code or differences in input size. Using CSS default filters, we have discovered a variety of timing attacks that work in multiple browsers and devices. The first attack exploits differences in time taken to render various DOM trees. This knowledge can be used to determine boolean values such as whether or not a user has an account with a particular website. Second, we introduce pixel stealing. Pixel stealing attacks can be used to sniff user history and read text tokens.

DOI: 10.1145/2508859.2516712

Citation Velocity: 9

Averaging 9 citations per year over the last 3 years.

Cite this paper

@inproceedings{Kotcher2013CrossoriginPS,
  title={Cross-origin pixel stealing: timing attacks using CSS filters},
  author={Robert Kotcher and Yutong Pei and Pranjal Jumde and Collin Jackson},
  booktitle={ACM Conference on Computer and Communications Security},
  year={2013}
}