Scary stuff. It proves the point that there are infinitely more ways for code to have a vulnerability than can be secured - and a system is only as secure as the weakest link.
Rod

On Mon, 17 Jun 2019 at 12:28, Peter Reutemann <fracpete@waikato.ac.nz> wrote:
'Researchers from Austria's Graz University of Technology "have
devised an automated system for browser profiling using two new side
channel attacks that can help expose information about software and
hardware," reports The Register.

The researchers recently presented a paper titled "JavaScript Template
Attacks: Automatically Inferring Host Information for Targeted
Exploits," which The Register says "calls into question the
effectiveness of anonymized browsing and browser privacy extensions...
"

Long-time Slashdot reader Artem S. Tashkinov shared their report:

One of the side-channel attacks developed for JavaScript Template
Attacks involve measuring runtime differences between two code
snippets to infer the underlying instruction set architecture through
variations in JIT compiler behavior. The other involves measuring
timing differences in the memory allocator to infer the allocated size
of a memory region.

The boffins' exploration of the JavaScript environment reveals not
only the ability to fingerprint via browser version, installed privacy
extension, privacy mode, operating system, device microarchitecture,
and virtual machine, but also the properties of JavaScript objects.
And their research shows there are far more of these than are covered
in official documentation. This means browser fingerprints have the
potential to be far more detailed -- have more data points -- than
they are now.

The Mozilla Developer Network documentation for Firefox, for example,
covers 2,247 browser properties. The researchers were able to capture
15,709. Though not all of these are usable for fingerprinting and some
represent duplicates, they say they found about 10,000 usable
properties for all browsers.'

-- source: https://yro.slashdot.org/story/19/06/16/232241

Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
_______________________________________________
wlug mailing list | wlug@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/mailman/listinfo/wlug