What Is Your Browser Doing Behind Your Back?

Wednesday, October 09, 2013

Kyle Adams


Browsers have become extremely complex over the last few years, so does everyone fully understand everything a modern browser does?  Of course everyone is familiar with the point and click, redirections, forms . . . normal Web stuff.  What you might not know, is that your browser does a lot of things automatically without you asking it to.  These “helpful” features represent potential security risks, and it’s important that you are at least aware of them, so you can adjust your browsing behavior accordingly.

Behind Your Browser.jpg


The Trouble with Some Browser Optimizations


Modern browsers have a lot of optimizations to make sure your pages load quickly.  A few of the most interesting—and potentially harmful—optimizations are little known, but can represent serious breaches in privacy or undesired actions being taken without your knowledge.  Not necessarily because you are targeted by an attacker, but because you’re not aware that your browser is doing these things in the background.  


A few of these include:


1) DNS prefetching. DNS prefetching is a feature of most browsers that will look at all the links on a page, and automatically pre-resolve the DNS record.  In other words, it will look up the IP address those links point to so that when you click on them, it already knows where to send you.  However, if an attacker puts a hidden link on a page that points to their own domain and sets up his own DNS server, he can actually be notified when you view the page and get your IP address—even if you never click the link. This is bad especially in the case of emails and forums.  If an attacker puts a link in an email that used this technique, he can basically be notified when you read the email (without you being able to stop it).  Some webmail clients protect from this type of leak, but not all.


2) Page prefetching. In some browsers, most notably Chrome, when you type an address into the URL bar, it will actually go request the page before you finish typing.  In this way, the target server can tell what you type as you type it and, in some cases, it can accidentally request a page that causes some adverse action on the user.  For example, it might request the URL that deletes your account, even though you wanted a different URL that started with the same characters (an unlikely example, but hopefully you get the point).  So as you type, your account would get inadvertently deleted, and when you finish typing the full URL, your account won’t exist anymore.


3) Session Cookies.  Some browsers, most notably Chrome, do not delete session cookies when you clear your cookies.  This means that even if you clear your cookies, sites can still keep tracking you until you close your browser.  Most other browsers delete session cookies when you clear all cookies, so this behavior is somewhat unintuitive and unexpected.  It is something users should be aware of.


4) Plugins.  Many useful plugins exist for most browsers, but each plugin operates with an immense amount of privileges. They can look at everything you do, mess with content on your system, and make requests without you knowing. A great example is the plugins commonly shipped with antivirus applications. These plugins are designed to warn you when you visit a malicious page. However, in order for the AV vendor to know you’re visiting a malicious page, they need to know every page you do visit. This means that as you browse the Internet, the entire sum of your Internet activity is being silently shipped to a third party. Usually it’s a fairly trustworthy entity the data is being sent to, so not too much concern there, but if that company ever gets breached, it’s possible your entire browsing history (even after you clear it locally) would be exposed to the attacker. Worse yet, some of these plugins don’t bother encrypting such data, so it gets sent around in cleartext for anyone sniffing Wi-Fi traffic to look at. Users should be EXTREMELY cautious as to which plugins they install, and should make sure they understand what the plugin does in the background.


About the Author: Kyle Adams is the Chief Software Architect for the Junos WebApp Secure product within Juniper Networks. With more than 10 years of experience in web application development and security, he is responsible for designing and implementing many of the attacker-detection techniques and countermeasures used within the product. Kyle holds a B.S. in computer science from the Rochester Institute of Technology, as well as a minor in criminal justice. Prior to Junos WebApp Secure, he worked as a web application and security consultant on more than 70 diverse, web-based projects in a broad range of industries. Kyle is also a member of the OWASP organization and has presented at several OWASP events; he has also provided technical insight on public breaches for a variety of news publications.


Cross Posted from Juniper Networks


Possibly Related Articles:
Security browsers DNS prefetching Session Cookies
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.