Personal data can be accessed on the internet via so-called XS-Leaks. A large number of browsers are affected.

Cross-site leaks, or XS-Leaks, are 14 new types of attacks against web browsers uncovered by IT security specialists. A rogue website can use XS-Leaks to steal personal information from visitors by connecting with other websites in the background.

Ruhr-Universität Bochum (RUB) and Niederrhein University of Applied Sciences researchers investigated how well 56 browser and operating system combinations protect against 34 different XS-Leaks. To this goal, they created the website, which allowed them to check browsers for these flaws automatically. A vast number of XS-Leaks were discovered in popular browsers such as Chrome and Firefox. “XS-Leaks are frequently browser problems that the manufacturer must correct,” says Lukas Knittel, one of the paper’s Bochum authors.

The findings were presented online and at the “ACM Conference on Computer and Communications Security,” which was held virtually in mid-November 2021. Professor Marcus Niemietz of the Niederrhein University of Applied Sciences and Lukas Knittel, Dr. Christian Mainka, Dominik Noß, and Professor Jörg Schwenk of the Horst Görtz Institute for IT-Security at RUB received a Best Paper Award for their study at the conference. The research was conducted as part of the “CASA – Cyber Security in the Age of Large-Scale Adversaries” Cluster of Excellence.

What is XS-Leaks and how does it work?
The so-called same-origin policy, one of a browser’s key defences against many forms of assaults, is bypassed by XS-Leaks. The same-origin policy is in place to prevent data from being taken from a trustworthy website. Attackers can still recognise individual, minor features of a website in the case of XS-Leaks. If these details are linked to personal information, that information may be exposed. Emails in a webmail inbox, for example, could be viewed from a malicious site because the search tool reacts differently depending on whether or not there are results for a search word.

Searching for new attacks in a systematic manner
The researchers first identified three features of XS-Leaks assaults in order to analyse them thoroughly. They then developed a formal model based on these that helps with comprehending XS-Leaks and detecting future assaults, among other things. The researchers came up with 14 new assault categories as a result of their findings.

Chat WhatsApp