Maybe you’ve heard it before - HTML 5 brings a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and interesting side effects.
Traditionally, browser timing attacks involve cache or network timing. In this presentation, I’ll introduce a number of new techniques that perform timing attacks on graphics operations involving CSS and SVG to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you’re logged into. I’ll also take a look at the difficulties involved in fixing these types of vulnerabilities.
Paul (@pdjstone) Stone's talk shows novel ways of extracting data across origin-borders using timing attacks - with SVG and other technologies. One might want to deploy additional HTTP headers after watching this outstanding presentation.