Precision Timing - Attacking browser privacy with SVG and CSS
Maybe you’ve heard it before - HTML 5 brings a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and interesting side effects.
Traditionally, browser timing attacks involve cache or network timing. In this presentation, I’ll introduce a number of new techniques that perform timing attacks on graphics operations involving CSS and SVG to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you’re logged into. I’ll also take a look at the difficulties involved in fixing these types of vulnerabilities.
Paul (@pdjstone) Stone's talk shows novel ways of extracting data across origin-borders using timing attacks - with SVG and other technologies. One might want to deploy additional HTTP headers after watching this outstanding presentation.
Remove this from your schedule?
This session is full and you may not be able to get back in.