Cache attack could reveal people's online tracks

Measuring the time taken to access data, Princeton researchers find it's possible to trace which sites a person has recently visited.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
A technique that exploits the way Web browsers store recently viewed data could compromise Internet users' privacy by allowing an attacker to check what sites a person has visited recently.

The exploit--called a "timing attack"--allows an unethical Web site to play 20 questions (or more) with a person's browser and check whether the surfer has recently viewed any sites from a predetermined list.

An employer could use the technique on internal Web sites to see whether any employees have been visiting the competition's job listings. A Web portal could check whether a person has recently visited any of its sponsors.

"The attacks allow any Web site to determine whether or not each visitor has recently visited some other site" or set of sites, Edward Felten, a professor of computer science at Princeton University, and Michael Schneider, a graduate student, wrote in a paper published at a technical conference last month.

"The attacker can do this without the knowledge or consent of either the user or the other site," they wrote.

The attack takes advantage of the data caches used by browsers to speed access to recently visited Web sites.

Caching is a technique that stores copies of frequently accessed data in a nearby location, whether on a person's PC or on a server on the local area network. The ability to store recently viewed items significantly reduces the amount of data that has to move over the Internet.

How big a threat?
While the two researchers worry that the technique could be a threat to people's privacy, Richard Smith, chief technology officer of the nonprofit Privacy Foundation, said that the attack was more technically interesting than threatening.

"In theory, it might offer some problems for privacy," he said. "Time magazine could find out if you go to Newsweek and give you a better offer--seems unlikely, though.

"But it is interesting," he added. "It shows how subtle these things can be."

What worries Felten and Schneider is the technique's efficiency.

By measuring how long it takes for a person's browser to load in a page element--say, a graphic or a file--from another site, an attacker can determine if the element is in the person's cache. If so, that means the person recently visited that other site.

For example, if the Webmaster of A.com wants to see whether visitors have been to competitor Z.com, he would pick a cacheable Web element unique to Z.com--say, the logo. The Webmaster can then write a Java or JavaScript applet that measures the time it takes to access the file. That program would be embedded in the pages of A.com.

When a surfer visits A.com, his or her browser would download the applet and attempt to access the file from Z.com. If the file is in the cache, the browser can quickly access it. Otherwise, it has to pull down the file from the Web, and that takes longer.

The technique can quite accurately gauge whether a site has recently been accessed by any visitor.

Felten and Schneider found that using a Java or JavaScript applet resulted in accuracy rates of greater than 98 percent. If the browser has those features turned off, then a second method of successive HTML calls can accurately gauge whether a person has visited a particular site about 94 percent of the time.

Because Java and JavaScript are not necessary, and switching off caching leads to unacceptable performance degradation, "there seems to be little hope that effective countermeasures will be developed and deployed any time soon," Felten and Schneider wrote.