Flow stealing: A well-timed redirection attack
KTH, School of Computer Science and Communication (CSC), Theoretical Computer Science, TCS.
2013 (English)
In: Journal of Computer Security, ISSN 0926-227X, Vol. 21, no 3, 371-391 p.
Article in journal (Refereed) Published
Abstract [en]

In this work, we present a Flow Stealing attack, where a victim's browser is redirected in the middle of a browsing session. We detail two attack scenarios. The first is redirecting the victim's browser as it moves from a store to a payment provider, and the second redirects the victim to a phishing page, when she navigates to one of a set of target sites. A key issue in flow stealing is correctly timing the redirect. The main way to accomplish this is to leverage a history detection attack to test whether the victim has visited a target. By repeatedly polling, an attacker learns when the victim navigates to a tested target page. With this application, we demonstrate that the impact of history detection is greater than previously known. Our primary history detection mechanism is a cache timing attack, measuring the time it takes to load an element to determine if it was served from the browser cache. This attack works with present browser versions. We also discuss CSS history detection, based on detecting the styling of visited links, which has been solved in most browsers. Lastly, we also consider a network-based attacker who can mount a man-in-the-middle attack on the victim's network traffic. We discuss several countermeasures against flow stealing. These include two new proposed policies on JavaScript window navigation which can be implemented by browser vendors. We also present mitigations which can be implemented by individual stores or payment providers.

Place, publisher, year, edition, pages
2013. Vol. 21, no 3, 371-391 p.
Keyword [en]
flow stealing, history detection, Web security
National Category
Computer Science
URN: urn:nbn:se:kth:diva-133872
DOI: 10.3233/JCS-130466
ScopusID: 2-s2.0-84881458635
OAI: diva2:663537

QC 20131112

Available from: 2013-11-12 Created: 2013-11-11 Last updated: 2013-11-12
Bibliographically approved

By author/editor
Kreitz, Gunnar