Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome

Authors: Sioli O'Connell, Lishay Aben Sour, Ron Magen, Daniel Genkin, Yossi Oren, Hovav Shacham, Yuval Yarom

Appeared in: 33rd USENIX Security Symposium, 2024
Abstract

Pixel-stealing attacks give a malicious website access to web content belonging to a victim website, overcoming cross-origin web isolation. They pose a major challenge to web user privacy. Filter-based attacks are one form of this attack class; they exploit a timing side channel that arises because the time taken to apply a transformation to an image depends on the image's content. To protect against such attacks, browser vendors have modified filter operations to remove observable timing differences.

In this work we show that this protection is not enough. We mount a cache side-channel attack with a high spatial resolution and show how a web-based attacker can monitor data-dependent memory accesses of a filter rendering function. Our attack is faster than prior works and is the first to leak at a rate faster than the screen refresh rate. We demonstrate how our attack can be used to leak text from an embedded web page. We also implement a high-speed history-sniffing attack and show how to further increase the speed of history sniffing under the assumption that the number of visited sites is substantially smaller than the total number of sites queried.

Download links