Researchers on Thursday identified 14 new types of cross-site (XS) leaks on popular web browsers such as Chrome and Firefox. Using the XS-Leaks, a malicious web site can grab personal data from site visitors by interacting with other websites in the background.
In a blog post, the research team from Germany-based Ruhr-Universität Bochum (RUB) and Niederrhein University of Applied Sciences, said they tested how well 56 combinations of browsers and operating systems are protected against 34 different XS-Leaks.
The researchers developed the XSinator.com website, which let them automatically scan the browsers for XS-Leaks. According to the researchers, during an XS-Leak, an attacker can recognize individual, small details of a website. If these details are tied to personal data, that data can leak.
After almost two decades, cross-site scripting and XS-Leaks remain among the most common browser deficiencies, said Saryu Nayyar, CEO of Gurucul, who added that cloud technologies can assist in the protection against these type of attacks.
“But they are by no means a panacea,” Nayyar said. “Cloud users typically have security responsibilities that are limited to the application and data. However, cloud providers can’t fix issues with commercial browsers. In reality, both the cloud provider and user have to work together to ensure that the risks of XS-Leaks and cross-site scripting are minimized.”
Garret Grajek, CEO at YouAttest, said that cloud security has evolved as the issue. A browser attack functions as an attacker's ideal conduit to browser resources, Grajek said, adding that by obtaining passwords-credentials, the XS-Leaks browser attack serves as a great first step for hackers to penetrate valued cloud resources.
“What's relevant is that the rapid growth in cloud services spells trouble for enterprises,” Grajek said. “Many of these resources have not been adequately security reviewed in this rush to the cloud. In fact, Gartner predicts that by 2023, 75% of all cloud security breaches will be the result of inadequate permission management. This means the stolen credentials obtained by the XS-Leak attack can obtain access to accounts with excess privileges to valued cloud resources. This is why security teams must adhere to the principle of least privilege for all resources, including cloud resources.”
Miclain Keffeler, application security consultant at nVisium, added that in a world of ever-increasing privacy concerns, XS-Leaks illustrate why the security world has a long way to go. Keffeler said XS-Leaks highlight many of the same concerns that security experts have raised for years: Default settings can get organizations into big trouble. Keffeler said many of the mitigation methods listed for XS-Leaks require that security teams properly configure SameSite cookies, as well as set proper security headers such as Cross-Origin-Resource-Policy (CORP) and X-Frame-Options (XFO).
“Let it be known that these security recommendations are not new, but the lack of consistency across browsers is cause for concern — and perhaps the most dangerous part of this type of vulnerability,” Keffeler said. “With the rise of the cloud in recent years, and companies moving at an increasingly accelerated pace to deliver key products to their customers, these vulnerabilities give pause for concern — and should be considered a No. 1 priority in the protection of customer information.”
