In this paper we show that HSTS headers and long-term cookies (like those used for user tracking) are so prevalent that they allow a malicious Wi-Fi operator to gain significant knowledge about the past browsing history of users. We demonstrate how to combine both into a history-stealing attack by including specially crafted references in a captive portal or by injecting them into legitimate HTTP traffic. Captive portals are used on many Wi-Fi Internet hotspots to show the user a message, such as a login page or an acceptable use policy, before they are connected to the Internet. They are typically found in public places such as airports, train stations, or restaurants. Such systems have been known to be troublesome for many reasons. In this paper we show how a malicious operator can gain knowledge not only about the current Internet session, but also about the user's past. By invisibly placing vast amounts of specially crafted references into these portal pages, we can lure the browser into revealing a user's browsing history, either by reading stored persistent (long-term) cookies or by evaluating responses for previously set HSTS headers. The presence of a persistent cookie, as well as a direct call to a page's HTTPS site, is a reliable sign that the user has visited this site earlier. Thus, this technique allows site-based history stealing, similar to the well-known link-color history attacks. For the Alexa Top 1,000 sites, between 82% and 92% of sites are affected, as they use persistent cookies over HTTP. For the Alexa Top 200,000 we determined the number of vulnerable sites to be between 59% and 86%. We extended our implementation of this attack with other privacy-invading attacks that enrich the collected data with additional personal information.
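As an added example (not code from the paper), the following is a defender-side audit of what a site's own plain-HTTP response headers would give away under the attack described above: a persistent cookie without the Secure attribute is replayed on any http:// reference to the site, and a cached HSTS policy causes the direct HTTPS request the abstract mentions. The sample headers, the fixed clock `NOW` and the `preloaded` flag are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: response headers of a hypothetical site served over plain HTTP.
SAMPLE_HEADERS = [
    ("Set-Cookie", "uid=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("Set-Cookie", "sess=xyz; Path=/; HttpOnly"),
    ("Set-Cookie", "pref=dark; Max-Age=31536000; Secure; SameSite=Lax"),
    ("Set-Cookie", "old=1; Max-Age=0"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock, keeps the audit deterministic

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {lower-case attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_persistent(attrs, now=NOW):
    """RFC 6265: valid Max-Age beats Expires; non-positive Max-Age or past Expires deletes."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False  # unparsable Expires leaves a session cookie
    return False

def audit(headers, preloaded=False, now=NOW):
    """Return (cookie names replayed on an http:// reference, HSTS upgrade observable?)."""
    replayed, hsts = [], False
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            # Persistent and not Secure: sent on plain HTTP, so its presence reveals a past visit.
            if is_persistent(attrs, now) and "secure" not in attrs:
                replayed.append(cname)
        elif name.lower() == "strict-transport-security":
            hsts = True
    # Preloaded hosts are upgraded by every browser, so the upgrade alone reveals nothing.
    return replayed, hsts and not preloaded
```

A site that sets long-lived cookies only with Secure over HTTPS and is on the HSTS preload list gives such a probe nothing that distinguishes a returning user from a first-time visitor.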