快猫短视频

Website delay provides bait for ‘phishers’

The time it takes web browsers to respond to access attempts using your email address can tell fraudsters if you shop at that site

The time it takes web pages to respond to spurious access attempts made using your email address or browser can tell fraudsters whether you shop at that site, or even reveal details about your email contents.

Timing tricks on the web are not new. In 2000 cryptographers at Princeton University demonstrated that the time taken by your browser to query a website could reveal to hackers whether you have previously visited that site. But now it appears that far more personal data can be gleaned by measuring how quickly web pages respond to various queries, says Andrew Bortz who discovered the vulnerability along with his supervisor Dan Boneh.

Bortz found that websites that use people鈥檚 email addresses as their login, such as Amazon, can be interrogated by entering trial email addresses into their login page. A made-up password is entered alongside the user email, so the attempt creates an error message. Bortz found that it takes up to 10 milliseconds longer for this message to appear if the user has an account with the site than if they don鈥檛, as the site only checks the password if the email address is registered there. 鈥淛ust about every site we tested is vulnerable to this,鈥 he says.

Bortz believes fraudsters may already be exploiting this to find out which online stores people use, in order to send them personalised 鈥減hishing鈥 emails purporting to come from those sites. Spammers could also use the trick to see which email addresses they hold are valid.

What鈥檚 more, Bortz has found that a browser can be tricked into carrying out a more sophisticated attack on a hacker鈥檚 behalf. The user must first be duped into clicking on a link to a malicious web page, by the promise of a video clip for example. Buried in the code that tells the browser how to display the page would be another link, perhaps to a web mail site, say, which it would be instructed to query. If the user has an account there, their browser will already have 鈥渃ookie鈥 files that allow it to automatically query personal pages such as their email inbox. The time it takes the page to respond to these queries will reveal how many emails are in the user鈥檚 inbox, say.

In the same way, an attacker could find out how many times a particular word appears in their emails, by simply instructing the browser to query the search term. This could identify them as an employee of a company or flag their personal interests. 鈥淓very bit of information about users provides a potential hook for an attacker,鈥 says Avi Rubin, a security researcher at Johns Hopkins University in Baltimore, Maryland.