
A timing attack with CSS selectors and JavaScript - mhasbini
https://blog.sheddow.xyz/css-timing-attack/
======
throwaway2016a
> Have you ever encountered a website that runs jQuery(location.hash)?

No. Actually I have never seen a website do that. What sites do that? What is
the actual use of grabbing an element that has an ID that matches the URL
hash?

And this attack will only work on those sites.

This is just one more variation of the best practice: don't trust user/client
supplied data.

Edit: Though academically I actually find how this was implemented to be
really interesting. I'm just not sure what uses it would have in the wild.

~~~
Guest9812398
I use it for linking to comments on my site. Users can copy a link to a
particular comment, and the link directs people to the appropriate topic and
location on the page.

I'm assuming that using X-Frame-Options to prevent the page from appearing in
a frame prevents this type of attack.

~~~
masklinn
> I use it for linking to comments on my site. Users can copy a link to a
> particular comment, and the link directs people to the appropriate topic and
> location on the page.

That works out of the box, it's a native HTML/browser feature.

Why do you pass location.hash to jQuery?

~~~
Guest9812398
Oh, my mistake, it's been a while since I wrote the code. I use it to style
the linked comment. So, the browser automatically scrolls to the appropriate
location, and then jQuery adds a style to that comment so the user can easily
locate it, or refind it if they scroll up and down the page.

~~~
minitech
In modern browsers, you can sometimes achieve this effect with `:target`.
([https://developer.mozilla.org/en-US/docs/Web/CSS/:target](https://developer.mozilla.org/en-US/docs/Web/CSS/:target))

------
driverdan
I don't understand the point of this. What elements will a timing attack work
against that you can't read the value from directly? I didn't notice any
discussion of this in the article.

Edit: I see how this works. It will allow you to exfiltrate data from 3rd
party websites that pass the URL hash into jQuery. An interesting idea but
limited in scope.

~~~
Novashi
I still don't get it.

How are you getting a successful request and a page render for the 3rd party
site, but not able to query the 3rd party DOM?

If you phished someone, there are probably better things you can do to lead to
a fuller compromise.

~~~
shawnz
It's described right in the article: embed the victim page in an iframe.
Because of the same-origin policy you shouldn't be able to access its DOM, but
with this trick, you can.

~~~
astura
Shouldn't X-Frame-Options header fix this?

~~~
shawnz
Assuming you don't want your page to be embedded, sure. But what if you do?

~~~
astura
True, but that's rather uncommon nowadays.

------
EastSmith
Cool hack.

Maybe it is time for browsers to disable iframes by default and ask the end
user if they want to run them via the standard browser confirmation mechanisms
site by site.

~~~
JustThrowMeAway
Sites can already send an 'X-Frame-Options: deny' header to prevent being
framed.

~~~
lol768
Or use CSPv2's frame-ancestors.
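
Added example, not from the original post, covering the two cases raised above: astura and shawnz's exchange about a page that must never be framed versus one the owner does want embedded, and lol768's pointer to CSP frame-ancestors, which can list permitted embedders where X-Frame-Options cannot. The page origin and partner origin are made up for illustration, and `ancestorAllowed` is a simplified model of browser enforcement (exact origin matching only, no wildcard or scheme-only sources).

```javascript
// Added example (not from the original post). Builds the framing headers for
// a page and models, in simplified form, how a browser applies them. Origins
// used below are placeholders for illustration.

const ORIGIN = /^https:\/\/[a-z0-9.-]+(:\d{1,5})?$/i; // scheme://host[:port], no path

// Build response headers given the third-party origins allowed to embed the
// page: null means nobody may frame it, [] means same-origin only.
function framingHeaders(allowedOrigins) {
  if (allowedOrigins === null) {
    // Nobody may frame us: the modern and the legacy header agree.
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  for (const o of allowedOrigins) {
    if (!ORIGIN.test(o)) throw new Error(`not an https origin: ${o}`);
  }
  const ancestors = ["'self'", ...allowedOrigins].join(' ');
  const headers = { 'Content-Security-Policy': `frame-ancestors ${ancestors}` };
  if (allowedOrigins.length === 0) {
    // Same-origin only: X-Frame-Options can express this, so send it as well
    // for browsers that predate CSP Level 2.
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  // With external partners there is no X-Frame-Options value that lists them
  // (ALLOW-FROM took a single origin and is not honoured by current browsers),
  // so only the CSP directive is sent. Browsers that understand
  // frame-ancestors ignore X-Frame-Options when both are present anyway.
  return headers;
}

// Simplified model of enforcement: may a document at origin `self` be framed
// by a parent whose origin is `ancestor`? Only exact origin matches and the
// 'self'/'none' keywords are modelled; real CSP source matching is richer.
function ancestorAllowed(headers, self, ancestor) {
  const csp = headers['Content-Security-Policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/.exec(csp);
  if (!m) {
    // No frame-ancestors directive: fall back to X-Frame-Options semantics.
    const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
    if (xfo === 'DENY') return false;
    if (xfo === 'SAMEORIGIN') return ancestor === self;
    return true; // no framing policy at all: anyone may embed the page
  }
  const sources = m[1].trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  return sources.some((s) =>
    s === "'self'" ? ancestor === self : s.toLowerCase() === ancestor.toLowerCase()
  );
}

// Usage: the "embeddable by a known partner" case the thread asks about.
const PAGE = 'https://forum.example';            // placeholder page origin
const PARTNER = 'https://partner.example';       // placeholder embedder
const partnerHeaders = framingHeaders([PARTNER]);
const partnerDecisions = {
  partner: ancestorAllowed(partnerHeaders, PAGE, PARTNER),          // true
  attacker: ancestorAllowed(partnerHeaders, PAGE, 'https://evil.example'), // false
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(partnerHeaders, partnerDecisions);
}
```

For the attack in the article the relevant decision is the last one: an attacker's page is refused as an ancestor whenever the policy names anyone at all, so allowing a partner to embed the page does not reopen the hole to everyone else. The caveat is the legacy case: a browser that knows only X-Frame-Options gets no header in the partner configuration, so if those clients matter, sending SAMEORIGIN there (and accepting that the partner embed breaks for them) is the safer trade.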

------
detaro
I would have thought Chrome's site isolation would prevent this. Not enabled
in the author's chromium build, or not helping for some reason?

~~~
pygy_
Chrome isolation is partial. Several unrelated tabs can share the same
process.

~~~
gsnedders
"Site Isolation" is the name of a specific feature. As of Chrome 67, Site
Isolation is enabled by default on desktop, so only tabs from the same
(scheme, eTLD+1) can share processes, and cross-origin iframes are moved out-
of-process based on the same rule.

See [https://security.googleblog.com/2018/07/mitigating-spectre-w...](https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html)

------
otriv
This is a good time to shill NoScript. If your browser runs JavaScript
automatically, then you are putting your privacy and safety at risk.

------
SimeVidas
Why does the RSS link on that website link to feedly.com instead of the feed
directly? Weird.

~~~
dotancohen
Metrics collection.

~~~
SimeVidas
Could you elaborate?

~~~
craftyguy
Probably something like this: [https://blog.feedly.com/sort-by-popularity/](https://blog.feedly.com/sort-by-popularity/)

