Browser history re:visited


Michael Smith, Craig Disselkoen, and Shravan Narayan, UC San Diego; Fraser Brown, Stanford University; Deian Stefan, UC San Diego


We present four new history sniffing attacks. Our attacks fit into two classical categories—visited-link attacks and cache-based attacks—but abuse new, modern browser features (e.g., the CSS Paint API and JavaScript bytecode cache) that do not account for privacy when handling cross-origin URL data. We evaluate the attacks against four major browsers (Chrome, Firefox, Edge, and IE) and several security-focused browsers (ChromeZero, Brave, FuzzyFox, DeterFox, and the Tor Browser). Two of our attacks are effective against all but the Tor Browser, whereas the other two target features specific to Chromium-derived browsers. Moreover, one of our visited-link attacks (CVE-2018-6137) can exfiltrate history at a rate of 3,000 URLs per second, an exfiltration rate that previously led browser vendors to break backwards compatibility in favor of privacy. We hope that this work will lead browser vendors to further reconsider the design of browser features that handle privacy-sensitive data.

@inproceedings {220594,
author = {Michael Smith and Craig Disselkoen and Shravan Narayan and Fraser Brown and Deian Stefan},
title = {Browser history {re:visited}},
booktitle = {12th USENIX Workshop on Offensive Technologies (WOOT 18)},
year = {2018},
address = {Baltimore, MD},
url = {},
publisher = {USENIX Association},
month = aug
}