Google: These new data-leaking website attacks are a growing menace

Google publishes XS-Leaks to encourage research into the difficult-to-solve problem of cross-site leaks of user information.
Written by Liam Tung, Contributing Writer

Google has set up a new site to track cross-site leaks, warning that these types of flaw are being used by some sites to steal information about the user or their data in other web applications. 

The new wiki includes information about the principles behind cross-site leaks, common attacks, and proposes defense mechanisms to stop these attacks. 

"Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses," Google said.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

The wiki explains that XSLeaks "are a class of vulnerabilities derived from side-channels built into the web platform."

"They take advantage of the web's core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user," the wiki explains.

"The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to."

While such vulnerabilities are not generally viewed as serious flaws, they're also very common and can be used as a launchpad for more complex and harmful attacks.

Google has been working on XSS vulnerabilities with external security researchers since 2010 via its bug bounty for Google websites including Google and YouTube. Google used to have a feature in Chrome called XSS Auditor that scanned a website's source code for signs of cross-site scripting attacks on a user's browser. However it removed XSS Auditor last year after finding it introduced too many XS leaks itself

SEE: Ransomware victims aren't reporting attacks to police. That's causing a big problem

The wiki goes through types of attacks offers an overview of security features that can thwart or mitigate it.

It also details how web browser developers can adopt new browser security features such as Fetch Metadata Request Headers sent by browsers with HTTPS requests to provide context about how a request was initiated. This allows applications to make more informed decision about how to respond to them.  

Other defenses include Cross-Origin Opener Policy, Cross-Origin Resource Policy, and SameSite cookies.

Editorial standards