
Did you know? Attackers use your locally installed browser base and JavaScript to draw up intricate exploit roadmaps for targeted attacks on your organization. Listen to our interview with security researcher Michael Schwarz to learn how JavaScript template attacks work and how to prevent them.

“Free” browsers boast features and extensions that supposedly enhance security and privacy online. The same settings or plugins, it turns out, can be used by adversaries to achieve precisely the opposite effect.

That’s just one of the eye-opening findings reported in the research paper JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits.

The paper was authored by security researchers Michael Schwarz, Florian Lackner and Daniel Gruss of Graz University in Austria. They describe how JavaScript template attacks help attackers prepare pinpointed zero-day or side-channel attacks against large organizations, by exploiting the ubiquitous data leaks in “free” browsers and their extensions.

 

The researchers found an abundance of environment-dependent properties in Firefox, Chrome, Edge, and mobile Tor, which allowed them to reveal the underlying operating system, the CPU architecture, the privacy-enhancing plugins in use, and the exact browser version. “As a result,” they summarize their findings, “we cannot only ease the creation of fingerprints, but we gain the advantage of having a more precise picture for targeted exploitation.”

For our podcast series The Silo Sessions, Gerd Meissner and Amir Khashayar Mohammadi asked Michael Schwarz, the lead researcher of the paper: How do JavaScript template attacks work, and what do they mean for browser security as a whole?

Listen to the interview here:

The Silo Sessions on YouTube: JavaScript Template Attacks

About the Author

A8 Team
Contribution Team U.S.A.

Authentic8 Team is a group of cybersecurity enthusiasts, investigation sleuths, top-notch engineers, news junkies, policy wonks and all-around fervent writers hell-bent on bringing you the best darn blog in the industry. 
