Browser Attacks

Options for Browsers

While I recommend the Tails operating system for sensitive web browsing and communication, it is a painful experience to use Tor for all internet communications. For regular desktop use, I recommend the Brave Browser.

Brave Browser does have an option to open a private window with Tor, in case you want to raise your security somewhat for one task without starting up Tails. Keep in mind that this is Brave's own Tor integration, not Tor Browser: it routes your traffic through Tor, but it does not make you look like every other Tor Browser user the way Tor Browser does, so some things should only be done on Tails.

Browser Specific Attacks

The following attacks are for the most part specific to web browsers.

Everything after a question mark ? in a link, up to any # fragment, is called the query string. It carries parameters as name=value pairs separated by & characters.

When sharing a link, it is generally a good idea to remove the query string first. Query strings often contain an ID that would correlate you with anyone else who clicks that link.

The reverse is also a threat: clean the query string on any links you receive before opening them. We'll cover more devious query string attacks later, but you're more likely to run into query strings carrying advertising IDs.

Some query strings carry legitimate data, such as the time at which to start a YouTube video. t=1 starts the video at the one second mark instead of at the beginning, as in: https://youtu.be/dQw4w9WgXcQ?t=1
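Two ways to do the cleaning described above in code, as an added example that is not part of the original page. The tracking parameter names are a constructed starter list of common advertising and analytics parameters (utm_*, fbclid, gclid and friends), and the per-host allow list is an assumption made for the illustration; both are meant to be extended. It runs as-is in Node.js using only the built-in URL class.

```javascript
// Added example, not code from the original page. Cleans a link's query
// string before you share or open it. Parameter lists below are constructed
// assumptions for the illustration, not an authoritative registry.

const TRACKING_PARAM_PREFIXES = ["utm_"]; // utm_source, utm_medium, utm_campaign, ...
const TRACKING_PARAMS = new Set([
  "fbclid", "gclid", "dclid", "msclkid", "mc_cid", "mc_eid", "igshid", "ref_src", "si",
]);

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PARAM_PREFIXES.some((p) => n.startsWith(p));
}

// Deny-list approach: remove known tracking parameters, keep everything else.
// Returns the cleaned link and the names that were dropped.
function stripTrackingParams(link) {
  const url = new URL(link);
  const removed = [];
  // Copy the keys first: deleting while iterating URLSearchParams skips entries.
  for (const name of Array.from(url.searchParams.keys())) {
    if (isTrackingParam(name) && !removed.includes(name)) {
      url.searchParams.delete(name); // removes every occurrence of that name
      removed.push(name);
    }
  }
  return { cleaned: url.toString(), removed };
}

// Allow-list approach, which is what the text recommends: drop every
// parameter except the ones a given host legitimately needs (assumed list).
const ALLOWED_PARAMS_BY_HOST = {
  "youtu.be": new Set(["t"]),
  "www.youtube.com": new Set(["v", "t"]),
};

function stripQueryStrict(link) {
  const url = new URL(link);
  const allowed = ALLOWED_PARAMS_BY_HOST[url.hostname] || new Set();
  for (const name of Array.from(url.searchParams.keys())) {
    if (!allowed.has(name)) url.searchParams.delete(name);
  }
  // The URL class drops the "?" entirely once no parameters remain; the
  // #fragment, if any, is left alone since it never reaches the server.
  return url.toString();
}

console.log(stripTrackingParams("https://example.com/page?utm_source=newsletter&utm_medium=email&id=42"));
console.log(stripQueryStrict("https://youtu.be/dQw4w9WgXcQ?si=abc123&t=1"));
```

The strict function is the one to reach for when you don't recognise a link: it keeps the video timestamp on a YouTube share link and throws away the share identifier that YouTube appends, and for any host not on the allow list it drops the query string wholesale.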

Advertising data collection is prolific on the internet. The standard way of tracking you is through cookies. A cookie is a small piece of data a site stores in your browser, and the browser sends it back only to the domain that set it (and, if the site asks for it, that domain's subdomains), never to unrelated sites. The trick is that an ad shown on one website is loaded from the ad network's own domain, so the ad network can set a cookie under that domain. When another website loads an ad from the same network, your browser sends that same cookie along, together with a Referer header naming the page you are on. That correlates your web usage across many websites, even though none of those websites can read each other's cookies.
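A toy model of that correlation, as an added example that is not part of the original page. It simulates a browser whose cookie jar is keyed by the host that set each cookie, an ad server embedded on three unrelated sites, and the effect of blocking third-party cookies. All hostnames and the visit sequence are constructed for the illustration; no real network traffic is involved.

```javascript
// Added example, not code from the original page: a toy model of how one
// ad-network cookie ties visits to unrelated sites together. Hostnames
// such as ads.example and the visit order are constructed for this demo.

class ToyAdServer {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // tracking id -> list of sites seen
  }
  // Handle a request for the ad script: reuse the uid cookie if the browser
  // sent one, otherwise mint a fresh id and ask the browser to store it.
  handle(request) {
    let uid = request.cookies.uid;
    const setCookie = {};
    if (!uid) {
      uid = `u${this.nextId++}`;
      setCookie.uid = uid;
    }
    // The Referer header tells the tracker which site embedded the ad.
    const seen = this.profiles.get(uid) || [];
    seen.push(request.referer);
    this.profiles.set(uid, seen);
    return { setCookie };
  }
}

class ToyBrowser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.jar = new Map(); // cookie host -> { name: value }
    this.blockThirdPartyCookies = blockThirdPartyCookies;
  }
  // Visit a page on `site` that embeds a resource from `trackerHost`.
  // The jar is keyed by the host that set the cookie, not by the site you
  // are visiting; that is exactly what makes cross-site correlation work.
  visit(site, trackerHost, tracker) {
    const isThirdParty = site !== trackerHost;
    const cookiesAllowed = !(isThirdParty && this.blockThirdPartyCookies);
    const cookies = cookiesAllowed ? (this.jar.get(trackerHost) || {}) : {};
    const response = tracker.handle({ referer: site, cookies });
    if (cookiesAllowed && Object.keys(response.setCookie).length > 0) {
      this.jar.set(trackerHost, { ...cookies, ...response.setCookie });
    }
  }
}

// Three unrelated sites all embed ads.example; return the profiles the ad
// server managed to build, keyed by tracking id.
function simulate(blockThirdPartyCookies) {
  const ads = new ToyAdServer();
  const browser = new ToyBrowser({ blockThirdPartyCookies });
  for (const site of ["news.example", "shop.example", "forum.example"]) {
    browser.visit(site, "ads.example", ads);
  }
  return Object.fromEntries(ads.profiles);
}

console.log("third-party cookies allowed:", simulate(false));
console.log("third-party cookies blocked:", simulate(true));
```

With third-party cookies allowed, the ad server ends up with one profile listing all three sites; with them blocked, every visit looks like a new visitor and the profiles never link up. Real browsers add more detail (SameSite rules, partitioned cookie jars, trimmed Referer headers), but the mechanism is the same.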

If you don't use Brave browser, you can manually clear your cookies from time to time. Firefox and Chrome also support an extension, "uBlock Origin", that you can install. It prevents many ads and trackers from loading at all. It doesn't catch every ad and tracking script on a webpage, but it cuts down their number and speeds up your browser by not loading so much code. Note that Chrome's move to the Manifest V3 extension platform has been disabling the full uBlock Origin; Firefox still supports it, and "uBlock Origin Lite" is the reduced version built for Manifest V3.

Don't use uBlock Origin or any other browser extension on Tor Browser. Browser extensions can contain malicious code, and any extension also changes how your browser behaves and looks to websites, which makes you stand out from the crowd of other Tor Browser users. Best practice is that your Tor Browser and Tails system have no additional code whatsoever.

You can also set Firefox or Chrome to send a "Do Not Track" signal to websites. This does next to nothing, since honouring it is entirely voluntary, but it doesn't hurt. Both browsers have a search box in the settings page where you can find the setting; recent Firefox versions have replaced it with the similar "Global Privacy Control" signal.

Advertising/Browser Identity

Websites can also detect which browser and operating system you are using, from the User-Agent header your browser sends and from what its JavaScript engine exposes. In many cases this identifies you only broadly, but an unusual setup such as Konqueror on Arch Linux puts you in a small bucket with only a few other users.

There is also a sneakier way advertisers can track you, by measuring how your particular machine renders graphics. This is called "canvas fingerprinting" because it uses the "canvas" feature of HTML5: a script draws text and shapes onto an invisible canvas, reads the pixels back and hashes them. Your GPU, graphics driver, installed fonts and anti-aliasing settings all change the pixels slightly, so the hash is stable for your machine and differs from most other machines. A related technique, WebGL fingerprinting, reads the GPU vendor and renderer strings directly.

Brave Browser has mitigations against browser identification (it adds small random noise to canvas and similar readouts, so the fingerprint differs from site to site and session to session), as do Tor Browser and Tails, which take the opposite approach of making every user look the same and asking before a site may read canvas data.

Advertising/IP Tracking

Cookies aren't the only way to track a web browser. Connecting to two websites from the same IP address can also be used to correlate your web usage across them, especially when both embed the same ad network. I discussed this earlier in "Metadata Attacks".

Advertising/Clipboard Attack

One time I had a video on YouTube playing while I copied some text written in Spanish into Google to translate it. And YouTube started playing a Spanish ad instead of an English one.

If you use a browser in a VM with the shared clipboard off, the host machine and other VMs will not see your clipboard. Keep in mind, too, that whatever you paste into a site is data you have handed to that site, and a company that runs both the site and the ad network can combine the two. Otherwise, keep your clipboard clear while using a browser, and have as few tabs open as possible.

Yes, you know who you are, with 50 tabs open at all times. Stop it, get help.

XSS Attacks

Cross site scripting (XSS) attacks can be devious, and a bit harder to explain than most of the other attack vectors.

Stored XSS attacks can be found on some online forums where the forum software doesn't properly escape user input before writing it into a page. A malicious forum user can put JavaScript code directly in a post, and it then executes in the browser of anyone who views the page containing that post. You don't even have to scroll to the post for the code to execute; it runs as soon as the page loads.

That code is confined to the browser, but it runs with the forum's own identity (its origin), so it can read the forum's cookies unless they are marked HttpOnly, act on the forum as you, and collect other sensitive information from the page, even though the attacker did not create the forum or website you are on.

Many browsers allow you to block scripts (Firefox users often do this with the NoScript extension), but keep in mind this can reduce or break the functionality of a webpage.

Most large social media platforms such as Twitter have this locked down by escaping user input before rendering it. You'd be hard pressed to find a way to run JavaScript on Twitter by writing a tweet. This attack vector is less common now, but be wary of it on old forums and websites.

Reflected XSS attacks can be delivered by sending you a malicious link over some other channel. For example, you receive an email suggesting you look at a post on Twitter, but the link doesn't actually go to a post. Instead the query string could look something like: twitter.com/createpost?message=Gotcha

This is a fake example, but it should give you an idea of what can happen. The underlying bug is that the site takes the value of a parameter such as message and writes it back into the page without escaping it; if the value contains a script tag, it runs in your browser on the site's origin, and the browser cannot tell it apart from the site's own code. Depending on how much the website relies on query strings, the result can be as bad as posting something you didn't mean to, or resetting a password, or as little as nothing at all. Websites built in PHP, ASP and other older styles that assemble HTML by string concatenation are generally more vulnerable to this attack.

Remember to clean your query strings!
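The stored and reflected cases above side by side, as an added example that is not the forum software's or any real site's code. It shows a forum-style renderer that inlines a post body verbatim, a page that echoes a ?message= parameter back to the visitor, and the HTML escaping that fixes both. The post contents, the link and the forum.example hostname are constructed; the escapeHtml and render functions are hypothetical names chosen for the demo.

```javascript
// Added example, not code from the original page or from any real forum.
// Vulnerable and fixed renderers for stored and reflected XSS. All inputs
// (post, link, hostname) are constructed for the illustration.

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stored XSS: user-controlled text is concatenated straight into HTML.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.author}</b>: ${post.body}</div>`;
}

// Fixed: every user-controlled string is escaped before it is embedded,
// so a "<" in the post becomes text, never the start of a tag.
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Reflected XSS: the page repeats a query parameter back to the visitor.
function renderMessagePageUnsafe(link) {
  const message = new URL(link).searchParams.get("message") || "";
  return `<p>Your message: ${message}</p>`;
}

function renderMessagePageSafe(link) {
  const message = new URL(link).searchParams.get("message") || "";
  return `<p>Your message: ${escapeHtml(message)}</p>`;
}

// Crude check, only to make the difference visible here: does the rendered
// HTML still contain a live <script> tag or an inline on*= event handler?
function containsActiveScript(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed malicious post: the textbook cookie-reading payload.
const maliciousPost = {
  author: "mallory",
  body: "<script>alert(document.cookie)</script>",
};

// Constructed link whose parameter is <img src=x onerror=alert(1)>, URL-encoded.
const maliciousLink =
  "https://forum.example/say?message=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

console.log(containsActiveScript(renderPostUnsafe(maliciousPost)));        // true
console.log(containsActiveScript(renderPostSafe(maliciousPost)));          // false
console.log(containsActiveScript(renderMessagePageUnsafe(maliciousLink))); // true
console.log(containsActiveScript(renderMessagePageSafe(maliciousLink)));   // false
```

Escaping is context-specific: the function above is correct for element content and quoted attribute values, which is where these renderers put the data, but it is not enough inside a script block, a URL or a CSS rule, where other encodings are needed.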

Phishing Attacks

This one is particularly dangerous.

A phishing attack is a trick played on you to make you give up personal information such as 2 factor authentication codes or other sensitive details. Generally this is done by pretending to be someone at a company you use. This could be an entire thread by itself, but the general rule is not to give information to someone who contacted you. If you call a company or set up an account with it, you generally have to give your information; there is, however, no way to verify that the person who called you unsolicited is in fact an employee of your bank. If in doubt, hang up and call back on the number printed on your card or on the company's own website.

I will give you a devious example. Some dude, we'll call him Bob, got a text on his phone from Eve. Eve claims she previously owned that phone number and accidentally left 2 factor authentication active on an old account, so she needs the 2 factor authentication code that is about to arrive at Bob's new number in order to remove it from her account. Bob gave the go ahead and told Eve the code. Now Eve has access to Bob's banking account: she had used the "Forgot my Password" feature on Bob's account, and only needed that 2 factor authentication code to take it over.

Do not give 2 factor authentication codes to people who contact you. If a 2 factor authentication code is texted to your phone but you did not try to log in or otherwise need a code at that moment, then someone is trying to access your account: don't reply to the message, and change that account's password from a device you trust.

One other example: if someone tries to get you to open the "Developer Tools" or "Console" in your browser and paste some code in, that is almost certainly a phishing attack (often called self-XSS) to steal your login session. Code pasted into the console runs with the full access of whatever site you are logged into in that tab.

SSL Forgery and Website Spoofing

This is related to phishing attacks. If you go to your banking website such as bankofamerica.com and see a closed lock next to the website name (older browsers coloured it green; current Chrome shows a generic settings icon instead), you are probably secure. The lock only means the connection is encrypted to the domain shown in the address bar; it says nothing about whether that domain is the one you meant. There are two things to be wary of.

The first attack is a similar but not identical domain name. If you click a link from a sketchy source and it takes you to bankofamerlca.com, you might miss that the i has been replaced with an l. You are not on your banking website, but on a site spoofed to look legitimate. Variants of the trick add a word (bankofamerica-secure.com), put the real name in front of a different domain (bankofamerica.com.login.example), or use internationalised domain names in which a Latin letter is swapped for an identical-looking Cyrillic or Greek one.

These attacks are sophisticated enough that when you enter your username and password, the fake site logs in to the real website itself, sees that a 2 factor authentication code is required, and prompts you for it. When you enter your code, the fake website then has access to your account. In some cases you can interact with your account normally through the fake website and do everything you usually do, but when you log out, the fake website doesn't log itself out and can act on your account while you are gone.

Don't click links to your banking website, ever. Either type it out or use the link in your password manager that you saved previously; a password manager also won't offer to fill your credentials on a domain it doesn't recognise, which is a useful warning in itself. Security keys and passkeys are bound to the real site's address, so unlike a texted code they cannot be relayed through a lookalike domain.
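A link checker for the lookalike tricks above, as an added example that is not part of the original page and not any bank's code. It folds letters that are easily confused in common fonts (l and i, rn and m, and so on), compares the link's domain against a short list of sites you actually use, and flags hostnames that merely contain the bank's name or use internationalised labels. The trusted-site list, the confusable table and the example links are constructed assumptions for the demo.

```javascript
// Added example, not code from the original page or from any bank.
// Classifies a link's hostname against a short list of sites you actually
// use. The list, the confusable table and the sample links are assumptions.

const TRUSTED_HOSTS = ["bankofamerica.com"];

// Letter pairs that look alike in common fonts are folded to one form so
// that "bankofamerlca" (with an l) and "bankofamerica" compare equal.
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["cl", "d"], ["l", "i"], ["1", "i"], ["0", "o"]];

function skeleton(host) {
  let s = host.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Standard edit distance, used to catch one- or two-character typos.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function classifyLink(link) {
  const host = new URL(link).hostname; // lowercased; IDN labels come back as punycode (xn--...)
  for (const trusted of TRUSTED_HOSTS) {
    if (host === trusted || host.endsWith("." + trusted)) return { verdict: "trusted", host };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", host, reason: "internationalised hostname; inspect the punycode form" };
  }
  // Simplification: treat the last two labels as the registrable domain
  // (wrong for suffixes such as co.uk, good enough for this illustration).
  const registrable = host.split(".").slice(-2).join(".");
  for (const trusted of TRUSTED_HOSTS) {
    const brand = trusted.split(".")[0];
    if (host.includes(brand)) {
      return { verdict: "suspicious", host, reason: `contains "${brand}" but is not under ${trusted}` };
    }
    const distance = levenshtein(skeleton(registrable), skeleton(trusted));
    if (distance <= 2) {
      return { verdict: "suspicious", host, reason: `within ${distance} edits of ${trusted} after folding look-alike letters` };
    }
  }
  return { verdict: "unrelated", host };
}

for (const link of [
  "https://www.bankofamerica.com/login",
  "https://bankofamerlca.com/login",
  "https://bankofamerica.com.secure-login.example/",
  "https://example.com/",
]) {
  console.log(classifyLink(link));
}
```

Anything that comes back as "suspicious" is a link to type out by hand or open from your password manager instead. The check is deliberately paranoid: it will also flag a legitimate new subdomain you haven't listed, which is the right failure direction for a banking link.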

The second attack can happen even if the website name is typed correctly and the lock is shown. This is a rare attack, loosely called SSL forgery, where the lock looks valid but the connection actually uses a certificate that was mis-issued or forged for that domain. It generally requires a compromise of, or a serious mistake by, a certificate authority. When those have happened and been detected, browser and operating system updates have been pushed out that distrust the forged certificates or the authority itself; those are, however, only the ones we know of. Chrome, among others, now also requires public certificates to be recorded in Certificate Transparency logs, which is how many mis-issuances get caught. Not much can be done by a user against these, but if a website appears buggy or not fully functional even though the lock is shown, it might be a fake website, similar to the website spoofing above. Fortunately this is far less common than spoofing with similar domain names.
