@inproceedings{ae1247331db3435c81ad4eda05228bd7,
title = "Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome",
abstract = "Web privacy is challenged by pixel-stealing attacks, which allow attackers to extract content from embedded iframes and to detect visited links. To protect against multiple pixel-stealing attacks that exploited timing variations in SVG filters, browser vendors repeatedly adapted their implementations to eliminate timing variations. In this work we demonstrate that past efforts are still not sufficient. We show how web-based attackers can mount cache-based side-channel attacks to monitor data-dependent memory accesses in filter rendering functions. We identify conditions under which browsers elect the non-default CPU implementation of SVG filters, and develop techniques for achieving access to the high-resolution timers required for cache attacks. We then develop efficient techniques to use the pixel-stealing attack for text recovery from embedded pages and to achieve high-speed history sniffing. To the best of our knowledge, our attack is the first to leak multiple bits per screen refresh, achieving an overall rate of 267 bits per second.",
author = "Sioli O'Connell and Sour, {Lishay Aben} and Ron Magen and Daniel Genkin and Yossi Oren and Hovav Shacham and Yuval Yarom",
note = "Publisher Copyright: {\textcopyright} USENIX Security Symposium 2024.All rights reserved.; 33rd USENIX Security Symposium, USENIX Security 2024 ; Conference date: 14-08-2024 Through 16-08-2024",
year = "2024",
month = jan,
day = "1",
language = "English",
series = "Proceedings of the 33rd USENIX Security Symposium",
publisher = "USENIX Association",
pages = "3331--3348",
booktitle = "Proceedings of the 33rd USENIX Security Symposium",
}