Conference papers

Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users

Vikas Mishra (1), Pierre Laperdrix (1), Walter Rudametkin (1), Romain Rouvoy (1, 2)
1 SPIRALS - Self-adaptation for distributed services and large software systems
Inria Lille - Nord Europe, CRIStAL - Centre de Recherche en Informatique, Signal et Automatique de Lille (CRIStAL) - UMR 9189
Abstract : Many browser cache attacks have been proposed in the literature to sniff the user's browsing history. All of them rely on specific time measurements to infer whether a resource is in the cache or not. Unlike the state of the art, this paper reports on a novel cache-based attack that is not a timing attack but that abuses the HTTP cache-control and expires headers to extract the exact date and time when a resource was cached by the browser. The privacy implications are serious, as this information can not only be used to detect whether a website was visited by the user but can also help build a timeline of the user's visits. This goes beyond traditional history sniffing attacks, as we can observe patterns of visits and model the user's behavior on the web. To evaluate the impact of our attack, we tested it on all major browsers and found that all of them, except the ones based on WebKit, are vulnerable to it. Since our attack requires specific HTTP headers to be present, we also crawled the Tranco Top 100K websites and identified that 12,970 of them can be detected with our approach. Among them, 1,910 deliver resources that have expiry dates greater than 100 days, enabling long-term user tracking. Finally, we discuss possible defenses at both the browser and standard levels to prevent users from being tracked.
Document type : Conference papers

https://hal.inria.fr/hal-03017222
Contributor : Romain Rouvoy
Submitted on : Friday, November 20, 2020 - 5:43:29 PM
Last modification on : Friday, November 27, 2020 - 2:20:11 PM

Identifiers

  • HAL Id : hal-03017222, version 1

Citation

Vikas Mishra, Pierre Laperdrix, Walter Rudametkin, Romain Rouvoy. Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users. International Symposium on Privacy Enhancing Technologies (PoPETS), Jul 2021, Internet, France. ⟨hal-03017222⟩
