Information disclosure via the High Resolution Time API
- September 22, 2015
- Yossef Oren et al., Amit Klein
- Firefox, Firefox OS, SeaMonkey
- Fixed in
  - Firefox 41
  - Firefox OS 2.5
  - SeaMonkey 2.38
Security researchers Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, and
Angelos D. Keromytis of Columbia University's Network Security Lab reported a
method of using the High Resolution Time API for side channel attacks. This attack uses
cache over a period of time as a user engages in other browser activity. This attack takes
advantage of the performance.now() API's use of single nanosecond resolution.
Security researcher Amit Klein independently reported use of the
performance.now() API on Windows systems to extract the Windows counter
frequency as an avenue for side channel attacks.
Both of these flaws allow for the disclosure of private information, user
fingerprinting, and data leakage. They have been addressed by reducing the resolution of
the performance.now() API to 5 microseconds, removing the precision in
resolution available to attackers.
The Windows counter frequency issue does not affect Linux or OS X systems.
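The following is an added example, not part of the advisory or of Firefox's code, showing the mitigation described above: timestamps are rounded down to a 5-microsecond step, and a check estimates the tick size a script can actually observe from a clock. The function names and the simulated 300 ns clock are assumptions made for the illustration.

```javascript
// Round a millisecond timestamp down to a multiple of stepUs microseconds,
// the kind of coarsening the advisory describes (5 us by default).
function clampTimestamp(tMs, stepUs = 5) {
  const stepMs = stepUs / 1000;
  return Math.floor(tMs / stepMs) * stepMs;
}

// Constructed clock for the demo: advances by tickMs on every read.
function makeSimulatedClock(tickMs) {
  let t = 0;
  return () => (t += tickMs);
}

// Wrap any clock so that callers only ever see coarsened values.
function makeClampedClock(now, stepUs = 5) {
  return () => clampTimestamp(now(), stepUs);
}

// Estimate the observable tick size of a clock, in microseconds, as the
// smallest non-zero difference between consecutive readings.
// Returns null if the clock never advanced during sampling.
function estimateGranularityUs(now, samples = 20000) {
  let min = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    const t = now();
    const d = t - prev;
    if (d > 0 && d < min) min = d;
    prev = t;
  }
  return min === Infinity ? null : min * 1000;
}

// True when the clock exposes no step finer than stepUs (1% tolerance
// for floating-point rounding in the multiplication above).
function meetsMinimumStep(now, stepUs = 5, samples = 20000) {
  const g = estimateGranularityUs(now, samples);
  return g !== null && g >= stepUs * 0.99;
}

// Optional: report what the current runtime's own timer exposes.
if (typeof performance !== "undefined") {
  const g = estimateGranularityUs(() => performance.now());
  console.log("observed performance.now() step (us):", g);
}
```

Passing `() => performance.now()` to `meetsMinimumStep` in a browser console gives a quick check of whether that build exposes timestamps finer than the 5-microsecond step.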