Zoonop

Major Browsers Address 2020 Web Standard Vulnerabilities to Prevent Covert User Tracking

Image for Major Browsers Address 2020 Web Standard Vulnerabilities to Prevent Covert User Tracking

Web browsers have significantly enhanced user privacy protections by addressing a class of vulnerabilities that could have allowed covert tracking without explicit user consent. The fixes, largely implemented in 2020, stemmed from the collaborative efforts of privacy researchers and web standards bodies. Brendan Eich, CEO and co-founder of Brave Software, highlighted this development in a recent social media post, acknowledging Peter Snyder's pivotal role in pushing for these changes.

The vulnerabilities, often referred to as "pool-party" attacks, exploited "limited-but-unpartitioned resource pools" within browsers, such as WebSockets, Server-Sent Events, and Web Workers. These subtle side channels allowed websites to communicate with each other in unintended ways, creating mechanisms for cross-site tracking. In some cases, particularly with Gecko-based browsers like Firefox and Tor Browser, these attacks could even link user behavior across private and standard browsing sessions.

Peter Snyder, a senior privacy researcher at Brave and co-chair of the W3C Privacy Interest Group (PING), was instrumental in identifying and advocating for the resolution of these issues. His research, including the "Pool-Party" paper, detailed how these covert channels could be used for web tracking. Snyder's work at Brave consistently emphasizes a privacy-first approach, as seen in his joint statements with Eich against privacy-invasive technologies like Google's FLoC.

The identified flaws prompted major browser vendors to implement critical updates. While Brave and Safari were noted for releasing early fixes for WebSocket and SSE vulnerabilities, Google and Mozilla also committed to addressing these issues through comprehensive browser-wide changes and updates to Web standards. This coordinated effort underscores a growing industry commitment to strengthening user privacy on the web platform.

The W3C, through its PING group, plays a crucial role in scrutinizing new web features for potential privacy and security risks, providing guidance for specification authors. The resolution of these "info leak" vulnerabilities, as described by Eich, represents a significant step forward in ensuring that web technologies prioritize user privacy by design. As Brendan Eich stated in his tweet, acknowledging the work:

"Again, no info leak without user granting permission, thanks to @pes10k who did a lot of awesome pushing to get this API to stop leaking back in 2019. See: [links] Main fix in w3c standards and Chrome came in 2020."

This collective action reinforces the principle that user data should not be accessible without explicit consent, marking a notable improvement in the security and privacy landscape of the modern web.