Pool-Party: Exploiting Browser Resource Pools as Side-Channels for Web Tracking
Peter Snyder, Soroush Karami, Arthur Edelstein, Benjamin Livshits, Hamed Haddadi

TL;DR
This paper uncovers and demonstrates the practicality of 'pool-party' browser side-channel attacks that exploit resource pools to enable cross-site tracking and user identification across popular browsers, including privacy-sensitive ones like Tor.
Contribution
It introduces pool-party covert channel attacks exploiting resource pools, demonstrates their effectiveness across browsers, and discusses potential mitigation strategies.
Findings
Pool-party attacks are prevalent in all popular browsers.
Attacks can pass cookies and identifiers across site boundaries.
Practical attack times: 0.6s in Chrome/Edge, 7s in Firefox/Tor.
Abstract
We identify a class of covert channels in browsers that are not mitigated by current defenses, which we call "pool-party" attacks. Pool-party attacks allow sites to create covert channels by manipulating limited-but-unpartitioned resource pools. This class of attacks has been known, but in this work we show that they are both more prevalent, more practical for exploitation, and allow exploitation in more ways, than previously identified. These covert channels have sufficient bandwidth to pass cookies and identifiers across site boundaries under practical and real-world conditions. We identify pool-party attacks in all popular browsers, and show they are practical cross-site tracking techniques (i.e., attacks take 0.6s in Chrome and Edge, and 7s in Firefox and Tor Browser). In this paper we make the following contributions: first, we describe pool-party covert channel attacks that…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques · Security and Verification in Computing
