Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users

Authors: Vikas Mishra (Inria, Univ. Lille), Pierre Laperdrix (Univ. Lille, CNRS, Inria), Walter Rudametkin (Univ. Lille, Inria), Romain Rouvoy (Univ. Lille, Inria, IUF)

Volume: 2021
Issue: 2
Pages: 391–406
DOI: https://doi.org/10.2478/popets-2021-0033


Download PDF

Abstract: Many browser cache attacks have been proposed in the literature to sniff the user’s browsing history. All of them rely on specific time measurements to infer if a resource is in the cache or not. Unlike the stateof-the-art, this paper reports on a novel cache-based attack that is not a timing attack but that abuses the HTTP cache-control and expires headers to extract the exact date and time when a resource was cached by the browser. The privacy implications are serious as this information can not only be utilized to detect if a website was visited by the user but it can also help build a timeline of the user’s visits. This goes beyond traditional history sniffing attacks as we can observe patterns of visit and model user’s behavior on the web. To evaluate the impact of our attack, we tested it on all major browsers and found that all of them, except the ones based on WebKit, are vulnerable to it. Since our attack requires specific HTTP headers to be present, we also crawled the Tranco Top 100K websites and identified 12, 970 of them can be detected with our approach. Among them, 1, 910 deliver resources that have expiry dates greater than 100 days, enabling long-term user tracking. Finally, we discuss possible defenses at both the browser and standard levels to prevent users from being tracked.

Keywords: web tracking, web privacy, browser cache

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.