Wednesday, March 11, 2015

Malware that leaves Web Fonts behind?

I thought the SANS podcast from 2/24/2015 by Johannes Ullrich was interesting. In the podcast he mentioned Google Webfonts being used by Google to track user activity, which I believe then led to this great Diary on 11 Ways To Track Your Moves When Using a Web Browser.

So traditionally, when you think of evil corporations and the NSA trying to watch you, track you, etc., you probably think of things like cookies, your user-agent, and your IP address, right? So you probably try to prevent them from tracking you with things like incognito or private mode, or by using a proxy or the Tor browser, right?

Would you have also considered that Web Fonts can be used in the same way? They are essentially being used by Google as tracking cookies. Google generates a new unique font name for each user, so if that web font is already in your browser cache, they know they have seen you before and that you're the same user. A little concerning from a privacy perspective!

And there is nothing stopping malware and other malicious content on the websites you're visiting from doing the same thing. It's known that many pieces of malware will drop a cookie and use it to make sure the malicious content only runs once for that user. It's pretty simple to swap out the cookie and instead have the malware drop a Google web font into the cache and use it as the indicator. So intrusion detection and other security-related software might need to look in the other crevices of your browser (cookies, Web Fonts, Flash cookies, HTML5 Local Storage, etc.).
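One way a defender could look for the per-user font marker described above from the network side, as an added example that is not part of the original post: it flags a site whose visitors each fetch a different font URL from the same font host. The log format, host names and `min_clients` threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# File extensions treated as web fonts (assumed list, extend as needed).
FONT_EXT = re.compile(r"\.(woff2?|ttf|otf|eot)$", re.I)

# Constructed sample proxy log, one request per line:
# "<client_ip> <referring_site> <requested_url>"
SAMPLE_LOG = """\
10.0.0.5 news.example https://fonts.example/s/opensans/v1/regular.woff2
10.0.0.6 news.example https://fonts.example/s/opensans/v1/regular.woff2
10.0.0.7 news.example https://fonts.example/s/opensans/v1/regular.woff2
10.0.0.5 shop.example https://cdn.example/f/a91c3e7b.woff
10.0.0.6 shop.example https://cdn.example/f/5d20fe11.woff
10.0.0.7 shop.example https://cdn.example/f/c77b04aa.woff
10.0.0.5 shop.example https://cdn.example/app.js
"""

def per_client_fonts(log_text, min_clients=3):
    """Return {(site, font_host): client_count} for site/font-host pairs
    where every client fetched its own distinct font URL."""
    # (site, font_host) -> font URL -> set of clients that requested it
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, site, url = parts
        target = urlsplit(url)
        if FONT_EXT.search(target.path):
            seen[(site, target.hostname)][url].add(client)

    flagged = {}
    for key, urls in seen.items():
        clients = set().union(*urls.values())
        # A shared font is fetched by many clients under one URL. A marker
        # font shows one URL per client and no URL shared between clients.
        one_each = all(len(c) == 1 for c in urls.values())
        if len(clients) >= min_clients and one_each and len(urls) == len(clients):
            flagged[key] = len(clients)
    return flagged

if __name__ == "__main__":
    for (site, host), n in per_client_fonts(SAMPLE_LOG).items():
        print(f"{site}: {n} clients each got a unique font from {host}")
```

A hit is only a lead to review, since font subsetting or cache-busting query strings can also produce distinct URLs.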

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
