Browser-based Timing Attacks

This page provides a few proof-of-concept attacks against popular and widely used websites. If you are interested in knowing the technical details of these attacks, check out my blog post on browser-based timing attacks. To the privacy conscious: all attacks are performed in JavaScript, the values are merely displayed in your browser and not captured (or at least not by me).

Determine login status

This attack uses the Resource Timing API to determine whether a redirect was followed (in which case the fetchStart attribute will be at the start of the redirection instead of the initial request).


Determine victim gender using Facebook posts

This attack requires you to be logged in to Facebook!
Also, third-party cookies should be enabled (the unfortunate default in every browser).

In preparation for this attack, two Facebook posts were created. The first post is only visible to male Facebook users; the other is only visible to female Facebook users.

The response size of the returned resources depends on their visibility, which in turn depends on your gender. A visible post will have a larger response size (approx. 110 kB vs. 40 kB). By using a browser-based timing attack, this page (or any other one, for that matter) can discover your gender. Click the button below to give it a try!


Did the attack provide you with the wrong result? The script that powers this proof-of-concept is rather simplistic. Many improvements should be made before you put this script in a production environment. This particular attack measures the time it takes to write content to the disk, so any concurrent I/O operations may influence the attack.

Determine your political preference based on Twitter followers

This attack requires you to be logged in to Twitter!
Also, third-party cookies should be enabled (the unfortunate default in every browser).

This attack will try to determine your favorite US presidential candidate. For this, I make the naive assumption that if you follow more people who follow @realDonaldTrump, you are rooting for Donald Trump. Of course the same goes for Hillary Clinton. This is done by estimating the size of the {realDonaldTrump,HillaryClinton}/followers_you_follow endpoints using a browser-based timing attack. On Chrome and Opera, the video-parsing attack is used. On other browsers this particular attack may not work, so there the same cache storage attack as above is used.


Determine victim age using Facebook posts

Coming soon... In the meantime, take a look at the demo I gave at AppSec EU.

Other attacks

Check out our paper (section 4) for a number of other potential targets.