The finding comes from the University of Illinois at Chicago, where computer scientists have identified a range of browser functionality that is rarely used or needed by websites yet presents substantial security and privacy risks to web users, both business and private. The researchers state that blocking website access to such unnecessary browser functionality would significantly reduce these risks.
The vulnerabilities reflect the pace at which Internet and connected technology is evolving. Modern web browsers contain a vast range of features, with more capabilities added every week. Many of these additional functions are, however, rarely used, and it is these that pose a security risk.
In research led by Peter Snyder, the group undertook a systematic study of the costs and benefits of websites having access to 74 different types of browser functionality (the Web API). Snyder’s research group first measured how frequently each of these features was used across websites, and then assessed the likelihood that each poses a risk to security or privacy.
The assessment found that features offering low benefit to users but posing a high security risk need to be blocked in order to improve cybersecurity. Firefox was used as the test browser for the study.
Speaking to his university’s website, Snyder explains further: “For example, browsers allow websites to perform low-level graphics calculations. We found that this functionality is rarely used on honest websites, but that malicious sites can use it to harm users’ privacy and security.”
Allowing all websites to access this feature is “a bad cost-benefit trade-off,” Snyder adds. Other examples flagged as particularly high risk are a feature that lets websites detect light levels in a room; a function that performs fine-grained timing operations; and another that carries out advanced audio synthesis operations.
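The following is an added illustration, not code from the researchers' study, of how a browser-side policy can withhold exactly the kind of low-benefit features named above (WebGL contexts, the ambient light sensor, high-resolution timers and Web Audio) while leaving ordinary functionality such as 2D canvas intact. The window object, the feature names and the 100 ms timer granularity are constructed assumptions so the shim runs outside a browser.

```javascript
// Constructed stand-in for a browser window so the shim can run outside a browser.
function makeMockWindow() {
  let tick = 1234.5678;
  return {
    HTMLCanvasElement: { prototype: { getContext(type) { return { kind: type }; } } },
    AmbientLightSensor: function () { this.illuminance = 42; },
    AudioContext: function () { this.sampleRate = 44100; },
    performance: { now() { tick += 0.0371; return tick; } },
  };
}

// Block the low-benefit, high-risk features the article names, recording each
// blocked access attempt so the policy is observable as well as enforced.
function applyFeaturePolicy(win, blocked) {
  const attempts = [];
  const denied = (name) => function () { attempts.push(name); throw new Error(name + ' disabled by policy'); };
  if (blocked.includes('webgl')) {
    const origGetContext = win.HTMLCanvasElement.prototype.getContext;
    win.HTMLCanvasElement.prototype.getContext = function (type, ...rest) {
      // Return null, as a browser without WebGL would; 2d canvases are untouched.
      if (/^(webgl2?|experimental-webgl)$/.test(type)) { attempts.push('webgl'); return null; }
      return origGetContext.call(this, type, ...rest);
    };
  }
  if (blocked.includes('ambient-light')) win.AmbientLightSensor = denied('ambient-light');
  if (blocked.includes('web-audio')) win.AudioContext = denied('web-audio');
  if (blocked.includes('hires-timer')) {
    const origNow = win.performance.now.bind(win.performance);
    win.performance.now = () => Math.floor(origNow() / 100) * 100; // coarsen to 100 ms steps
  }
  return attempts;
}

// Exercise each feature the way a page script would and report what it got.
function probe(win) {
  const canvas = Object.create(win.HTMLCanvasElement.prototype);
  const tryNew = (Ctor) => { try { new Ctor(); return true; } catch (e) { return false; } };
  return {
    webglAvailable: canvas.getContext('webgl') !== null,
    canvas2dAvailable: canvas.getContext('2d') !== null,
    lightSensorAvailable: tryNew(win.AmbientLightSensor),
    audioAvailable: tryNew(win.AudioContext),
    timerSample: win.performance.now(),
  };
}
```

The attempts list doubles as a detection signal: a page that reaches for several blocked features at once is behaving unlike the honest sites the study measured.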
Snyder presented his findings at the Association for Computing Machinery (ACM) Conference on Computer and Communications Security, which took place in Dallas at the end of October 2017.