Paul Stone

The attacker wants to know the appearance of another website.

Many websites allow themselves to be placed inside other websites using what is called an iframe (this is the default behavior, so it is very common for sites to be framed). For those websites that allow themselves to be framed, the Same Origin Policy ensures that any programmatic access from one page to the other is disallowed, while still allowing the website to be displayed. That said, the parent page still has some control over the site it is framing, specifically over the way it looks. For instance, if a website frames another website, the parent website can apply filters, change the colors of the inner site and apply transformations; however, it is not supposed to be able to learn the inner site's content.

An attacker, however, can measure how long it takes the browser to apply these filters. Some filters take longer to apply than others. For example, applying a shadow to a black square is little work for the browser because it is all black already, compared to applying a shadow to a black circle inside a white square, since in that case it needs to calculate where the shadow falls. What an attacker can then do is zoom in on a specific pixel of the site being attacked, apply some filters and measure how long they take to render. By comparing the time the filters take, an attacker can tell whether a pixel is completely black or not (since some filters run a lot faster on black pixels than on white pixels). The attacker can then reconstruct the third-party site pixel by pixel.
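The attack only works when the victim site lets an unrelated origin frame it, so the practical defender's check is whether a page's response headers permit that. The following Node.js snippet is an added example, not code from the story or from Paul Stone's research: it evaluates the two anti-framing mechanisms browsers honour, `X-Frame-Options` and the CSP `frame-ancestors` directive (which takes precedence when both are present), and returns the headers a site would send to refuse third-party framing. The header values, origins and function names are constructed for the example; port handling covers only the common scheme defaults.

```javascript
// Added example (not from the page): can an arbitrary parent origin frame this page?

// Parse a Content-Security-Policy value into directive -> source tokens.
// The first occurrence of a directive wins, as browsers ignore duplicates.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80" }[protocol] || "";
}

// Does one frame-ancestors source expression match parentOrigin?
// Supports 'none', 'self', '*', scheme-only sources and host sources
// with optional scheme, wildcard subdomain and port.
function sourceMatches(source, parentOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return parentOrigin.toLowerCase() === pageOrigin.toLowerCase();
  const parent = new URL(parentOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unsupported or malformed expression: treat as no match
  const [, scheme, host, port] = m;
  if (scheme && parent.protocol !== scheme + ":") return false;
  const parentPort = parent.port || defaultPort(parent.protocol);
  if (port && port !== "*" && port !== parentPort) return false;
  if (host.startsWith("*.")) return parent.hostname.endsWith(host.slice(1));
  return parent.hostname === host;
}

// headers: plain object of response header names to values (case-insensitive).
// Returns true when a document served from pageOrigin may be framed by parentOrigin.
function framingAllowed(headers, pageOrigin, parentOrigin) {
  const get = (name) => {
    const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
    return hit ? hit[1] : undefined;
  };
  const csp = get("content-security-policy");
  if (csp !== undefined) {
    const ancestors = parseCsp(csp).get("frame-ancestors");
    // frame-ancestors, when present, overrides X-Frame-Options in current browsers.
    if (ancestors !== undefined) {
      return ancestors.some((src) => sourceMatches(src, parentOrigin, pageOrigin));
    }
  }
  const xfo = get("x-frame-options");
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return false;
    if (v === "SAMEORIGIN") return parentOrigin.toLowerCase() === pageOrigin.toLowerCase();
    // ALLOW-FROM is obsolete and ignored by current browsers; fall through to the default.
  }
  return true; // no recognised restriction: any site may frame the page
}

// Headers a site should send when it never needs to be embedded by third parties.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Constructed sample: a page with no anti-framing headers is frameable by anyone.
console.log(framingAllowed({}, "https://bank.example", "https://attacker.example")); // true
console.log(framingAllowed(antiFramingHeaders(), "https://bank.example", "https://attacker.example")); // false
```

Run the checker against a real site's response headers (for instance from `curl -I`) to see whether an unrelated origin could embed it at all; if `framingAllowed` returns true for an arbitrary origin, pixel-level side channels of this kind have their precondition met, and the fix is to send the headers `antiFramingHeaders()` returns or a `frame-ancestors` list naming only the intended embedders.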
About

In Security Bugs Gallery you will find drawings of different stories inspired by software security vulnerabilities.