Cache Bank Conflicts & CacheBleed: A Simple Guide

TL;DR

Recent discoveries (CacheBank and CacheBleed) show vulnerabilities in how web browsers handle caching. These can potentially allow attackers to steal information from your browser, but the risk is relatively low for most users if you keep your browser updated. Here’s what you need to know and do.

What are Cache Bank Conflicts?

CacheBank conflicts happen when a website stores data in your browser’s cache, and that data gets mixed up with data from other websites. This can lead to sensitive information (like login details or personal preferences) being incorrectly shared between sites.

What is CacheBleed?

CacheBleed is a more serious vulnerability where attackers can potentially read data stored in the browser cache that they shouldn’t be able to access. It exploits how browsers handle HTTP caching headers and redirects.

How do these vulnerabilities work?

1. HTTP Caching: Browsers store copies of website resources (images, scripts, etc.) locally to speed up loading times.
2. Cache Keys: Each resource is stored with a unique ‘key’ that identifies it. This key usually includes the URL and other HTTP headers.
3. Conflicts & Bleeds: CacheBank happens when keys collide (two different URLs create the same key). CacheBleed exploits weaknesses in how redirects are handled, allowing attackers to craft requests that reveal cached data from other sites.

What’s the risk?

• Information Leakage: Attackers could potentially steal cookies, login tokens, or other sensitive information stored in your browser cache.
• Cross-Site Scripting (XSS): In some cases, these vulnerabilities can be combined with XSS attacks to compromise your account.
• Privacy Concerns: Your browsing activity could be tracked more easily.

The risk is higher if you frequently visit websites that have security flaws or use shared hosting environments.

How can I protect myself?

1. Keep your browser updated: This is the most important step. Browser developers are constantly releasing patches to fix vulnerabilities like CacheBank and CacheBleed. Make sure you’re running the latest version of Chrome, Firefox, Safari, Edge or any other browser you use.

   To update Chrome:

   Settings > About Chrome > Chrome will automatically check for updates

   To update Firefox:

   Menu > Help > About Firefox > Firefox will automatically check for updates

2. Use a strong password manager: A good password manager can help protect your accounts even if your browser cache is compromised.
3. Enable ‘Site Isolation’ (if available): Some browsers offer features like Site Isolation, which helps prevent cross-site data sharing. Chrome has this enabled by default.

   Check in chrome://flags/#enable-site-isolation

4. Clear your browser cache regularly: While not a complete solution, clearing your cache can remove potentially compromised data.

In Chrome:

Settings > Privacy and security > Clear browsing data > Select 'Cached images and files' > Click 'Clear data'

5. Use privacy-focused browser extensions: Extensions like Privacy Badger or uBlock Origin can help block trackers and malicious scripts.
6. Be cautious about visiting untrusted websites: Avoid clicking on suspicious links or downloading files from unknown sources.

What are website owners doing?

Website developers are implementing changes to their servers and code to prevent CacheBank conflicts and mitigate the risk of CacheBleed attacks. This includes:

• Using unique cache keys: Ensuring that each resource has a distinct key, even if URLs appear similar.
• Properly handling HTTP redirects: Avoiding redirect chains and using secure redirection methods.
• Setting appropriate caching headers: Configuring caching headers to prevent sensitive data from being cached unnecessarily.