Practical Keystroke Timing Attacks in Sandboxed JavaScript

Moritz Lipp*, Daniel Gruss, Michael Schwarz, David Bidner, Clémentine Maurice, Stefan Mangard

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review


Keystrokes trigger interrupts which can be detected through software side channels to reconstruct keystroke timings. Keystroke timing attacks use these side channels to infer typed words, passphrases, or create user fingerprints. While keystroke timing attacks are considered harmful, they typically require native code execution to exploit the side channels and, thus, may not be practical in many scenarios. In this paper, we present the first generic keystroke timing attack in sandboxed JavaScript, targeting arbitrary other tabs, processes and programs. This violates same-origin policy, HTTPS security model, and process isolation. Our attack is based on the interrupt-timing side channel which has previously only been exploited using native code. In contrast to previous attacks, we do not require the victim to run a malicious binary or interact with the malicious website. Instead, our attack runs in a background tab, possibly in a minimized browser window, displaying a malicious online advertisement. We show that we can observe the exact inter-keystroke timings for a user’s PIN or password, infer URLs entered by the user, and distinguish different users time-sharing a computer. Our attack works on personal computers, laptops and smartphones, with different operating systems and browsers. As a solution against all known JavaScript timing attacks, we propose a fine-grained permission model.

Original languageEnglish
Title of host publicationComputer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings
PublisherSpringer-Verlag Italia
Number of pages19
Volume10493 LNCS
ISBN (Print)9783319663982
Publication statusPublished - 2017
Event22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway
Duration: 11 Sept 201715 Sept 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10493 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference22nd European Symposium on Research in Computer Security, ESORICS 2017


  • Fingerprint
  • Interrupt
  • JavaScript
  • Keystroke
  • Side channel

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Practical Keystroke Timing Attacks in Sandboxed JavaScript'. Together they form a unique fingerprint.

Cite this