Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users

Abstract Many browser cache attacks have been proposed in the literature to sniff user’s browsing history. All of them rely on specific time measurements infer if a resource is or not. Unlike state-of-the-art, this paper reports novel cache-based attack that not timing but abuses HTTP cache-control and expires headers extract exact date when was cached by browser. The privacy implications are serious as information can only be utilized detect website visited user it also help build timeline visits. This goes beyond traditional history sniffing we observe patterns visit model behavior web. To evaluate impact our attack, tested all major browsers found them, except ones based WebKit, vulnerable it. Since requires present, crawled T ranco Top 100K websites identified 12, 970 detected with approach. Among 1, 910 deliver resources expiry dates greater than 100 days, enabling long-term tracking. Finally, discuss possible defenses at both standard levels prevent users from being tracked.