
Sniffing Browser History Without Javascript

Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."

  • Old stuff (Score:5, Informative)

    by kasot ( 1274250 ) on Saturday June 13, 2009 @08:37PM (#28323679)
    The CSS history hack has been known since (at least) August 2006: http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html [blogspot.com]
  • by bcrowell ( 177657 ) on Saturday June 13, 2009 @08:40PM (#28323691) Homepage
    I'd care a lot more about this if NoScript was still a viable option. NoScript has become malware at this point. [wikipedia.org] The real issue is the need for someone more trustworthy to make a simpler, and more trustworthy replacement for NoScript. Please? Pretty please?
  • Re:Will it.. (Score:4, Informative)

    by orange47 ( 1519059 ) on Saturday June 13, 2009 @08:43PM (#28323707)
    It's easy to tell, with that nickname of yours.. :)
  • Doesn't work on me (Score:3, Informative)

    by MrMista_B ( 891430 ) on Saturday June 13, 2009 @09:02PM (#28323793)

    Doesn't work on me - Firefox, with adblock plus, element hiding helper, and flashblock, running whatever the latest Ubuntu is.

  • Re:For the Masses (Score:3, Informative)

    by digitalunity ( 19107 ) <digitalunity@yah o o . com> on Saturday June 13, 2009 @09:12PM (#28323845) Homepage

    Maybe just clear your cache more often. It's easy, fast and good practice. Ctrl-Shift-Del, press enter.

    Do this every time you close FF.

  • Re:Old stuff (Score:4, Informative)

    by Anonymous Coward on Saturday June 13, 2009 @09:20PM (#28323873)

    Long before that, honestly.

    There are Firefox extensions that can help protect against this (see http://www.safecache.com/ and http://www.safehistory.com/ ), but they break enough things on the web that even their creators admit they're not terribly practical.

    (Disclaimer: Two of the folks that worked on this also worked for awhile on Chromium with me.)

  • Re:Old stuff (Score:5, Informative)

    by zmooc ( 33175 ) <{ten.coomz} {ta} {coomz}> on Saturday June 13, 2009 @09:33PM (#28323947) Homepage

    Bug 57351 - css on a:visited can load an image and/or reveal if visitor been to a site
    Reported: 2000-10-19 16:57 PDT by Jesse Ruderman

  • by yacc143 ( 975862 ) on Saturday June 13, 2009 @09:33PM (#28323951) Homepage

    It does not require an iframe. It's just that this way it's easier to hide any visual clues.

    The basic hack works simply. It sets a different style for visited links. (As such it will only match exact URLs). And one of the cool things your style for visited links specifies is a background URL that works as a webbug.

    yacc
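
The mechanism yacc143 describes (a `:visited` style whose URL-valued property is fetched only for visited links) can be looked for when reviewing a stylesheet. The following is an added example, not code from the thread or from the demonstration site; the function name `findVisitedFetchRules`, the `perHref` field and the sample stylesheet are constructed for illustration.

```javascript
// Added example: flag CSS rules where a :visited match triggers a network fetch.
// SAMPLE_CSS is constructed for illustration; hosts and paths are placeholders.
const SAMPLE_CSS = `
/* constructed sample stylesheet */
a:visited { color: purple; }
a.nav:visited, a.nav:hover { background: url("/img/tick.png") no-repeat; }
#probe a[href="http://site-a.example/"]:visited { background-image: url(/hit?id=1); }
@media screen { a[href="http://site-b.example/"]:visited { list-style: url('/hit?id=2;x'); } }
a:link { background: url(/img/link.png); }
`;

function findVisitedFetchRules(cssText) {
  const findings = [];
  // Drop comments so a url( inside a comment is not reported.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  // Innermost "selector { declarations }" blocks; rules nested in @media match too.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let rule;
  while ((rule = ruleRe.exec(css)) !== null) {
    const visited = rule[1].split(",").map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    // Split declarations on ';' but not on a ';' inside parentheses (data: URIs).
    const decls = rule[2].match(/(?:[^;(]|\([^)]*\))+/g) || [];
    for (const decl of decls) {
      const colon = decl.indexOf(":");
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1);
      for (const u of value.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)) {
        findings.push({
          selectors: visited,
          property,
          url: u[2],
          // A per-href selector is what lets a page test one exact URL per rule.
          perHref: visited.some(s => /\[\s*href\s*[~|^$*]?=/i.test(s)),
        });
      }
    }
  }
  return findings;
}

const report = findVisitedFetchRules(SAMPLE_CSS);
```

Findings with `perHref` set to false, such as a single tick image shared by all visited links, are ordinary styling; many rules that each pair one exact `href` with its own URL are the pattern worth a closer look.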

  • by gavron ( 1300111 ) on Saturday June 13, 2009 @09:39PM (#28323967)
    You CAN mod and comment. When you make the comment, the mods you made go away. If you comment first, you cannot mod.

    So the mods could come in here and explain, but then their mods would be gone :)

    Heisenberg, we hardly knew ya.

    E

  • by mrmeval ( 662166 ) <jcmeval@NoSPAM.yahoo.com> on Saturday June 13, 2009 @10:07PM (#28324089) Journal

    He was trying to work around a problem with easylist and handled it badly but easylist is as much to blame for targeting him.

    He answers his emails if you care to ask but easylist has ignored me so far.

  • Re:For the Masses (Score:3, Informative)

    by sootman ( 158191 ) on Saturday June 13, 2009 @10:12PM (#28324099) Homepage Journal

    Small but important distinction: this exploit is for browser history, not cache. That shortcut (or shift-command-delete* on a Mac) will bring up the 'clear private data' dialog which covers browser history (the one this exploit is for), download history, saved form and search history, browser cache, and other items.

    * Unlike PCs, which have 'backspace' and '(forward) delete' buttons, Macs have two buttons labeled 'delete' or 'del'--the big one which is backspace, and the small one next to help, home, end, etc., which is forward delete. That's the one you need for this shortcut. I imagine laptop users and people who use those new small keyboards are SOL.

  • Re:Web Bug Blockers (Score:3, Informative)

    by Snowblindeye ( 1085701 ) on Saturday June 13, 2009 @10:59PM (#28324261)

    You should only load remote images on demand.

    [...]

    Yeah , I know must be new here..

    You're not new here, I can tell by the fact that you didn't read the article. Or the summary ;)

    This feature actually works like you want it to: It *does* load on demand. And that's the problem here. If it always loaded it, this exploit wouldn't work. It's based on only being loaded on demand.

  • Re:Old stuff (Score:5, Informative)

    by glodime ( 1015179 ) <eric@glodime.com> on Saturday June 13, 2009 @11:21PM (#28324335) Homepage

    Bug 57351

    Was marked as a duplicate of 147777
    See: https://bugzilla.mozilla.org/show_bug.cgi?id=147777 [mozilla.org]

    Vitaly Sharovatov and Walt Gordon Jones have an interesting back and forth on ideas for a proper fix. Search the page linked below for "Walt Gordon Jones" to follow the conversation.
    http://sharovatov.wordpress.com/2009/04/21/startpaniccom-and-visited-links-privacy-issue/ [wordpress.com]

    Walt Gordon Jones summarizes his point:

    The idea that the only way to protect your history data is to give up keeping history at all seems broken to me. Just because the information is in the browser, and I may use it in other ways, doesn't mean it has to be used to mark up the rendered HTML on sites I visit. There's nothing that inextricably ties history to the browser's rendering engine.

  • Re:Chrome (Score:5, Informative)

    by Z80xxc! ( 1111479 ) on Saturday June 13, 2009 @11:30PM (#28324363)

    would be a lot easier if I could run two separate instances of Firefox simultaneously.

    Send Firefox developers a polite nasty-gram, telling them that you want the ability to open a second, third, or even fourth instance of FF in separate memory space.

    This functionality already exists [mozillazine.org].

    "%programfiles%\Mozilla Firefox\firefox.exe" -P "profile to use" -no-remote

  • by VGPowerlord ( 621254 ) on Sunday June 14, 2009 @12:46AM (#28324703)

    If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to apologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

    From what I hear, he only "apologized" and fixed the problem for several reasons:
    1. Because the Firefox devs said that NoScript was breaking Firefox's Add-on Policy [mozilla.org] when it started monkeying around with AdBlock Plus.
    2. NoScript's rating was plummeting on the Firefox Add-on site. If this rating drops too much, NoScript would no longer be considered a trusted add-on, and therefore every version would be subject to security review before it exited the Sandbox [mozilla.org].

    Oh, yes, you read that correctly. NoScript is currently not reviewed before new versions go up on the Firefox add-on site.

    Incidentally, Mozilla made a new policy [mozilla.com] spelling out some restrictions for add-ons after this incident.

  • by Blakey Rat ( 99501 ) on Sunday June 14, 2009 @02:20AM (#28324953)

    So... you posted just to brag about the extreme efforts you go to to support your irrational paranoia?

    Thanks, I guess?

  • simple block (Score:3, Informative)

    by Anonymous Coward on Sunday June 14, 2009 @04:27AM (#28325303)

    putting the rule
    a:visited {
              background:none !important;
    }
    in userContent.css seems to stop this particular scan.

  • since years (Score:1, Informative)

    by Anonymous Coward on Sunday June 14, 2009 @04:39AM (#28325329)

    I have written bug reports which got no attention at all. For years I was laughed at in forums for describing this problem.

    There are some tools, which don't get updated anymore, safecache and safehistory. Here are papers from 2006:

    http://crypto.stanford.edu/sameorigin/ [stanford.edu]

    cb

  • by Anonymous Coward on Sunday June 14, 2009 @10:09AM (#28326349)

    This is for FF 3.0. YMMV with other versions and other browsers.

    Go to Preferences -> Advanced -> General. Under "Accessibility" check the option for "Warn me when web sites try to redirect or reload the page".

    The attack relies on trying a lot of links ... but with the above setting FF warns on each attempt, with a warning across the top of the page saying "Firefox prevented this page from automatically redirecting to another page". So the attack could proceed if you sat there clicking the "approve" button constantly. But after the second or third warning, well, I hope you'd become suspicious.

  • Re:Old stuff (Score:4, Informative)

    by pavon ( 30274 ) on Sunday June 14, 2009 @12:48PM (#28327221)

    No it wouldn't. Most legitimate sites don't do anything exotic with the visited property, they just change color or font properties. Even those that do use the background property or some other property that accepts urls will have a single url that applies to all or a large class of visited links. The only sites that would generate a lot of bandwidth are the tiny minority that intentionally have a different visited resource for each link on their site. They have an interest in keeping this bandwidth low themselves and will make those resources to be as small as possible. Hell, the CSS dictating all these resources might even be as large as the resources themselves. Honestly, this is a complete non-issue compared to the bandwidth problems caused by plain old bad site design.

  • by Anonymous Coward on Sunday June 14, 2009 @04:58PM (#28329173)

    layout.css.visited_links_enabled = false

  • by fcparfait ( 1485747 ) on Monday June 15, 2009 @02:00AM (#28332257)

    layout.css.visited_links_enabled = false

    Note: this works only in Firefox 3.5 (Beta/Preview).

    By the way, if you are using Firefox 3.5 with layout.css.visited_links_enabled = false and you still want some visual clue for visited links, try my Link Status extension [mozilla.org]! (How pushy....)

  • Re:Old stuff (Score:5, Informative)

    by zobier ( 585066 ) <zobier@NoSpAm.zobier.net> on Monday June 15, 2009 @03:23AM (#28332629)

    Alternatively, add
    a:visited { background-image: none ! important; }
    To your userContent.css
    I can confirm that this works.

  • by Anonymous Coward on Monday June 15, 2009 @09:58AM (#28334595)

    or change the about:config setting called "layout.css.visited_links_enabled"

  • by Anonymous Coward on Tuesday June 23, 2009 @06:52PM (#28446775)

    Does this work? It doesn't exist as a default entry, so I used a clean profile (no extensions, but few entries in the history for this test) and created a boolean key of that name and set it to false and the demo site still pulled my history, I also tried setting it to true just to be sure, same result.
