Slashdot Mirror
Your Browser History Is Showing
tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."
Comment removed based on user account deletion
That I would not want to look at the browser history of the guy that is in the attached featured article picture.
So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.
Taxation is legalized theft, no more, no less.
It all depends on if your inprivate browser history changes the color of links when they are displayed (or in general obey the css style sheets for visited links). Perhaps someone with IE8 can test it out for us [I lack access to a windows machine]?
I tried it.
I got a black screen (apparently no history to be shown).
Either the engine is borked, or my privacy add-ins are working properly...
Or possible the Oracle of Browser History has determined that my history is darker than the darkest dark, and refused to show images.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
No Script baby
Keep the Classic Slashdot.
Being able to query whether or not I visit common sites is a far cry from my browser history being shown, but still this needs to be fixed.
How long until a politician gets busted for visiting a child pornography website?
And all it showed was pictures of raptors and deadbolts.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.
This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.
I went to the sniffing page linked from the summary and it stayed on 0% for 5 minutes so I guess it does not work for me.
NoScript (I presume) saves the day again!
Microsoft actually did something right
You mean like the mode Safari had 4 years ago?
The whole world can see my pr0n and um...blogs....and it totally dosen't crash all mai machinez!
Can we please just have something that doesn't give up our privacy every three seconds? If you like having a browser history or enjoy the benefits of javascript, you're screwed. The only answer is to disable one or both of those.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All i got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!
When my Karma level reaches 0 I feel in piece with the Universe
Comment removed based on user account deletion
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://web2.0collage.com/app/;((%22k%22%20.%20%22(1970%201%2079269687)%22))
The following error was encountered:
* Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* The cache administrator does not allow this cache to make direct connections to origin servers, and
* All configured parent caches are currently unreachable.
Your cache administrator is webmaster.
Generated Thu, 02 Jul 2009 14:23:14 GMT by nullsleep.csclub.uwaterloo.ca (squid/2.7.STABLE3)
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
Of course there is no reason this is still not fixed (by being able to disable a:visited style).
Thanks for pointing out! I now realize you can do the whole thing, including server communication, in CSS. Just combine the "visited" tag with a unique background image on the same server. The background image URL can then be the server-side script that handles the privacy violation.
Quote from the final page of the script:
You can get your web2.0collage as a mug,wommens ...
I can have it as WHAT ? Okay, then can i have my wommens without the /. favicon all over them ?
1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
who the hell is that guy in the picture?
Maybe it's an old story but I found this site that uses the same technique:
http://www.schillmania.com/random/humour/web20awareness/
He just typed, "15/f/CA".
It's like a collage of my favorite porn sites.
THL phish sticks
Am I the only person who simply doesn't keep a browser history? I set my Firefox not to and it works fine.
I am using Firefox 3.0.11 on Ubuntu 9.04 with a T7500 CPU (Core 2 Duo 2.2 GHz).
That site pegged one core of my CPU.
Really? That would be damn obvious, not to mention most people would see the slow down and close the browser.
in firefox:
set layout.css.visited_links_enabled to FALSE in about config
This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.
I tested it in Chrome's Incognito Window and the site was unable to detect my browser history. When I tested Chrome in regular mode, it found all kinds of good stuff.
Signature applied for, Patent Pending
Although I get the impression its randomly failing what with the slashdot load and being written in an interperted language. I put up a picture here.
I see France,
I see you shopping online at Victoria's Secret for underpants...
The results are rather disappointing.
A t-shirt!?!?!?
Why does this jackass misspell 'women'?
Why the fuck is this even possible?!?!?
http://www.cs.princeton.edu/sip/pub/webtiming.pdf
With its "inprivate" browsing mode in IE8. Since it doesn't track your history, I'm assuming that it your "inprivate" history can't be "sniffed".
The same as the Safari "private browsing" mode, I assume.
http://www.geoffreylandis.com
The requested URL could not be retrieved
While trying to retrieve the URL: http://web2.0collage.com/app/;...
The following error was encountered:
Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
Being on slashdot!
imagemagick bindings that leak memory
a hard limit of 4gb in a 64bit version of mzscheme for reason's I don't know
Your cache administrator is webmaster.
Generated Thu, 02 Jul 2009 15:32:25 GMT by nullsleep.csclub.uwaterloo.ca (squid/2.7.STABLE3)
Taking guns away from the 99% gives the 1% 100% of the power.
use the niche browsers for your private surfing and IE/Firefox for important things
ERROR The requested URL could not be retrieved
While trying to retrieve the URL: http://web2.0collage.com/app/;(a12v)
The following error was encountered:
* Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* Being on slashdot!
* imagemagick bindings that leak memory
* a hard limit of 4gb in a 64bit version of mzscheme for reason's I don't know
Your cache administrator is webmaster.
Generated Thu, 02 Jul 2009 15:32:25 GMT by nullsleep.csclub.uwaterloo.ca (squid/2.7.STABLE3)
Javascript runs locally on my own computer; so I'm sniffing myself?
On a stock Firefox 3.0.11 on a fresh install and no extensions, I visited about 20 popular sites (facebook.com, digg.com, xnxx.com and the like), then tried the history site. Just a big black png. Either the script is /.ed or I don't know the right sites to visit.
Thank for reading to the sig. You may stop reading now. It is safe. There is no more content. Why are you still reading?
Same for me only I don't have history disabled. NoScript just didn't allow the scanning.
The following error was encountered:
* Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
*
Being on slashdot!
* imagemagick bindings that leak memory
* a hard limit of 4gb in a 64bit version of mzscheme for reason's I don't know
Except that it isn't so private. http://uneasysilence.com/archive/2008/03/13061/
This space for rent.
I'm stunned this is still exploitable. This bug is YEARS old.
Yawn... been waiting for the collage for about ten minutes so far but the progress bar seems stuck at 0%.
I wonder if it has something to do with the unchecked "Enable JavaScript" checkbox I have displayed at the bottom of my Opera 10 window.
Go permanent? In your dreams and my worst nightmares.
Hate to tell you, this /.'d sites methods are... Extremely overkill.. You can do the same thing without any Javascript at all.. So your little 'No Script' bubble has just been popped. http://www.making-the-web.com/misc/sites-you-visit/nojs/
Has it been forgotten that a few weeks ago a more advanced form of this 'sniffing' was shown NOT using javascript? http://it.slashdot.org/story/09/06/13/2125211/Sniffing-Browser-History-Without-Javascript So, y'all that thing 'Oh, No Script protects me' think again.. This exploit has been around for years and I'm pretty sure it's been used for quite some time as well. Maybe I'm just apathetic about people knowing what sites I visit but... Meh, let them know, what harm could it do? (Yea, I know, I don't visit child porn so what do I have to hide?) :)
sits at 0% forever. ff+noscript+linux
They must have fixed it. It doesn't show any sites on my machine.
And that article is 17 months old. That issue has long since been fixed.
mod this up. that's scary that it can be done without javascript, and practically in every browser.
my collage only has slashdot and ars technica symblos...and I vist a LOT of other sites
Yes, but Microsoft can't protect you from Linus Torvalds. He takes one look at your desktop and knows which porn sites you visited. In the last ten years.
I have been on the internet since 1995, and let me state, I couldn't care less if people see what I am browsing.
The Tin Foil hat Anon-program running people have always amused me. If some person really wants to see what websites I visit, I truely don't care.
I remember back in 1998 or so when everyone freaked out about Cookies, and I had many friends that made it so their browser would reject any website that tried to set one.
IMO people freaking out about privacy is just a way for people to feel important.
Mine showed just four slashdot favicons in a square... :)
Should I start to go on other web2.0 websites?
http://web2.0collage.com/app/;((%22k%22%20.%20%22(1014%205%2031402284)%22))
eliphas
http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx
Granted, some of you are concerned about people finding out the sites you visit, but what about a real world problem (or two)?
Some time back, there was an attack that threw a phony dialog pop-up saying that your timeout had been expired at your bank site. Combine that with being able to see *what* bank's site (and whether or not you have been at it recently). This could even be injected through a compromised ad-server system or the like. Maybe you don't even have to visit my site. There's some moving parts in there, but things like this, combined with click-happy-and-fill-in-personal-data user syndrome could make for some pretty sophisticated attacks.
From a private organization's perspective (many of whom have private systems, blocked off from the outer world) ... this can also be used to help map their internal network from the outside (just by one of their users visiting a site). Think about that after you visit your interal cisco web interface and then merrily tab into some other site.
I am particular about who I allow to set cookies, but not so much about my history (except that I do wipe it .. and other 'private data' when FF closes). don't know that I'll change that behavior yet, but will probably modify the config on visited site styles as some have suggested here.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
This one is less than two months old. http://www.switchingtomac.com/tutorials/how-to-make-safaris-private-browsing-feature-actually-private/
This space for rent.
I call shenanigans. All it gave me was a list of popular-looking sites many people could have visited, and at least 2 I've not heard of and do not appear in my browser history either.
So I downloaded Opera, a browser I have never used on this machine and has an empty browser history (last OS install about 8 months ago, last used Opera in the early 2000s) and got a similar (but slightly different) list of popular sites.
This is called a hoax, people. How hard is it for an oracle to go "ommmmmm I'm channeling the spirits who tell me you've visited wikipedia, google and imdb recently".
No shit sherlock, let me predict you've gone for a shit AND a piss in the last week. I bet you've also eaten something. Why is this a story?
Unless you want to browse by IP address there's no way to avoid DNS lookups when you're browsing, no matter what the browser does or doesn't store. There's also no way for the browser to disable that caching -- it's an OS-level function (in all OSes, not just OS X), not a browser feature.
It's silly anyway, because if someone is trying to track your DNS lookups it would likely be easier to simply listen for them on the network, or to guess against your network DNS cache, rather than to interface with your local cache. Unless your machine is already compromised, in which case they can see where you're browsing and what DNS queries you make no matter what OS or browser you're using, or what privacy settings you've got enabled.
Same, pretty happy about seeing a black square myself :)
I want to browse "safely"; protection against most XSS and sh1t like scripts reading my browser history, etc. However, I want the sites that I visit to "work" at the same time. Ya, NoScript is great, but with sites globally disallowed, the Internets are useless.
Can anyone offer some suggestions to reasonably lock down FF where a balance is struck between security and usability??
TIA, --ponga
What do you bet the script checks to see if firefox is browsing it and just throws up a black box in that case?
Only his tendency toward a dazed stupor prevented him from screaming aloud.
It did a lot of blinkin' and stuff then I got that :
An internal server error occurred. Please try again later.
Running safari 4 on a mac, normal browsing (not safe mode)
I wonder, still, if it would show the data locally or does the server really have access to it ?
There *was* a FireFox extension called SafeHistory which somehow supposedly allowed only the site itself to see which links you had visited. There was a companion extension called SafeCache which did similar things with respect to your cache to block information extraction that way.
Neither of them was ever updated for FireFox 3, so far as I know.
I tried visiting the site. After I had closed the first 100 security warning windows, I closed the tab. As far as I know, most browsers do give warnings whenever you are about to submit a form over an unencrypted connection. And as far as I know, most users disable those warnings. Any user who have those warnings turned on would notice this attack. I have seen some css variant a while back, that didn't produce the same kind of warnings. So to me it looks like this new attack is inferior to what was previously demonstrated. (Somebody suggested that the CPU usage would give away the attack. But if you have multiple tabs opens in is actually very difficult to find out which of them are responsible for the CPU and memory usage of the browser).
Do you care about the security of your wireless mouse?
Here, try this one which works without using Javascript at all.
I've been doing this with firefox for years. Just go to the privacy section of your options/preferences, and disable history, disable cookies, and tell it to clear your history every time you leave. Really I just have it set for no password/form/history saved, and only accept first party cookies until I close firefox, except for the white list I have so I don't have to keep on signing in to my usual sites.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Microsoft actually did something right
You mean like the mode Safari had 4 years ago?
Exactly. The 'something right' was copying features from better browsers.
Most human behaviour can be explained in terms of identity.
Tried the link with Firefox 3.5, and got a nice collage of icons of sites I visited.
However, switching to Private Browsing seems to block access to the browser history - I got the black square.
Cheers
Ubuntu + Firefox + NoScript, and both the other sniffer site AND the site you've mentioned come up with a big fat *nada*.
Ten minutes later & the first site tells me there's nothing found; scan completed on the second site & it reports squat.
I wonder what I'm doing that thwarts them both?
(This is NOT an attempt at flaming, this is an honest question to a serious issue.)
i concur, i tested too.