Slashdot Mirror


Your Browser History Is Showing

tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."

16 of 174 comments

  1. black image by Red+Flayer · · Score: 4, Funny

    I tried it.

    I got a black screen (apparently no history to be shown).

    Either the engine is borked, or my privacy add-ins are working properly...

    Or possibly the Oracle of Browser History has determined that my history is darker than the darkest dark, and refused to show images.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  2. Not mine by Monoman · · Score: 4, Informative

    No Script baby

    --
    Keep the Classic Slashdot.
    1. Re:Not mine by gazbo · · Score: 5, Informative

      No Script may help in this case, but not in general. There was a story here only a couple of weeks back talking about a pure CSS method for doing exactly this.

  3. This methodology is actually quite old by Anonymous Coward · · Score: 5, Insightful

    This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.

    This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.

    1. Re:This methodology is actually quite old by Vectronic · · Score: 4, Insightful
    2. Re:This methodology is actually quite old by Anonymous Coward · · Score: 4, Informative

      New about:config setting in FF 3.5:
      layout.css.visited_links_enabled

      If "visited" is a useful feature for you check out SafeHistory:

      Restricts the marking of visited links on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites

  4. Re:Microsoft actually did something right by sam0vi · · Score: 5, Informative

    I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All I got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!

    --
    When my Karma level reaches 0 I feel in piece with the Universe
  5. Re:...So.... by MyLongNickName · · Score: 4, Insightful

    So, the choice is

    1. Allow everyone in the world to sniff my browsing history.
    2. give up the ability to see my own browsing history.

    Somehow, this doesn't seem right...

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  6. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  7. Re:...So.... by Jurily · · Score: 5, Insightful

    1. Allow everyone in the world to sniff my browsing history.
    2. give up the ability to see my own browsing history.

    How about

    3. treat this as a serious security risk and act accordingly (report the bug and use the browser that comes out first with a patch)

  8. Known since at least 2006 by ugen · · Score: 4, Informative

    http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

    Of course there is no reason this is still not fixed (by being able to disable a:visited style).

  9. Re:...So.... by uglyduckling · · Score: 4, Informative

    Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does is it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already. Perhaps the best compromise would be to allow changes to link style only within the domain of the page that's attempting to set that style. But it's still a major backward step in usability. The other option might be to disable link styles for pages that have greater than a certain number of links (say 50).
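
The same-domain restriction and the 50-link cap proposed in the comment above, modelled as an added example (not part of the original thread and not any browser's code). The function names, the constant and all URLs are assumptions made up for illustration, and hostname equality stands in for a proper same-domain test.

```javascript
// Added example: models the two mitigations proposed in the comment above.
// Names, the constant and all URLs below are hypothetical / constructed.
const MAX_STYLED_LINKS = 50; // the "say 50" cap from the comment

// Hostname equality stands in for "the domain of the page"; a real browser
// would compare registrable domains instead.
function sameHost(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// Decide, per link, whether visited styling may be applied on this page.
// `history` is a Set of absolute URLs the user has visited.
function visitedStylingDecisions(pageUrl, linkHrefs, history) {
  const overCap = linkHrefs.length > MAX_STYLED_LINKS;
  return linkHrefs.map((href) => {
    let abs;
    try {
      abs = new URL(href, pageUrl).href; // resolve relative links
    } catch (e) {
      return { href, styled: false, reason: "unparseable" };
    }
    if (!history.has(abs)) return { href, styled: false, reason: "not-visited" };
    if (overCap) return { href, styled: false, reason: "link-count-cap" };
    if (!sameHost(pageUrl, abs)) return { href, styled: false, reason: "cross-domain" };
    return { href, styled: true, reason: "same-domain-visited" };
  });
}

// What the page can actually observe: only the styled/unstyled bit per link.
function observableByPage(pageUrl, linkHrefs, history) {
  return visitedStylingDecisions(pageUrl, linkHrefs, history).map((d) => d.styled);
}

// Constructed sample: a page listing two foreign sites plus one of its own pages.
const page = "http://collage.example/sniff.html";
const links = ["http://bank.example/login", "http://news.example/", "/about"];
const visited = new Set(["http://bank.example/login", "http://collage.example/about"]);

console.log(visitedStylingDecisions(page, links, visited));
// The bank.example link looks the same to the page whether or not it was visited:
console.log(observableByPage(page, links, visited));
console.log(observableByPage(page, links, new Set(["http://collage.example/about"])));
```

Under this policy the user still sees visited styling for the site's own pages, while a visited foreign link renders exactly like an unvisited one.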

  10. Re:...So.... by Minwee · · Score: 4, Funny

    And nobody will until someone constructs a detailed history of the porn sites that Steve Ballmer, Sergey Brin and Mitchell Baker have visited.

  11. workaround in firefox by denominateur · · Score: 5, Informative

    in firefox:

      set layout.css.visited_links_enabled to FALSE in about config

    This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.

  12. Re:...So.... by MyLongNickName · · Score: 4, Funny

    I heard they collaborated and made their own.

    Please mod: -1, Ewwwww.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  13. I see London, by smackenzie · · Score: 4, Funny

    I see France,
    I see you shopping online at Victoria's Secret for underpants...