Slashdot Mirror

← Back to Stories (view on slashdot.org)

Your Browser History Is Showing

Posted by samzenpus on from the wasted-days-and-wasted-art dept.

tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."

5 of 174 comments (clear)

  1. This methodology is actually quite old by Anonymous Coward · · Score: 5, Insightful

    This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.

    This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.

  2. Re:Microsoft actually did something right by sam0vi · · Score: 5, Informative

    I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All i got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!

    --
    When my Karma level reaches 0 I feel in piece with the Universe
  3. Re:...So.... by Jurily · · Score: 5, Insightful

    1. Allow everyone in the world to sniff my browsing history.
    2. give up the ability to see my own browsing history.

    How about

    3. treat this as a serious security risk and act accordingly (report the bug and use the browser that comes out first with a patch)

  4. Re:Not mine by gazbo · · Score: 5, Informative

    No Script may help in this case, but not in general. There was a story here only a couple of weeks back talking about a pure CSS method for doing exactly this.

  5. workaround in firefox by denominateur · · Score: 5, Informative

    in firefox:

      set layout.css.visited_links_enabled to FALSE in about config

    This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.