Slashdot Mirror
76% of Web Users Affected By Browser History Stealing
An anonymous reader writes "Web browser history detection with the CSS:visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."
You shouldn't have been browsing the internet. But I am curious... how is this information used maliciously, excluding advertising?
Using Chrome 5 development version, the site says it can't find any history on my machine at all (not using incognito).
Firefox, on the other hand, has a potty mouth.
'For we walk by faith, not by sight.' II Corinthians 5:7
Hey Taco! "Vulnerable" and "Affected by" are not synonyms.
Three Squirrels
TFA describes a honey-pot based study. It doesn't describe a real-world study of people whose browser histories were actually stolen by actual malicious websites.
The English word fart is one of the oldest words in the English vocabulary.
76% are vulnerable, it hasn't been demonstrated that someone is using this technique for nefarious purposes (or at least, effectively using it, maybe some nerd somewhere sniffed some peoples browser history).
Then there is the part where finding out someone used Facebook, Yahoo and Google doesn't tell you much. I suppose, knowing they Google'd for prostitutes would be of some use, but good luck constructing that exact url.
Nerd rage is the funniest rage.
In today's news:
Just a small sliver of web users are victims of Browser History Stealing. Most are running Windows 7, connecting through an IPhone and paying Facebook for the privilege.
Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
They give your PC a cookie and then they can see by your history how old you are, your favorite porn sites, if you're gay, etc.
Then they sell that info to advertisers and their ilk.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Does this mean that potentially hundreds of sites know that I visit slashdot regularly?!?!?
Well, there goes my bad boy persona.
SJW: Someone who has run out of real oppression, and has to fake it.
how is this information used maliciously, excluding advertising?
Many people consider advertising to be a malicious use.
Personally, I don't mind my information being used for advertising. Living in 2010, it's an unavoidable fact of life that we are going to encounter advertising everywhere. I would much rather it be for products and services that I actually have an interest in rather than stuff I don't care about.
Living With a Nerd
According to http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ a future version of Firefox will address the :visited privacy issue.
One could also set layout.css.visited_links_enabled=false via about:config to disable :visited completely (at least until the issue is fixed in a future Firefox release).
Today is a day, First chrome not hiding you correctly and now all your visited pages are being displayed via ccs:hover. The problem is as we get more "user-friendly" we take short cuts and become lazy, my personal approach to this is to have my most visit websites in my Fav's list and set Firefox Chrome and IE to different roles. For example I use firefox for work (logmein), IE is there for the bad websites that still dont load correctly in other browsers and Chrome for general browsing (threaded tabs for the win!!) All are set to delete all history when they are closed, this does get annoying to have to log in to everything all the time however I know all my passwords off by heart, never have to write them down because I am always using them and can get to all my websites via favs. Leaving your history and cookies is just lazy and my understanding is that if you delete this data you dont have these problems. Also sidenote, could i publish an add via google with CSS hover to harvest this information? not sure what i would do with it but I am sure you could get a lot of information this way.
"A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites."
Vulnerable != affected
People generally use the same or similar usernames and passwords for most of their online identities. If you you know someone in particular uses facebook.com, hotmail.com, kittenwar.com and randombank.com you can use facebook and kittenwar as attack vectors against their email and banks. Alone, history sniffing does not present a huge threat. But it can dramatically increase someones vulnerability to identity theft.
...fixes have landed in Firefox and Chrome trunks for this problem. Chrome's should be in the beta branch, or at least the dev branch, not sure about Firefox's. The Bugzilla link confirms Firefox has the fix (not sure which Firefox release Gecko 1.9.3 corresponds to... latest 3.6 mayve?
Can't test right now since the test site isn't on my company's firewall whitelist...
Does the CSS visited trick work in the Links browser?
< re-fitting tin-foil hat >
slashdotted link.
No need for cookies, you just use javascript and CSS.
I actually implemented a history sniffer for an online advertising company a few years ago; we were using it as an additional selling point for potential advertisers, as in "We can tell you what percentage of your visitors have visited your rivals' landing pages".
Worth remembering you can only test against a list of exact urls that you're interested in, you can't just go browsing through a visitor's history. In other words, if I wanted to know how many pages you'd read on Slashdot, I'd need to test against every single possible URL.
Realistically that's pretty useless - I'd try to sell Ars Technica a solution that told them how many of their visitors have been to http://slashdot.org/. The obvious issue here is that neither I nor Ars Technica would need to get permission for this from either Slashdot or you; at the very least my product would need to give you an option to opt out.
You silly sod.
Advertising puts the idea of the product they are trying to sell, into your head. It may be that you 'want' the thing once it is there but before the advertiser got to work on you, there is every likelihood that you would have been perfectly happy without the product.
You really have no idea how advertising works do you. They must love you.
This is a feature...requested by the advertisers...
Look, just give it up already. Everything you do is being tracked, by somebody, anybody that's interested.. You can't hide anything from your service provider, so it doesn't matter what your browser coughs up
“He’s not deformed, he’s just drunk!”
You silly sod.
Advertising puts the idea of the product they are trying to sell, into your head. It may be that you 'want' the thing once it is there but before the advertiser got to work on you, there is every likelihood that you would have been perfectly happy without the product.
You really have no idea how advertising works do you. They must love you.
My point is I would rather see advertising about a new motherboard or a speaker set rather than tampons or life insurance.
Living With a Nerd
I am not a programmer... but it seems absolutely amazing to me that since this vulnerability has become known (10 years?) nothing has been done to address it. The only two ways to avoid having your history accessed this way, is either to prevent your browser from marking sites as "visited" altogether, or to regularly delete your browsing history.
How is it that Firefox, an open-source browser, still hasn't had this issue fixed in all these years?..
this was on LWN a long time ago: http://lwn.net/Articles/350390/
I second the above opinion. your will is your own, but please, stop Microsoft from showing me ad's for funeral homes in Georgia. I really, really don't care.
Yuh. I go to look for a particular designer's eyeglass frames, and I don't get ads for that designer's frames, nor do I get ads for eyeglasses or even sunglasses.
I get ads that send me to link farms, malware hatcheries, FAKE shopping sites, etc. Seems the evil advertisers pay more to get to the top of the list.
Pus.
deleting the extra space after periods so i can stay relevant, yeah.
who the hell reads "joke of the day" emails?
Hey, wait a second ....
I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".
that's like calling my garbage being stolen every week when the big truck comes and takes it away.
Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!
What is the test site URL?
wake up and hold your nose
Browsers should just drop support for that attribute. As a matter of fact, why have any attributes that rely on generic browsing info. If a website wants to track which links I've visited, then show them to me via redirect and keep a list of which redirect links show up. How important is having a browser visually indicate which links I've visited? visited is just about as important as supporting the blink tag....Wait, blink isn't supported anymore.
Well, and who wants any other site to know what porn sites they visit?
Use a different browser for each website.
anyone wonder if that site is checking our browser history while we read the article? Slashdot.org will be the most popular site according to statistics by the end of the day.
You must not have relatives that are bad at the computers.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Advertising is just a Jedi mind trick; it's only effective in the way you suggest if you are rather weak-minded.
Personally, I find that advertising is only effective once I am already in the market for something (i.e., my car just threw a transmission, and now I am shopping for another one). It is very rare indeed that I see an ad for something and start thinking, "Wow...I could really use one of those." YMMV, of course, but if you often find yourself desperately "needing" something once you saw an ad for it -- even though you were perfectly happy without it until you saw the ad -- then I have a couple of droids that you aren't looking for.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
how about when your health insurance is dropped because you visited a cancer web site.
Have the history clear it's self ever 2 min, it's what I do on my Box, sure it's annoying to have to log in constantly but on the other hand it's secure.
But when looking for a new car you get certain feelings about certain brands. When you're looking at a chevy truck you'll get a feeling that its really solid (Like a Rock!) that Ford looks like its durable (Ford Tough!) and when you look at a mazda you'll get the feeling that this car has really got some pep (zoom! zoom!).
Those little jingles and slogans may not even pop into your head while test driving but they're there and have an influence over your purchasing decision. Sure you'll look at the price and all the other considerations, but if the Mazda is only a couple of hundred dollars more but it just felt more fun to drive, well you'll pay the extra to get the zoom zoom.
1) Spear-phishing. When I threw my browser (Chrome) at it, it spit back a list of specific pages at online vendors. From there, you can make some pretty good guesses about things I've bought lately: in this case, a Dell laptop. I wouldn't click on a recall notice from Dell (register for a replacement kit!), but a lot of people would go down that rabbit hole.
2) Same-password attack. Site A requires login, scrapes list of your recently used sites, then tries the same user/password at B, C, D from your history.
Visited is very useful for mailing list archives. If you try to follow a thread you can keep clicking next and previous and so on, and you can tell by the colour of the link whether you've read it before.
Finally! A year of moderation! Ready for 2019?
who the hell reads "joke of the day" emails?
More people than read Slashdot.
Check out my world simulator thingy.
All the above only means that you should do research before making a major purchase. If you go to a car dealership, totally uninformed about what you want and just base everything on your gut instincts, you deserve what you get.
Read the reviews, read Consumer Reports, do a bunch of test drives. For God's sake, if you're going to drop five or six figures on something, make sure it's really what you want and need!
Check out my world simulator thingy.
No need for cookies, you just use javascript and CSS.
No need for JavaScript either. You can do it with CSS alone.
There is absolutely no proof that advertisement actually work.
Companies don't advertise because it works, they advertise because it might work. They don't take the chance.
There are however some parts of advertisement that do work. People need to know that a product or brand exist to actually buy it.
Finally, an explanation as to why my browser history is always empty. It's being stolen by someone! I wonder if I can have it returned.
I use a different set of passwords depending on importance. I treat my online "social website" identities like public information, don't put what I wouldn't want found up. If more people simply did that, it'd be a lot easier.
Michael J. Ryan - tracker1.info
According to their link it isn't even that good. It showed that I came here and twitter meaning it missed out about 20+ other sites. Considering I didn't do much at all at twitter and I don't who knows I come here, I'm not too worried.
It only detected 2 out of 20+ sites I visited since last clearing out my cache (slight porn guilt makes me do it every so often) both of which have passwords I use only for those sites. I don't really care if someone gets my slashdot account details or twitter details. It's certainly not the end of the world.
Maybe you do. I don't.
It might be the fact that I see maybe a hundredth as many ads as the typical person, but my impressions of products are shaped more by cultural osmosis than by marketing slogans (American automakers don't make quality vehicles; Japanese automakers know quality, but never got the hang of pickup trucks).
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
"Affected" gets downgraded to "vulnerable" in the article. Percent of web users "affected?" Let's guess .001%.
The problem with advertisers data-mining and presenting ads targeted to what you've done is this. This is a real-world example.
Someone was going to buy a used refrigerator. They asked me to see what the current market value was for the used one, as well as the retail value. If the difference was small enough, they were going to just buy a new one. I spent maybe 15 minutes looking for information. For several days after that, I got targeted ads for refrigerators and large appliances. I'm not interested in seeing ads for large appliances. I was doing research for someone else. That research was done.
This happens when researching news stories as well. I go out looking for information on a huge variety of topics. It's weird some of the ads that will come crawling out of the woodwork. If I search for information on the military (vehicles, public unit information, etc), I'll suddenly get ads for military recruitment. If they cross referenced that with other searches, they may realize that I'm not looking to join. I'm categorically excluded from military service due to having eye surgery when I was younger. I've looked for further information on my surgery, just to see what the current state of the procedure is. I've mentioned it places online including here.
Sometimes their association to keywords is just plain wrong. When looking at both commercial airline crashes, and cruise ship accidents, I've been presented with ads to go on trips by each for weeks.
I look at a lot of stuff online. Someone was very insistent about the chemical composition of "Oxy-clean", so I went looking for info. If a news story comes up about an explosion, and I'm not familiar with the type of explosive, I'll go hunting for more information. I may go hunting for information about the President of Lithuania. If something happens in DC, I'll go looking for more information.
Just with the information provided in this message, with keyword association, I'm proof that the NSA doesn't monitor all postings online. Otherwise I'd already be on a rendition flight off to places unnamed. Airline crash, explosion, explosive, refrigerator, president, DC.
It may not seem like a lot, but how many pounds of explosives can you pack into a used refrigerator and have it transported in the back of a pickup truck through DC?
(Note to all three letter agencies: No, I have no intention of doing anything illegal, immoral, or unhealthy. This was just an example.)
Excuse me, I have to run. A black van just pulled up out front, and someone is knocking at the door.
Serious? Seriousness is well above my pay grade.
So where was the problem?
This page picked up two references to youtube in my history:
http://www.youtube.com/ /. drew to my attention a long time ago)
http://www.youtube.com/watch?v=sHzdsFiBbFc (it's the spider on drugs that
If this is a brute-force dictionary attack, then this guy really has too much time on his hands.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
I use firefox, with a lot of privacy enhancing extensions, and I generally do not feel that the advertisers have a lot of information about me. But for a brief while, I used google chrome browser. For about 2-3 weeks after that, I was stumped by advertisers' (especially google) intricate knowledge of my person. I say this principally on the basis of gmail advertisements.
Though the good news is that if you start using a privacy enhanced browser, advertisers soon (seem to) forget all about you.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Opera.lnk
%windir%\system32\cmd.exe /d /c start /min cmd /d /c copy /y %ProgramFiles%\Opera\profile\cookies0.dat %ProgramFiles%\Opera\profile\cookies4.dat & del %ProgramFiles%\Opera\profile\vlink4.dat & start %ProgramFiles%\Opera\Opera.exe
(the whole thing is one line)
(it's for Opera 9.27 but you get the idea)
(cookies0 only contain those few cookies that i found useful)
This site uses this technique to make assumptions about you based on your history... http://banners.brinkin.com/how_smart
Seeing advertising about tampons and line insurance however, will save you the money, that you are likely to spend in case of a new motherboard or a speaker ad.
*life
Their insecurities arent your fault, but sneaking around is really not the way if you really want to grow the relationship.
look sig is kool
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
It's been fixed in Firefox nightlies for over two months already. As far as I know, Firefox is the first browser with such a fix, but other browsers will soon adopt the same technique.