Slashdot Mirror


76% of Web Users Affected By Browser History Stealing

An anonymous reader writes "Web browser history detection with the CSS :visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."

12 of 130 comments

  1. English as Second Language by rueger · Score: 4, Insightful

    Hey Taco! "Vulnerable" and "Affected by" are not synonyms.

  2. Re:If you didn't want your browser history detecte by digitalsushi · Score: 3, Insightful

    Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue

  3. Re:If you didn't want your browser history detecte by Nadaka · Score: 4, Insightful

    People generally use the same or similar usernames and passwords for most of their online identities. If you know someone in particular uses facebook.com, hotmail.com, kittenwar.com and randombank.com you can use facebook and kittenwar as attack vectors against their email and banks. Alone, history sniffing does not present a huge threat. But it can dramatically increase someone's vulnerability to identity theft.

  4. Re:10 years = nothing done by GungaDan · Score: 3, Insightful

    Doesn't unchecking the "keep my history" button under "privacy" take care of this?

    --
    Eloi are stupid, throw morlocks at them!

  5. Re:With Chrome by Tim+C · Score: 2, Insightful

    There's a difference between my service provider potentially having the information, and some random website I happen to visit having it.

  6. Re:If you didn't want your browser history detecte by commodoresloat · Score: 2, Insightful

    Who the hell reads "joke of the day" emails?

  7. Can't...imagine...caring... by RapmasterT · Score: 3, Insightful

    I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

    That's like calling my garbage being stolen every week when the big truck comes and takes it away.

    Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!

  8. Re:10 years = nothing done by Qzukk · Score: 2, Insightful

    I think the most appropriate way is to prevent :visited from applying to any URL not within the current domain.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

  9. Re:To be fixed in a future Firefox version by CKW · Score: 2, Insightful

    It used to be an important/useful feature of the web/html -- until "website designers" decided that they didn't like the look and started making certain that all links looked the same, and other things that also made it stop working.

    I have a question - why the ****** does a website need to have/see/retrieve the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

    This was grossly unintentional right? Someone didn't choose to implement this specific behaviour, right?

  10. Re:If you didn't want your browser history detecte by boxwood · Score: 2, Insightful

    But when looking for a new car you get certain feelings about certain brands. When you're looking at a Chevy truck you'll get a feeling that it's really solid (Like a Rock!) that Ford looks like it's durable (Ford Tough!) and when you look at a Mazda you'll get the feeling that this car has really got some pep (zoom! zoom!).

    Those little jingles and slogans may not even pop into your head while test driving but they're there and have an influence over your purchasing decision. Sure you'll look at the price and all the other considerations, but if the Mazda is only a couple of hundred dollars more but it just felt more fun to drive, well you'll pay the extra to get the zoom zoom.

  11. Re:10 years = nothing done by Anonymous Coward · Score: 1, Insightful

    The problem with that is that it will break the page layout for any links which are external to your site. I think the best way to handle it would be to preload all :visited related images at page load. Needed or not. This will result in expected page layout, and it won't be possible to infer which links were already visited. Possibly a memory hog, but browsers can also detect when a page tried to load 10,000 :visited related images and flag as possibly malicious.

  12. Re:Chrome 5 by BZ · Score: 2, Insightful

    Firefox development versions don't have this issue. The last shipped release does. But were you comparing apples (cutting edge development builds) to oranges (releases that shipped a while back)?