Slashdot Mirror


76% of Web Users Affected By Browser History Stealing

An anonymous reader writes "Web browser history detection with the CSS:visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."

  1. Chrome 5 by binkzz · · Score: 4, Interesting

    Using Chrome 5 development version, the site says it can't find any history on my machine at all (not using incognito).

    Firefox, on the other hand, has a potty mouth.

    --
    'For we walk by faith, not by sight.' II Corinthians 5:7
    1. Re:Chrome 5 by BZ · · Score: 2, Insightful

      Firefox development versions don't have this issue. The last shipped release does. But were you comparing apples (cutting edge development builds) to oranges (releases that shipped a while back)?

    2. Re:Chrome 5 by xOneca · · Score: 2, Informative
      Actually, the CSS code for detecting :visited links is

      a#l15920:visited {background:url(/l?i=15920)}

      with accompanying HTML:

      <a href="http://chickipedia.com" id="l15920">.</a>

      That is, it loads a specific URL when a particular web page has been visited. So the detection is made by the browser, but the data is collected by the server as a purposeful side effect.

  2. English as Second Language by rueger · · Score: 4, Insightful

    Hey Taco! "Vulnerable" and "Affected by" are not synonyms.

    1. Re:English as Second Language by Anonymous Coward · · Score: 5, Funny

      In other words, I'm vulnerable to a sexual attack by Scarlett Johansson. Unfortunately, I've never been affected by such an attack.

    2. Re:English as Second Language by olsmeister · · Score: 3, Funny

      You're also vulnerable to a sexual attack by Mr T. However I hope you are never affected by that attack either.

  3. vulnerable != affected by chebucto · · Score: 5, Informative

    TFA describes a honey-pot based study. It doesn't describe a real-world study of people whose browser histories were actually stolen by actual malicious websites.

    --
    The English word fart is one of the oldest words in the English vocabulary.
  4. 94%? by Thanshin · · Score: 4, Funny

    In today's news:

    Just a small sliver of web users are victims of Browser History Stealing. Most are running Windows 7, connecting through an IPhone and paying Facebook for the privilege.

  5. Re:If you didn't want your browser history detecte by digitalsushi · · Score: 3, Insightful

    Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  6. To be fixed in a future Firefox version by Anonymous Coward · · Score: 5, Informative

    According to http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ a future version of Firefox will address the :visited privacy issue.

    One could also set layout.css.visited_links_enabled=false via about:config to disable :visited completely (at least until the issue is fixed in a future Firefox release).

    1. Re:To be fixed in a future Firefox version by CKW · · Score: 2, Insightful

      It used to be an important/useful feature of the web/html -- until "website designers" decided that they didn't like the look and started making certain that all links looked the same, and other things that also made it stop working.

      I have a question - why the ****** does a website need to have/see/retrieve the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

      This was grossly unintentional right? Someone didn't choose to implement this specific behaviour, right?

    2. Re:To be fixed in a future Firefox version by boxwood · · Score: 5, Informative

      the website doesn't get a list of websites.

      what happens is the server sets the visited link to show an image, while the unvisited link doesn't. The browser sees that an image is supposed to be displayed for the visited site, checks its history, sees that you have indeed visited that site and then downloads that image to display on the link. The server sees that you downloaded visited-slashdot.png... so it knows you have visited slashdot.

      Of course visited-slashdot.png doesn't even need to exist, it just needs to see the request for that file from your browser to know you've been there.

      Really CSS just shouldn't allow different images for visited and unvisited links... nobody uses this feature.

  7. Re:If you didn't want your browser history detecte by Nadaka · · Score: 4, Insightful

    People generally use the same or similar usernames and passwords for most of their online identities. If you know someone in particular uses facebook.com, hotmail.com, kittenwar.com and randombank.com you can use facebook and kittenwar as attack vectors against their email and banks. Alone, history sniffing does not present a huge threat. But it can dramatically increase someone's vulnerability to identity theft.

  8. Re:If you didn't want your browser history detecte by Anonymous Coward · · Score: 3, Informative

    No need for cookies, you just use javascript and CSS.

    I actually implemented a history sniffer for an online advertising company a few years ago; we were using it as an additional selling point for potential advertisers, as in "We can tell you what percentage of your visitors have visited your rivals' landing pages".

    Worth remembering you can only test against a list of exact urls that you're interested in, you can't just go browsing through a visitor's history. In other words, if I wanted to know how many pages you'd read on Slashdot, I'd need to test against every single possible URL.

    Realistically that's pretty useless - I'd try to sell Ars Technica a solution that told them how many of their visitors have been to http://slashdot.org/. The obvious issue here is that neither I nor Ars Technica would need to get permission for this from either Slashdot or you; at the very least my product would need to give you an option to opt out.

  9. 10 years = nothing done by TheMeuge · · Score: 2, Interesting

    I am not a programmer... but it seems absolutely amazing to me that since this vulnerability has become known (10 years?) nothing has been done to address it. The only two ways to avoid having your history accessed this way, is either to prevent your browser from marking sites as "visited" altogether, or to regularly delete your browsing history.

    How is it that Firefox, an open-source browser, still hasn't had this issue fixed in all these years?..

    1. Re:10 years = nothing done by GungaDan · · Score: 3, Insightful

      Doesn't unchecking the "keep my history" button under "privacy" take care of this?

      --
      Eloi are stupid, throw morlocks at them!
    2. Re:10 years = nothing done by TheCycoONE · · Score: 2, Informative

      http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx is an article on the subject.

      Essentially the vulnerability is a feature of the spec. Even without JavaScript or cookies, the CSS specification allows a web developer to specify that a particular icon/cursor/background-image should be shown for visited links. The exposure is that the client only downloads resources when they are needed to preserve bandwidth, and the server knows what has been requested from it, so I could put in then put somewhere in my css #google:visited { background: url("userwenttogoogle.png"); }

      The problem is the only way to protect against the vulnerability is to remove features which are part of the spec (potentially breaking legitimate and standard compliant web pages), to download all resources (wasting lots of bandwidth), or putting the user in control (probably more annoying than useful as most users won't understand the dialog)

    3. Re:10 years = nothing done by psbrogna · · Score: 3, Informative

      I don't think you're correct in your list of options for protecting against the vulnerability. As a general principle, client side code from an untrusted source (i.e. the web) should only have access to client side content which originated from the same source. In the case we're talking about, the content has been modified by the client based on private client state (i.e. visited links), at this stage, the content should no longer be accessible to the code. If the rendering pipeline were more compartmentalized (i.e. think XSLT translation steps), then code in one department wouldn't have access to content that has been modified based on private client state.

      In this manner, the client environment could modify the content at will (i.e. changing style for links to web sites you've been to, blocking ads, stripping flash, turning off client side code functionality entirely, etc.) without fear of what's being harvested or inferred. I don't know what a client's browser does to a dom to make it consumable by the deaf or blind, but if that's something that can be detected by untrusted code then I believe it's another example of violating a user's privacy.

    4. Re:10 years = nothing done by tuomasb · · Score: 3, Informative

      Here is a demonstration of the hack using only CSS: http://ha.ckers.org/weird/CSS-history.cgi You can also use: background: url("logger.php?site=pornsite.com"); No need for the background to be a real image. This even works if you're using Noscript with Firefox.
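
Added example, not part of any comment in this thread: a small Node.js audit that flags the pattern xOneca, TheCycoONE and tuomasb describe above (a `:visited` rule whose declarations contain `url()`) and resolves which link each rule probes. The function names `findVisitedBeacons` and `probedTargets` and the sample hosts are made up for illustration, and the regex parsing handles flat rules only.

```javascript
// Added example: static audit for the ":visited + url()" beacon pattern.
// Regex parsing is deliberately simple: flat rules only, no @media nesting.
const RULE_RE = /([^{}]+)\{([^{}]*)\}/g;
const URL_RE = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

// One finding per selector that contains :visited and whose declarations
// reference url(), i.e. a fetch that only happens if the link is in history.
function findVisitedBeacons(css) {
  const findings = [];
  const clean = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
  for (const [, selectorList, body] of clean.matchAll(RULE_RE)) {
    const urls = [...body.matchAll(URL_RE)].map((m) => m[2].trim());
    if (urls.length === 0) continue;
    for (const selector of selectorList.split(",").map((s) => s.trim())) {
      if (/:visited\b/i.test(selector)) findings.push({ selector, urls });
    }
  }
  return findings;
}

// Resolve which link each finding probes by matching the #id in the selector
// to <a id="..." href="..."> in the page markup.
function probedTargets(html, findings) {
  const hrefById = new Map();
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const id = /\bid\s*=\s*["']([^"']+)["']/i.exec(tag);
    const href = /\bhref\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (id && href) hrefById.set(id[1], href[1]);
  }
  return findings.map((f) => {
    const id = /#([\w-]+)/.exec(f.selector);
    const probes = id ? (hrefById.get(id[1]) ?? null) : null;
    return { ...f, probes };
  });
}

// Constructed sample input (hosts are placeholders, not from the thread).
const SAMPLE_CSS = `
  a:visited { color: purple }                      /* benign styling */
  a.logo { background: url(logo.png) }             /* unconditional fetch */
  a#l15920:visited {background:url(/l?i=15920)}
  #google:visited, #other:link { background: url("userwenttogoogle.png"); }
`;
const SAMPLE_HTML = `
  <a href="http://site-a.example/" id="l15920">.</a>
  <a id="google" href="http://site-b.example/">.</a>
`;

console.log(probedTargets(SAMPLE_HTML, findVisitedBeacons(SAMPLE_CSS)));
```

Plain `a:visited { color: ... }` styling and unconditional `url()` loads are not reported; only rules where the fetch depends on history state are.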

    5. Re:10 years = nothing done by Qzukk · · Score: 2, Insightful

      I think the most appropriate way is to prevent :visited from applying to any URL not within the current domain.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:10 years = nothing done by daveime · · Score: 2

      Or after you open 4 tabs in Firefox.

  10. Re:With Chrome by John+Hasler · · Score: 3, Funny

    > Look, just give it up already. Everything you do is being tracked, by
    > somebody, anybody that's interested.. You can't hide anything from your
    > service provider...

    I rather doubt that my ISP or anyone else knows my private GPG key.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  11. Re:With Chrome by Tim+C · · Score: 2, Insightful

    There's a difference between my service provider potentially having the information, and some random website I happen to visit having it.

  12. Re:If you didn't want your browser history detecte by commodoresloat · · Score: 2, Insightful

    who the hell reads "joke of the day" emails?

  13. Re:If you didn't want your browser history detecte by daremonai · · Score: 3, Funny
    Yeah, if I see those ads one more time I think I'll die!

    Hey, wait a second ....

  14. Can't...imagine...caring... by RapmasterT · · Score: 3, Insightful

    I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

    that's like calling my garbage being stolen every week when the big truck comes and takes it away.

    Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!

  15. Re:If you didn't want your browser history detecte by boxwood · · Score: 2, Insightful

    But when looking for a new car you get certain feelings about certain brands. When you're looking at a chevy truck you'll get a feeling that it's really solid (Like a Rock!) that Ford looks like it's durable (Ford Tough!) and when you look at a mazda you'll get the feeling that this car has really got some pep (zoom! zoom!).

    Those little jingles and slogans may not even pop into your head while test driving but they're there and have an influence over your purchasing decision. Sure you'll look at the price and all the other considerations, but if the Mazda is only a couple of hundred dollars more but it just felt more fun to drive, well you'll pay the extra to get the zoom zoom.