Slashdot Mirror

← Back to Stories (view on slashdot.org)

76% of Web Users Affected By Browser History Stealing

Posted by CmdrTaco on from the seems-like-it-should-be-more dept.

An anonymous reader writes "Web browser history detection with the CSS:visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."

8 of 130 comments (clear)

  1. Chrome 5 by binkzz · · Score: 4, Interesting

    Using Chrome 5 development version, the site says it can't find any history on my machine at all (not using incognito).

    Firefox, on the other hand, has a potty mouth.

    --
    'For we walk by faith, not by sight.' II Corinthians 5:7
  2. English as Second Language by rueger · · Score: 4, Insightful

    Hey Taco! "Vulnerable" and "Affected by" are not synonyms.

    --
    Three Squirrels
    1. Re:English as Second Language by Anonymous Coward · · Score: 5, Funny

      In other words, I'm vulnerable to a sexual attack by Scarlett Johansson. Unfortunately, I've never been affected by such an attack.

  3. vulnerable != affected by chebucto · · Score: 5, Informative

    TFA describes a honey-pot based study. It doesn't describe a real-world study of people whose browser histories were actually stolen by actual malicious websites.

    --
    The English word fart is one of the oldest words in the English vocabulary.
  4. 94%? by Thanshin · · Score: 4, Funny

    In today's news:

    Just a small sliver of web users are victims of Browser History Stealing. Most are running Windows 7, connecting through an IPhone and paying Facebook for the privilege.

  5. To be fixed in a future Firefox version by Anonymous Coward · · Score: 5, Informative

    According to http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ a future version of Firefox will address the :visited privacy issue.

    One could also set layout.css.visited_links_enabled=false via about:config to disable :visited completely (at least until the issue is fixed in a future Firefox release).

    1. Re:To be fixed in a future Firefox version by boxwood · · Score: 5, Informative

      the website doesn't get a list of websites.

      what happens is the server sets the visited link to show an image, while the unvisited link doesn't. The browser sees that an image is supposed to be displayed for the visited site, checks its history, sees that you have indeed visted that site and then downloads that image to display on the link. The server sees that you downloaded visited-slashdot.png... so it knows you have visited slashdot.

      Of course visited-slashdot.png doesn't even need to exist, it just needs to see the request for that file from your browser to know you've been there.

      Really CSS just shouldn't allow different images for visited and unvisited links... nobody uses this feature.

  6. Re:If you didn't want your browser history detecte by Nadaka · · Score: 4, Insightful

    People generally use the same or similar usernames and passwords for most of their online identities. If you you know someone in particular uses facebook.com, hotmail.com, kittenwar.com and randombank.com you can use facebook and kittenwar as attack vectors against their email and banks. Alone, history sniffing does not present a huge threat. But it can dramatically increase someones vulnerability to identity theft.