Slashdot Mirror


History Sniffing In the Wild

An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."

6 of 96 comments

  1. Re:Plug the leak in Firefox by The MAZZTer · · Score: 4, Interesting

    You shouldn't even need to go that far, Mozilla plugged most of the leak. I'm not sure if this made it into 3.6 though... might want to wait for 4.0?

  2. A simple fix by VernonNemitz · · Score: 3, Interesting

    In Firefox, even older versions (and perhaps some of the other browsers out there), you can change your "visited links" color (via Edit, Preferences, Appearance, Colors) to something other than purple. Then this script won't work. More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.

  3. Re:Javascript... by 0123456 · · Score: 3, Interesting

    And HTML differs from Javascript how? Or how about an image?

    Neither HTML nor JPEG files are Turing-complete programming languages. Sure, your HTML or JPEG parser might have bugs that allow remote exploits, but that's a huge difference from a language like Javascript which can trivially perform these kinds of operations _by design_.

  4. Use multiple browsers by mbone · · Score: 3, Interesting

    My recommendation is to use multiple browsers.

    Say you use Firefox for your web searches.

    Then run Facebook on Safari (say).

    Anything Google on Opera.

    Any porn on Chrome.

    Etc.

    There are a bunch of browsers out there - use them to silo off the nosey actors like Facebook, Google and Youporn.

  5. Re:Javascript... by 0123456 · · Score: 3, Interesting

    No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

    Duh, we're not talking about remote exploits running arbitrary machine code on your system. We're talking about Javascript being a privacy-stealing monster _BY DESIGN_.

  6. Re:YouPorn script by camperslo · · Score: 3, Interesting

    What about Firefox hidden history data?

    Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
    How secure is that??

    Note that entering "about:config" in the address bar allows editing the config settings.