

Who am I: A mind reader (don't forget to view source) - alloyed
http://tinsnail.neocities.org/

======
mbrubeck
Here's the same exploit disguised as a game, to make it less obvious that it's
tricking the user into interacting with it:
[http://lcamtuf.coredump.cx/yahh/](http://lcamtuf.coredump.cx/yahh/)

Documentation of the game proof-of-concept:
[http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html](http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html)

~~~
Fuxy
Cool. That is a neat trick/exploit; never heard of it before.

Thx. for the links.

------
shurcooL
Reminds me of that hunter2 password thing.
[http://www.bash.org/?244321](http://www.bash.org/?244321)

Basically, the website doesn't know which of the squares are red, that depends
on your browser state. By clicking the red squares, you're feeding it data.

The interesting observation I made out of this is that navigating there in an
incognito window prevents any links from being considered as visited. That's
good to know.

------
keerthiko
I could probably post a similar gizmo on HN with a results static page that
says

Your interests are: (some subset of) Programming Science Technology Games
<random other thing: Sports, TV, childcare, etc>

With literally no scripting, and everyone would find it "reasonably accurate"
:D

~~~
espadrine
> _Your interests are: (some subset of) Programming Science Technology Games
> <random other thing: Sports, TV, childcare, etc>_

Me being me, I clicked on random grey squares. I got exactly that.

There is a selection bias from the choice of URLs it provides.

~~~
ralfd
Haha, tried it out and you are right.

I am a bit disappointed by the results anyway. Something like gender guess,
sexual orientation, age range and political leaning would have been more
impressive than the programming/movies graph.

------
joev_
Heh. I clicked a few before I realized what was going on (looking at the
status bar shows the link, which somewhat gives it away). You could prevent
this by adding mouseover/out and onclick logic that removed the :href on hover
and just colored itself red.

~~~
asadlionpk
But I guess then it won't be red on hover.

~~~
martin-adams
But in that case, you can add CSS to make it red on hover.

------
lewisflude
This was really accurate to me. It seems they're using a:visited on several
domains to create the "red square" effect.

~~~
cynwoody
Yes.

And the only reason you have to click the red squares is to let it know which
ones are red. If you try to look up the color of a square using
getComputedStyle, it always comes back gray. That was the resolution of
privacy Bug 147777† (":visited support allows queries into global history").

†[https://bugzilla.mozilla.org/show_bug.cgi?id=147777](https://bugzilla.mozilla.org/show_bug.cgi?id=147777)

~~~
pbhjpbhj
What about if you make a screen capture from the page and use coordinates to
read back the colours and correlate with the URLs? Seems a possibility based
on [http://stackoverflow.com/questions/9250505/how-to-upload-a-screenshot-using-html2canvas](http://stackoverflow.com/questions/9250505/how-to-upload-a-screenshot-using-html2canvas).

~~~
aendruk
html2canvas constructs its "screenshots" using information from the DOM, so
that wouldn't gain you anything but unnecessary complexity.

~~~
pbhjpbhj
Ah, OK, and other methods appear to produce blank images so presumably this
route is purposefully locked down too. A Java app or add-on would do it but
they'd be a bit obvious for most users I'd think.

------
lrichardson
Question:

I know that the `:visited` exploit is handled by the browsers so that you
can't figure out by javascript what is going on...

but what if you used just CSS to figure it out? For instance, what if you
generated the CSS which had a unique image it requested via the
`background-image` property, stored the data on the server, then just
requested the data from the server after the fact?

Do the browsers prohibit the usage of url-based css properties on CSS
selectors with `:visited` or something? Does anyone have a link/reference to
how the exploits were patched up?

~~~
RussianCow
Yes, they prohibit anything that might be used for this purpose.[0] So the CSS
allowed for :visited selectors is limited to a small subset.

[0]: [https://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/](https://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/)

~~~
lrichardson
Great. Thanks for the link.

------
biot
Here's a related Mozilla bug report from 2002 regarding the link visited
issue:
[https://bugzilla.mozilla.org/show_bug.cgi?id=147777](https://bugzilla.mozilla.org/show_bug.cgi?id=147777)

------
Conlectus
Original creator here. I'm super surprised to see this posted here.

I can answer any questions people have.

~~~
analog31
For those of us who don't know Javascript, I'll just ask in broad terms: What
is it, how's it work, what's it do?

~~~
amjd
It's a neat little hack to predict your interests among various categories.

The hundreds of grey boxes that you see are actually links to sites belonging
to different categories like programming, science etc. and the red ones are
those that you have visited (based on your browser history). The basic idea
here is of using the CSS selector a:visited to highlight visited links in red,
and by clicking the red boxes the users themselves reveal the sites they have
visited. The website then uses this information to draw a pretty pie chart
showing which categories the user is interested in.

~~~
xmonkee
Apart from making it seem like a game, is there any reason why the user has to
click the squares? Is there a way for the browser to report back which
elements are currently red?

~~~
_delirium
That used to be possible by reading the styling in JS, but that was considered
a privacy bug, since any website could slurp information from your browser
history. Therefore there was an overhaul of what kind of styling could be done
based on history, and what could be read back about it in JS:
[https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/](https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/)

------
tomasien
This just solved a huge problem I've been struggling with. This is beautiful -
I don't actually want to know the information I've been trying to access, but
it will make the experience better for the user. I now realize I don't HAVE to
know - the browser knows, and that's all that matters. I just have to teach
the browser what to do.

------
krat0sprakhar
If nothing else, I did get a good list of Programming and Engineering websites
:D - [http://pastebin.com/zrQ7EBnP](http://pastebin.com/zrQ7EBnP)

~~~
schme
This is OT, trivial and a bit silly: How did you indent the JSON file? I tried
with Sublime but couldn't find anything to solve it. Didn't start an IDE for
this.

~~~
bombtrack
There's several JSON formatter packages that can be installed via Package
Control: cmd + shift + P, select "install package", then search for "json".
I'm not sure which one I have installed, but doing cmd + shift + P in a proper
context and typing "json" should give you an option for "Indent JSON" or
similar.

Otherwise, there's always sites like
[http://pro.jsonlint.com/](http://pro.jsonlint.com/)

------
danbruc
Obvious question - how was the list of URLs compiled? Some are really specific
like YouTube channels. On the other hand there are only 15 categories and
there are probably a lot of people that would not get a single match or only
something very generic like Wikipedia.

~~~
yzzxy
The coolest way would be cold, hard natural selection from Alexa top sites,
possibly with weighting placed to relevant sites at the introduction of the
dataset. Perhaps I will fork.

~~~
iopq
Your interests are: Google, Facebook, Youtube, Yahoo

~~~
pessimizer
Yeah - it might be even better to subtract the most common sites, so the
results are more peculiar to you.

------
collinjackson
Here's a paper about this technique: [http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010.pdf](http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010.pdf)

------
3rd3
Couldn't one simply make a display:none on normal links and display:block on
:visited, then stack them all on top of each other with position:absolute and
catch mouse events from each element via JS?

~~~
heycam
Browsers have a very limited set of properties that they allow in :visited
rules, and display isn't one of them.

------
krrishd
If you open the console and run this script, it'll click every single square,
giving a list of the most common types of sites in the array being used:

    // `$$` is the DevTools console alias for document.querySelectorAll;
    // this only runs as-is in the browser console, not in a page script.
    for (i = 0; i < $$('a').length; i++) {
      $$('a')[i].click()
    }

~~~
PurplePanda
I had to change it to start at i=1 to avoid clicking on the link to GitHub and
leaving the page.

~~~
krrishd
Ah, that makes sense, I wrote and ran the script before he open sourced it.

------
SahAssar
I remember reading about the old CSS history hack (an automated variation of
the same theme), which worked until FF4 and IE9.

It's quite interesting to see how such a seemingly simple feature (a:visited)
can completely override user privacy if not accounted for.

------
mataug
This is quite clever. By the way now I've got a nice list of blogs/websites
that I should probably read for various topics.

~~~
amjd
That's what I was thinking too. Here's a prettified list of the sites used:
[https://gist.github.com/amjd/acc5e108bfb2f29f050c](https://gist.github.com/amjd/acc5e108bfb2f29f050c)

~~~
lugg
Thanks so much. Been looking for an up to date blog roll like this for a
while.

------
irises_come
Hm. Do you really need interaction at all?

Can't you just :visited { margin/pos/whatever }, then probe the dom on that or
related elems to extract the juice? Or have browser vendors thought of this?

~~~
gburt
This is a very old attack that has numerous security measures to prevent you
from doing that now.

~~~
irises_come
I presumed as much. But if you can covertly jimmy the UI and parse the user's
interaction, you can more or less get at the history like that anyway.

I don't see any secure way to handle this besides disallowing :visited styling
entirely.

~~~
chc
I'm having a hard time following here. What is "covertly jimmying a UI" and
how would it allow you to exploit visited styles?

~~~
gburt
For a less "covert" example than I am sure the OP was thinking, you could have
"click the red button to continue" sort of like this page does. :)

~~~
eli
Wouldn't that also require a hundred same sized differently colored buttons,
just like this site?

~~~
btgeekboy
Not necessarily. What if the un-visited box was set to display:none? That
would leave you with just the visited boxes showing.

Now make it even less obvious: create a false box with the proper :visited
color. That's your bottom layer, your fallthrough if the user hasn't visited
any of them. Now position all of the :visited boxes as exactly the same size
and position over that bottom layer. Now, when the user clicks the button to
continue, they're guaranteed to click either your fallthrough ("user has none
of my sites") or one of those you are monitoring for.

The end result of all this is a page that says "Click the box to continue."

~~~
praptak
> Not necessarily. What if the un-visited box was set to display:none?

Then it would remain 'none' for the visited box too. Messing with 'display' is
disabled in 'visited' to prevent this class of workarounds.
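
The property whitelist that RussianCow, heycam and praptak describe, and the script-visible style that cynwoody and _delirium describe, modelled in plain JavaScript as an added example (it is not code from the thread or from the WhoAmI project). The function names are invented, the stylesheet and history are constructed inputs, and the allowed-property list follows the Mozilla/MDN description of the mitigation (colour-only properties), so its exact contents are an assumption rather than a quotation of any browser's source.

```javascript
// Added example, not code from the thread or from the WhoAmI project: a toy
// model of the :visited mitigation discussed above. Function names are
// invented; the allowed-property list is an assumption based on the
// Mozilla/MDN description (colour-only properties survive in :visited rules).

// Colour-only properties a :visited rule is still allowed to change.
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'outline-color', 'column-rule-color',
  'fill', 'stroke',
]);

// border-color and its four side-specific forms are allowed as well.
function isVisitedAllowed(prop) {
  return VISITED_ALLOWED.has(prop) ||
    /^border(-(top|right|bottom|left))?-color$/.test(prop);
}

// Review helper: list the declarations in a :visited rule that the browser
// will silently ignore (display, width, background-image, ...).
function disallowedInVisited(declarations) {
  return Object.keys(declarations).filter((p) => !isVisitedAllowed(p));
}

// Constructed stylesheet: the grey/red square pattern, plus two properties a
// page might hope to abuse (display, width) that the mitigation drops.
const STYLESHEET = [
  { selector: 'a',
    declarations: { color: 'gray', display: 'inline-block', width: '20px' } },
  { selector: 'a:visited',
    declarations: { color: 'red', display: 'none', width: '0px' } },
];

// Style the browser actually paints for one link: base rules first, then the
// :visited rules if the URL is in history, keeping only allowed properties.
function paintStyle(sheet, href, history) {
  const style = {};
  for (const rule of sheet) {
    if (rule.selector === 'a') Object.assign(style, rule.declarations);
  }
  if (history.has(href)) {
    for (const rule of sheet) {
      if (rule.selector !== 'a:visited') continue;
      for (const [prop, value] of Object.entries(rule.declarations)) {
        if (isVisitedAllowed(prop)) style[prop] = value;
      }
    }
  }
  return style;
}

// What getComputedStyle() hands to page script: the unvisited style, whatever
// the history says. Script therefore cannot tell red squares from grey ones;
// only the user, looking at the painted page, can.
function scriptVisibleStyle(sheet, href) {
  return paintStyle(sheet, href, new Set());
}

// Constructed history for a stand-alone run.
const HISTORY = new Set(['https://example.com/']);
console.log('painted :', paintStyle(STYLESHEET, 'https://example.com/', HISTORY));
console.log('to script:', scriptVisibleStyle(STYLESHEET, 'https://example.com/'));
console.log('ignored  :', disallowedInVisited(STYLESHEET[1].declarations));
```

Run with node: the painted style for the visited link comes back red but keeps `display: inline-block` and `width: 20px`, the script-visible style is grey either way, and the review helper reports `display` and `width` as the declarations that never take effect.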

------
Xeroday
Was on incognito and wondering why I didn't see any red squares...

~~~
mataug
That is, I am guessing, because there aren't any re-marketing cookies, history
and other markers when you open the page in incognito.

~~~
ZoF
No, it was because incognito tabs don't have access to browser history.

This web-app's functionality is based entirely on browser history and has
nothing to do with 're-marketing cookies' or other 'markers'.

Not to mention that the parent commenter clearly understood this fact.

------
MrJagil
Interesting.

At first I thought it would deduct information about me by analysing which
squares I'd choose in what order and through other metrics like pacing.

------
cornholio
"Could not determine interests. (Pssst, If you did not get any red squares,
try visiting without being in Private or Incognito mode)"

Indeed I am unhackable.

------
abritishguy
I had a very similar idea a while back, except I was measuring
onAnimationFrame times with a carefully crafted CSS stylesheet to determine
which links were being painted as :visited automatically and completely hidden
from the user.

Accuracy varied a lot between computers but in ideal circumstances (only
browser running) it would have ~90% accuracy on each of 25 links I was testing
against - the test took about 8 secs to run though.

Interestingly it never worked particularly well in chrome - chrome seemed to
stop painting :visited elements after a certain amount which prevented it from
working.

------
neya
This is mind-blowing, mine was pretty accurate! I know I can view the source
code, but is this/similar code available from GitHub or somewhere for us to
use in our own weekend projects? (:

~~~
Conlectus
I hope to clean up the code and post it to GitHub tomorrow.

~~~
neya
Thank you very much, that is very nice of you! ^^

------
Conlectus
For anyone interested in the source, I started hosting it on GitHub at
[https://github.com/Conlectus/WhoAmI](https://github.com/Conlectus/WhoAmI).

~~~
deeteecee
Do you plan to put the graph into the source anytime soon? I was curious about
looking through the code.

~~~
Conlectus
I just added the graph to the source.

------
jostmey
It was eerily accurate on me.

1. science 2. technology 3. programming

~~~
laurent123456
They could do the same game, but hard-code the results, and be right for 95%
of the audience here :)

~~~
nikatwork
Hmm, I was: 1. technology 2. programming 3. history 4. politics 5. design 6.
architecture

And it was dead-right.

~~~
udayadds
Same for me, though I barely read anything on history or politics.

------
joosters
In Firefox, you can go to about:config and set
layout.css_visited_links_enabled to 'false'. This page, and others that hack
the visited links styles, will no longer work.

~~~
joshvm
Note that in Firefox only a few visual hacks will work nowadays. This means
that sites can still change the local style of visited links to fit in with
their colour schemes. BUT, you can't trawl someone's history by exploiting
:visited any more.

And also note that this will remove all :visited styling, including the usual
blue->purple. Just a heads up for people changing this variable because they
think their privacy is being invaded.

[https://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/](https://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/)

------
balls187
I thought the a:visited exploit was addressed.

~~~
neoveller
I spent an unfortunate chunk of time trying to auto-click all the red squares
via jQuery in the Chrome console. After a lot of reading and experimenting, I
can verify that the exploit is thoroughly addressed (so far), and I cannot
achieve my goal because of it :(.

The most promising workaround would be to find a JS screenshot tool that
doesn't rely on the DOM, and then run some client-side image analysis to get
the index values of the red squares, and then go from there to click the
things. Well played, exploit fixers, well played.

~~~
Geee
You could access the webcam and zoom/enhance the reflection in the eyes to get
the screenshot.

~~~
neoveller
Think I just found a way using canvas with a semi-transparent element inside
of it, then overlaying that on each square, grabbing the computed/resulting
color of the canvas to decipher which block is what. S O O N

~~~
path411
I tried doing this:

[http://jsfiddle.net/path411/sRkWq/](http://jsfiddle.net/path411/sRkWq/)

It appears as though Chrome (37-dev) will not receive any data from behind the
canvas, while IE11 and FF(29) will allow me to see pixels behind the canvas,
but only see the unvisited color.

I don't believe there is another method to receive the color of a pixel from a
canvas except through getImageData(), but I could be wrong.

------
zatkin
What's more interesting is that someone spun off Geocities and called it
Neocities.

~~~
yayitswei
Here's the original discussion on HN:
[https://news.ycombinator.com/item?id=5957850](https://news.ycombinator.com/item?id=5957850)

------
KoalaOnesie
I swear to god I only clicked one link to Salon and I didn't even mean it.
STOP JUDGING ME

------
gamerDude
Hahaha. I was giving it the benefit of the doubt before viewing source, and so
I was wondering what happens when I push gray instead of red. :P That is
probably why I got some weird interests in my results.

------
stargazer-3
On my second try, determined to find out how it works, I drew a random smiley
shape in grey box area. Painting was added to the list! Was so disappointed to
find out it was a coincidence.

------
Conlectus
Once again, creator here.

I just pushed an update that added more topics and graphs. I have had reported
problems after the update. Can anyone confirm?

------
oneeyedpigeon
From the number of squares, I thought it might end up doing something even
more 'clever' i.e. generate a square for each of the most recent n URLs from
feeds of m _news_ sites, then analyse, for example, words in headlines of
those articles to determine what I'm interested in. Lots of potential for data
analysis once you have someone's browser history.

------
Fa773NM0nK
I was in Fx Private Browsing. I spent about fifteen minutes trying to figure
out why I had no red square!

------
ben0x539
Doesn't work for me because I disabled :visited last time this sort of thing
got discussed. :V

------
Gracana
This is really clever. One interesting use for this would be to target ads at
people who visit certain sites, or to customize your site's landing page to
direct visitors toward areas they might be interested in.

------
milankragujevic
I made an automated version, check it out here:
[http://projects.milankragujevic.com/jspy/](http://projects.milankragujevic.com/jspy/)

------
Gonzih
I remember a few years ago this concept was demonstrated as a way to get a
user's website history from the browser. This is a big privacy hole. And sadly
nothing changed. Which is sad.

~~~
pgl
In a way it is, but only really through tricks like this one. Browsers can no
longer access the properties of :visited, but they can affect how visited
links are displayed.

------
infused
I get the same three red boxes in Chrome every time, and none in Firefox or
Safari. I get three categories at the end, with no links or anything. What am
I doing wrong?

~~~
hngiszmo
It shows you squares for a bunch of websites. Those you visited before in that
browser are red. By clicking them, you tell the site that they are red, thus
that you visited them. Each site belongs to a category and thus it comes to
its conclusion.

------
homakov
There are much more effective tricks to use in production. You can leak user's
FB token for some huge client, and you get his email/name/bio.

------
cvburgess
This was exactly backwards for me... maybe I read it upside down? I jest, but
the concept is cool, just needs to be refined I'm sure.

------
tjoff
Should explain itself better. All I get is a bunch of grey boxes (no red ones)
and if I click done I get "Your interests are:"

~~~
Conlectus
Thanks for the suggestion! I made it so that it explains itself if you don't
click any red boxes.

------
homakov
Oh, also it's easy to check if you're logged in on Service1 using CSP. No user
interaction, same results.

------
corford
No red squares here. Am I doing it wrong?

~~~
mjfl
I don't have any either. I think it's because I've turned off internet history
on Firefox.

~~~
mbrutsch
Yep. It took me a few minutes to figure out why it wasn't working for me...

------
arkj
Maybe this link just saved my life!!! The clue for the clueless is in their
forgotten yesterday.

------
addisaden
The trick with a:visited is really awesome :D

See it on GitHub:
[https://github.com/Conlectus/WhoAmI/blob/master/css/main.css](https://github.com/Conlectus/WhoAmI/blob/master/css/main.css)

------
asadlionpk
Improvement: You can make the gray boxes light enough (same as the background)
so only the red ones are visible.

------
enscr
It's a shame I had only 4 red blocks. I should diversify :)

Fun experiment !

------
GUNHED_158
Some people are just too genius or protective of their privacy to enjoy this!
:)

------
oakaz
Results are good except that I have no gaming sites in my history actually

------
udayadds
Can we use this for filtering hacker news articles?

------
dalek2point3
Can someone post a screenshot of what happens once you click all the red
boxes? I have too many of them and don't want to do it...

------
maerF0x0
Haha, should have been pr0n sites :P

------
melipone
How are the categories obtained?

------
lurkinggrue
It didn't work for me.

------
oeN
Funny, perfect result!! And the concept is so simple, well done!

------
rburhum
Nothing was red for me

~~~
borkabrak
You cleared your browser history recently?

------
periferral
I am <blank>???

------
mundanevoice
Wao, reading my browser history while I am playing a stupid game. Elegant. :)

~~~
Stratoscope
Not quite. See discussion above. You _gave_ it your history by clicking the
red dots and not clicking the others.

------
Daggett
This is pure genius.

------
aps-sids
I had opened link in Private (incognito) window. #fail

------
closetnerd
Hmm, clever.

------
iopq
piratebay is not movies

------
zenjzen
nice.

------
aligajani
I just read the source code, uses caches.

------
zongitsrinzler
This can be done without any user interaction (and has most likely been done
to you without you knowing it). Check this link for a 101:
[https://stackoverflow.com/questions/1584850/is-it-possible-to-get-anchor-visited-state-from-javascript](https://stackoverflow.com/questions/1584850/is-it-possible-to-get-anchor-visited-state-from-javascript)

~~~
fzaninotto
Here is a white paper of another exploit without user interaction, which is
still working on most browsers. It's called "Pixel-perfect timing attack".

[https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf](https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf)

The related bug on the Chrome tracker was closed with a "won't fix".

