

Show HN: Tricking the user to access history using CSS and captchas - frantzmiccoli
http://frantzmiccoli.github.io/visited-captcha-history/

======
NathanKP
Very nice concept. You should also add the following CSS to the captcha
letters:

    -webkit-touch-callout: none;
    -webkit-user-select: none;
    -khtml-user-select: none;
    -moz-user-select: none;
    -ms-user-select: none;
    user-select: none;

This will make it feel even more like a real captcha by making it impossible
to select the text. (Right now you can select it to see the invisible letters)

~~~
frantzmiccoli
Done, thanks for the hint ;)

~~~
mzs
I can still select text with mouse in ff 24.5 esr - but still very clever
trick!

~~~
frantzmiccoli
I didn't apply the style to the right element... My bad!

~~~
mzs
Works now, but you might want to block pointer events too, for example I can
drag with the mouse from the captcha into the text area below to get a URL.

------
jere
Quite a bit scarier than the TinSnail demo, but it must have a much lower bandwidth.
The source only has three links and you will probably see all three if you
have caching turned on. I guess if you're looking for one or two specific
sites, it doesn't matter.

------
cissou
Brilliant. getComputedStyle used to give away the color of a link, so at some
time this attack was trivial: you didn't need any user input, as a blue link
meant :unvisited, and a purple one meant :visited. Replacing getComputedStyle
with user input ("is this letter black or transparent?") is definitely
brilliant.
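As an added illustration of the getComputedStyle mitigation cissou mentions (this is not from the original post or the demo project): a self-contained page that gives links distinct :link and :visited colours and asks the browser for the computed colour. In current browsers the computed value is always the :link colour, even for a link that renders purple on screen. The target URLs are constructed examples; the second one carries a timestamp so it cannot be in anyone's history.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>:visited computed-style check</title>
  <style>
    /* Distinct colours so any leak would be obvious in the computed value. */
    a:link    { color: rgb(0, 0, 255); }
    a:visited { color: rgb(128, 0, 128); }
  </style>
</head>
<body>
  <ul id="links"></ul>
  <pre id="out"></pre>
  <script>
    // Constructed sample targets (assumption: the first is likely visited by
    // an HN reader, the second cannot be, because of the timestamp suffix).
    const targets = [
      "https://news.ycombinator.com/",
      "https://example.com/never-visited-" + Date.now()
    ];

    // Append a link for href and return the colour scripts are allowed to see.
    // Browsers report the :link colour here regardless of visit history.
    function computedLinkColor(href) {
      const a = document.createElement("a");
      a.href = href;
      a.textContent = href;
      const li = document.createElement("li");
      li.appendChild(a);
      document.getElementById("links").appendChild(li);
      return getComputedStyle(a).color;
    }

    const lines = targets.map(href => href + " -> " + computedLinkColor(href));
    const allUnvisited = lines.every(l => l.endsWith("rgb(0, 0, 255)"));
    lines.push(allUnvisited
      ? "OK: computed style does not reveal visited state"
      : "WARNING: computed colours differ; this browser may expose history to scripts");
    document.getElementById("out").textContent = lines.join("\n");
  </script>
</body>
</html>
```

Open the file in a browser after visiting the first URL: the link is drawn purple, yet the report shows rgb(0, 0, 255) for both entries. This check only covers what scripts can read; the captcha trick in the submission works precisely because the user, not the script, reports what was rendered, so rendering-based and timing-based side channels need the browser-level restrictions on :visited styling rather than a page-side test.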

~~~
aaronm67
There was a pretty interesting talk about using differences in style render
time to get history.

[https://www.youtube.com/watch?v=KcOQfYlyIqw](https://www.youtube.com/watch?v=KcOQfYlyIqw)

It's pretty interesting, and can be done in a way that doesn't require any
user input.

------
linshunghuang
You might want to check out the research paper "I Still Know What You Visited
Last Summer: Leaking browsing history via user interaction and side channel
attacks" ([http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010....](http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010.pdf)).
The paper describes several similar (if not the same) attacks.

~~~
kedean
Another interesting, more recent paper (I couldn't find a link to the actual
pdf, but I'm sure people are resourceful):

[http://dl.acm.org/citation.cfm?id=2516712](http://dl.acm.org/citation.cfm?id=2516712)

This one describes an attack to not only steal browser history, but to
reconstruct pages from the user's cache.

------
mikelat
That's impressive.

Honestly modern browsers should just start ignoring off-domain :visited styles.

~~~
spb
That would break aggregator sites like HN and Reddit (although really they
should be maintaining the visit history themselves, as they do with Reddit
Gold users).

~~~
endianswap
I tried to use the history tracking that comes with Reddit Gold for about a
week and it was virtually useless. After browsing on my phone and two
computers only like 1 in 10 of the links would correctly show up as purple on
the other devices (even just PC to PC it didn't work).

Edit: I should mention I bought Reddit Gold just for this feature, so I was
optimistic that it'd work.

~~~
tokenizerrr
As an alternative, you can set reddit to hide links that you have voted upon
which does not require a reddit gold account.

------
ultimatedelman
What am I missing? I just got this pre-determined list of links:
[https://github.com/frantzmiccoli/visited-captcha-history/blo...](https://github.com/frantzmiccoli/visited-captcha-history/blob/master/js/linkslist.js)

I was impressed when this list came up, but suspicious because I hadn't
visited reddit or github yet today.

~~~
gkoberger
It's sites you've visited at any time in the past (since the cache was
cleared). Anything that would normally show up as purple rather than blue on
regular websites.

------
CheckHook
Interesting but this method is limited to the URLs that you list in the
javascript (in this case linklist.js). More of a specific validation to see if
the user has visited the links you provide rather than a total data scrape.

To fully scrape the user's history you would have to list every URL in
existence.

Great proof of concept though.

~~~
jengamaster
Would have been a greater one if linklist.js contained links to more sites
than Github, Reddit and Hackernews... I mean I could have guessed those by
assuming that I visited that page via Hackernews.

~~~
frantzmiccoli
My point was to actually show something to the testers; I reduced the scope on
purpose.

------
nej
Clever

------
dang
The submitted title was "Show HN: Tricking the user to access his history
using CSS and captchas". We finessed the pronoun issue in this case by just
taking "his" out.

~~~
frantzmiccoli
I'm impressed by the number of comments this can raise. Your solution seems
like a good one, if only I could edit the title.

------
thinkbohemian
s/his/their

Unless of course there is something on this service that actually limits all
of your users into being one gender :)

~~~
aroch
The "male" pronoun's use is grammatically correct when the gender of the
subject is unknown.

Take your SJW puffery to Tumblr.

~~~
cfqycwz
It is true that the use of male pronouns in gender-neutral context has
historically been considered correct and is still considered correct by many.
It is, however, generally discouraged because it only serves to reinforce the
very real and problematic implication of male as the "default" sex.

~~~
okasaki
Discouraged by whom?

~~~
hyperpape
It's a fairly common prescription in style guides, though it is still debated:
try Googling "style guides gender neutral language" for instance.

