Epic Marketplace caught stealing history by Stanford Security Lab - mikeleeorg
http://cyberlaw.stanford.edu/node/6695

======
gallamine
For those that were confused by the title (like me), here's the TL;DR:

Online advertiser, Epic Marketplace, is using a very sophisticated JavaScript
script to do "history stealing", where they iterate through thousands of URLs
to determine if a user has visited them. With this data, they can serve highly
targeted ads. It's highly shady at best, and illegal at worst.

~~~
juiceandjuice
Very sophisticated is almost an understatement.

~~~
AdamTReineke
Not really. The Javascript loads an array of links to check against, builds a
1x1 pixel iframe, puts all the links in there (with styles applied to hide
visited links), then it checks to see which links disappeared.

Browsers are securing against this by limiting styles that can be applied to
the :visited pseudoclass to just color, then it serves back the default color
if a script ever tries to check.

------
jrockway
How come it's illegal for aaronsw to steal thousands of documents from a
document repository, but it's not illegal for an advertiser to steal thousands
of history entries from my browser? If anything, this sounds significantly more
illegal: code that I don't want to run is injected into my browser, and then
it steals personal information that I make an effort to keep secret. If this
isn't unauthorized access to a protected computer system, what is?

------
ohashi
Interesting to see how they've used it. I remember seeing a proof of concept a
while back checking the most popular sites against your browser history and
pointing this flaw out. Now it will be interesting to see the repercussions of
actually abusing this.

------
maukdaddy
      The script sets a cookie indicating when it was last run;
      it will not history steal more than once every twenty-four hours.

Wow. Pretty kind for an otherwise evil script!

------
andrewcooke
so what would block this?

noscript would, but (imho) it's too intrusive.

would adblockplus have blocked it? what about ghostery, disconnect, et al?

~~~
wmf
The browsers are fixing this; no plugins should be needed.

~~~
redthrowaway
Is there actually a legitimate use for 0x0 iFrames that can't be easily
replicated some other way? Why do we allow them?

~~~
ohashi
Where do you draw the line? 0x0 doesn't work. Let's use 1x1 and blend it in
somewhere. 10x10? Probably can find a square somewhere to hide it. Or a long
rectangle at the bottom perhaps with a solid color. I don't see blocking 0x0
as a real solution to the problem.

~~~
ruethewhirled
Same problem with setting the position off screen or 0% opacity. There are a
lot of ways to hide an iframe.
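As an added example (not code from the thread or from the Stanford report), here is a heuristic scanner for the hallmarks AdamTReineke describes (a `:visited` rule that changes more than color, a hidden iframe, a very large batch of probe links) together with the hiding tricks ohashi and ruethewhirled list. It works on raw HTML with regexes rather than a real CSS parser, so it is a triage check for crawl output, and the sample page and URL list are constructed.

```javascript
// Constructed sample: 250 probe links, a 1x1 transparent iframe and a :visited
// rule that hides visited links, the shape the comments above describe.
const PROBE_URLS = Array.from({ length: 250 }, (_, i) => `http://site${i}.example/`);
const SAMPLE_HTML = `
<style>a.probe { color: #00f; } a.probe:visited { display: none; }</style>
<iframe style="width:1px;height:1px;opacity:0" src="/probe.html"></iframe>
<div>${PROBE_URLS.map(u => `<a class="probe" href="${u}">.</a>`).join('')}</div>`;

// Returns a list of human-readable findings; an empty list means nothing matched.
// In the real case the links sit inside the iframe's own document, so scan that
// document too; anchorThreshold is a tunable heuristic, not a hard rule.
function scanForHistorySniffing(html, anchorThreshold = 200) {
  const findings = [];
  let m;

  // 1. :visited rules that set anything besides color. Browsers now restrict
  //    :visited to color, so a rule that sets display/visibility/etc. is a flag.
  const visitedRule = /:visited\s*\{([^}]*)\}/gi;
  while ((m = visitedRule.exec(html)) !== null) {
    const props = m[1].split(';')
      .map(p => p.split(':')[0].trim().toLowerCase())
      .filter(Boolean);
    const beyondColor = props.filter(p => p !== 'color');
    if (beyondColor.length) findings.push(`:visited rule sets ${beyondColor.join(', ')}`);
  }

  // 2. Hidden iframes: 0x0 or 1x1, display:none, visibility:hidden, opacity:0
  //    or pushed off screen with a negative offset.
  const iframeTag = /<iframe\b[^>]*>/gi;
  const tiny = /\b(width|height)\s*[:=]\s*["']?[01](px)?\b/i;
  const hidden = /display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0\b|(left|top)\s*:\s*-\d+/i;
  while ((m = iframeTag.exec(html)) !== null) {
    if (tiny.test(m[0]) || hidden.test(m[0])) {
      findings.push(`hidden iframe: ${m[0].slice(0, 60)}`);
    }
  }

  // 3. An unusually large number of anchors, one per URL being probed.
  const anchors = (html.match(/<a\b[^>]*\bhref=/gi) || []).length;
  if (anchors >= anchorThreshold) {
    findings.push(`${anchors} anchors (threshold ${anchorThreshold})`);
  }
  return findings;
}

console.log(scanForHistorySniffing(SAMPLE_HTML));
```

Expect false positives from legitimate link-heavy pages and tracking pixels; the three signals together, not any one alone, are what make the pattern distinctive.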