Efficient history-stealing attack to identify website-visitors - yungchin
http://33bits.org/2010/02/19/ubercookies-history-stealing-social-web/

======
randomwalker
For reference, part 1 of this series was discussed here:
<http://news.ycombinator.com/item?id=1134370>

------
fnid2
This is the worst thing to hit the web since url shorteners. Just stop it.
Wipe it from your mind. It's unethical. You are gathering information from
your visitors that you have neither asked for, nor been given permission to
retrieve.

It should be illegal. It's an invasion of privacy. Don't do it. Don't even
learn that it is possible.

~~~
whyenot
I think it's too late to put history scraping back into Pandora's box. There
are several articles on it already out there. Those who are less scrupulous
already have all the information they need.

At this point, I think the best that can be done is to make people aware of
the practice. No browser should leak history by default. It's a huge security
vulnerability, and should be regarded as such. Start putting pressure on
Mozilla, Google, MS et al to fix it.

~~~
Groxx
I just hunted around for a bit, and found a few possibilities. Now all we need
is User Javascript that can run before the site loads, in all browsers, and
we're golden :) User Javascript strikes me as more likely to be implemented
than anything specific to this problem.

<http://news.ycombinator.com/item?id=1139172>

------
Groxx
w00t. For any who are interested, Opera and Chrome have the capability of
having "user javascript" that runs _before_ the website begins loading, which
allows secure objects to prevent things like this. Nothing built-in for IE /
Safari / Firefox, from what I can tell. Greasemonkey loads after the page is
done, so it can't guarantee this sort of thing is blocked.

In Chrome (dev only, currently, and weird / lacking the ability to manage them
after install), use a "// @run-at document-start" line in your script:
<http://dev.chromium.org/developers/design-documents/user-scripts>

In Opera, it looks like it always runs them first:
<http://www.opera.com/browser/tutorials/userjs/>

And the important piece, something which can block this kind of probe, Caja:
<http://code.google.com/p/google-caja/>

Obviously other possibilities exist, and this will likely need tweaking, but
it's a solid start. If nothing else, it reads as a fairly simple how-to to
make your own leaner version if you just want to target this.

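The "user javascript that runs before the page loads" idea above, as an added example that is not code from the thread, from Caja or from any browser: a hook that wraps getComputedStyle, the call a :visited probe needs in order to read link colours, and flags a page that reads the computed style of many distinct links. In a real user script it would sit under the `// @run-at document-start` header mentioned above; `installVisitedProbeDetector`, `simulateProbe`, the `target` stand-in for `window` and the 50-link threshold are assumed names and values.

```javascript
// Added example (not from the thread or Caja): a document-start user-script
// hook that wraps getComputedStyle and reports when one page reads the style
// of many distinct links. `target` stands in for `window`; the `threshold`
// default is an assumed heuristic, not a browser constant.
function installVisitedProbeDetector(target, { threshold = 50, onDetect = null } = {}) {
  const original = target.getComputedStyle;
  if (typeof original !== 'function') {
    throw new TypeError('target has no getComputedStyle to wrap');
  }
  const seenHrefs = new Set(); // distinct link targets whose style was read
  let detected = false;

  function isLink(el) {
    return el !== null && typeof el === 'object' &&
      String(el.tagName).toLowerCase() === 'a' &&
      typeof el.href === 'string' && el.href !== '';
  }

  target.getComputedStyle = function (el, pseudoElt) {
    if (isLink(el) && !seenHrefs.has(el.href)) {
      seenHrefs.add(el.href);
      if (!detected && seenHrefs.size >= threshold) {
        detected = true; // fire once; a blocking variant could refuse here
        if (onDetect) onDetect({ distinctLinks: seenHrefs.size });
      }
    }
    return original.call(target, el, pseudoElt);
  };

  return {
    get distinctLinks() { return seenHrefs.size; },
    get detected() { return detected; },
    uninstall() { target.getComputedStyle = original; },
  };
}

// Offline self-check with a constructed stand-in for window; no browser needed.
function simulateProbe(linkCount, threshold) {
  const fakeWindow = { getComputedStyle: () => ({ color: 'rgb(0, 0, 238)' }) };
  let fired = 0;
  const det = installVisitedProbeDetector(fakeWindow, { threshold, onDetect: () => { fired++; } });
  for (let i = 0; i < linkCount; i++) {
    const a = { tagName: 'A', href: `http://example.invalid/site-${i}` }; // fake <a>
    fakeWindow.getComputedStyle(a);
    fakeWindow.getComputedStyle(a); // a repeat read of one href counts once
  }
  fakeWindow.getComputedStyle({ tagName: 'DIV' }); // non-links are not counted
  return { distinctLinks: det.distinctLinks, detected: det.detected, fired };
}
```

Legitimate scripts also call getComputedStyle on links, so the threshold is a tuning knob and the hook is a detector to build on, not a drop-in blocker.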
------
Groxx
Interesting... that's a clever way of scraping data.

Rather simple proposal for a fix: don't allow JS to read the :visited pseudo-
class. I've yet to see anything use it cleverly anyway (though I fully admit
this does not mean it cannot be used cleverly).

Personally, I'd just disable it by default / have a setting somewhere to
always return "false" to that query, and I'd like a prompt to enable it for
scripts as desired (sha-1 the js on a site, and remember permitted ones. Auto-
breaks when changed). Ideally, it'd be nice to allow / block based on current-
domain too. Prompts are a bad idea for most people, though.

Anyone know if doing this would be possible on browsers right now? I don't
know what the APIs allow.