Retrieving your browsing history through a CAPTCHA (varun.ch)
405 points by varun_ch on March 6, 2022 | 56 comments



I believe this is not a new concept. However, I applaud the accessibility, style and implementation of the proof-of-concept, given that the author seems to be only 15!

Also sidenote: I like the creative and subtle plug for the author's 'Quickz' project (seems to be a Kahoot alternative - I have never heard of either) in the "not visited category".

Keep up the good work!


Thank you! :)


I rarely see websites that actually make use of `:visited` style as intended, it would be good if browsers had an option to just disable it and prevent this class of leaks completely.


I like :visited. It’s useful. I don’t want browsers to disable it, but developers to stop clobbering and disabling it on their sites.

Any site I make will have sane blue underlined links and purple underlined visited links. I’m willing to vary the shades of blue and purple, and I prefer to reduce the opacity of the underline when not interacting with the link, but I say general links should be blue and purple and underlined, and anything else is troublemaking.

(In https://github.com/w3c/csswg-drafts/issues/3012, there’s talk of changing :visited to essentially work from the site’s perspective—exposing only history that the site could have tracked itself—rather than for the user as global visitedness does. This makes me sad, though I quite understand the perspective; to me, :visited has always been about the user, even though such first-party link following is its primary use.)


The thing you like is client link styling, not the :visited attribute manipulated via CSS/JS.


Not sure what you mean. Under that proposal :visited wouldn't be available for styling or scripting except for links the site could already know that you visited.


The site we are on right now uses visited links in a different style (although annoyingly subtle). I find this feature incredibly valuable.

I wouldn't be opposed to a feature to disable it, but I certainly wouldn't use it. I can imagine that Tor may want to enable it by default though.

Edit: Apparently Firefox has this feature and Tor does use it.


> I rarely see websites that actually make use of `:visited` style as intended

Some well-known websites do it, such as Google and Wikipedia.


The only time I ever see a visited style link is when links aren't styled at all. It's anachronistic and the feature should probably be dropped altogether. If some users want to see it, it could be done with an extension that has history access (or a coarse-grained version of history). Then they'd be able to see it for all sites, not just the tiny fraction of sites that don't style links.


Counterpoint, plenty of sites I use properly show visited links, and it's a very useful feature!


Maybe I don't notice it enough, but I suspect the vast majority of those are only doing it because they haven't changed the style.

I find it useful too, but since most sites don't actually show it, I'd rather just use an extension that always shows it.


Wikipedia for example

Edit: oh, and Hackernews, too


This is clearly not true as you are currently posting on a site that has styled links and also has lighter styled visited links.


Lol true it's not 100% accurate. HN is still in a small niche of sites when it comes to web design.


what about google then ;)


The last sentence of the article claims you do have that option, but I can't find it?

I can see an option to always override the color with my choice.


Looks like Firefox has it in their advanced settings under "layout.css.visited_links_enabled", but on Chrome (or other Chromium based browsers) you have to clear history regularly, or use incognito mode.


For Firefox at least, toggling layout.css.visited_links_enabled should fix this.

An earlier article about the visited CSS issue:

https://dbaron.org/mozilla/visited-privacy


The answer to having both visited styles and not security violations is to allow a domain to only style links that are local to that domain and not others.

They already do that with referers: there is a security level to only let the site see referers that are local to its domain. I think this is the default for https.


Couldn't you reimplement cross-site cookies with that?


I was wondering why this wasn't working for me. Looking through my settings in Firefox, I finally narrowed it down to Privacy and Security -> History. I have it set to "use custom settings" (clear history on exit, everything else unchecked), but presumably "never remember history" would also work.


Oh nice, I always have trouble making realistic clickjacking demos. This is just perfect. Previously I put stuff like a play button on a funny video, and for a second click the skip button on an ad. This stuff is golden, you can get a nearly infinite amount of clicks out of it.


On macOS Monterey 12.2.1

  - Fails on Safari 15.3
  - Works on Google Chrome 99.0.4844.51


I remember seeing the same concept applied to something else and a demo here on HN many years ago. This implementation however is novel, and feels more 'exploitable'. Good idea/nice find!


Sly and clever, but the demo's not working.

That's all I see - https://i.imgur.com/zl1iv6O.png

Recent Firefox + uBlock.


Do you have JavaScript disabled?


No, not blocked. Nothing on the console too except that the loading of "plausible.js" was blocked.

PS. Played with it a bit and .box divs are zero-height. You need to have some content in <a> tags for them to not collapse vertically. This fixes it (somewhat) -

  document.querySelectorAll('.box a').forEach(e => e.innerHTML = '&nbsp;')

PPS. Also this .box rule is marked with "invalid property name" -

  aspect-ratio: 1/1


Thanks. I can't reproduce the issue on Chrome or Firefox (98), but I've just pushed an update that changes "aspect-ratio: 1/1", to "aspect-ratio: 1 / 1". Perhaps I needed those spaces.

Let me know if that solves it. :)

Edit: Looks like Firefox only got support for aspect-ratio in version 89, is your browser up to date?


I am on 88 and planning to stay on it for a while. Mozilla got way off track recently with their pointless UI changes and, more troubling, business "collaborations", so a conservative approach to updating is well-warranted.


Doesn't work on Firefox iOS, even with enhanced tracking protection disabled. It only shows this single domain varun.ch.

It does work on Firefox desktop.


Are there any extensions that protect from this?


Basically the only defense is an extension that prevents styling for a visited link. But on the plus side to use this exploit you either need to be very specific about what sites you check or have the user clicking lots of links…


I use Firefox Focus. It deletes your history each time you close the app. I find I never need my history, so I’m happy to have it deleted regularly. Others seem to use their history and tabs, so YMMV.


Tor Browser is not vulnerable.

I don't think you can defend against this by adding CSS rules, only removing them. Extensions would need to parse the entire CSS of a website and replace it, which would be cumbersome.


[flagged]


What is going on with those new accounts preaching against online privacy recently?

Edit: For the lurkers trying to educate themselves, I recommend those resources:

https://en.wikipedia.org/wiki/Nothing_to_hide_argument

https://en.wikipedia.org/wiki/Citizenfour

https://vimeo.com/nothingtohide


>What is going on with those new accounts preaching against online privacy recently?

From my experience (as I prefer freedom of information) if you are against privacy you tend to get downvoted. I think downvotes can lead to your account being rate limited which is annoying so it makes sense that people would want to use another account.


Perhaps you're spotting recent reddit transplants who don't yet get HN's unique dislike of sarcasm and shallowly dismissive jokes?


I don't think the new account was actually arguing against privacy (those words have basically become a strawman now); rather it was just a bit of dry humour.


I just reread the comment and maybe you are right. I don't know if he edited the comment or if I misread when I wrote my reply, but I didn't see the word "goes". So I read "I believe the argument [...]".


Cool but this has been around since forever


This is a terrible PI leak ...

JS should really be disabled by default and only be enabled on sites that really need it and you somewhat trust.


It does not require JS to work. In essence, it uses CSS styles to exploit visited links.


I had to enable js for it to work in firefox


Also, lying about the visited state to JS was implemented as early as Firefox 4 - so it is definitely not a JS-dependent "exploit" (rather, it's a rather oblique way of social engineering).


But don't you need JS to check for the styles to see if the link is visited?


No, each square the user clicks could be a checkbox that is submitted to the backend as a form when they click done.


It could even just use CSS selectors to reveal an image or change a background image that results in a request to the backend.


Fortunately most browsers already have some measures to prevent that (https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and...), the demo avoids automating the process altogether, and relies on tricking the visitor into 'voluntarily' telling if they've visited a site.


I meant you can use CSS on the checkbox once it is checked, there is no need to actually submit a form. I understand that you can't use CSS directly on the :visited selector.


Ah I see, that makes sense.


You need js to extract the PI though?


JS or user submitting a form -- some form of client interaction.


You can do requests to the site using pure CSS as well, using something like `.site:visited { background-image: url(/logging/site); }`


those kind of tricks are already blocked by browsers, as the article explains
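
As an added illustration of the browser-side restriction this reply refers to (example code written for this thread, not the article's demo and not a browser's own implementation): a small stylesheet audit that flags `:visited` rules using properties browsers ignore in that state, or a `url()` value that would cause a fetch. The allowed-property list is the one documented on MDN's "Privacy and the :visited selector" page; the sample stylesheet is constructed and includes the probe quoted above.

```javascript
// Properties browsers still honour for :visited (per MDN); everything else
// is silently applied as if the link were unvisited, so it leaks nothing and
// only signals that a stylesheet is probing history.
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'border-color', 'border-bottom-color',
  'border-left-color', 'border-right-color', 'border-top-color',
  'column-rule-color', 'outline-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

// Split a stylesheet into { selector, declarations } pairs. Only innermost
// brace pairs are matched, so rules nested in @media blocks are still seen.
function parseRules(css) {
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, '');
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(noComments)) !== null) {
    const declarations = m[2].split(';')
      .map(d => d.trim()).filter(d => d.includes(':'))
      .map(d => {
        const i = d.indexOf(':');
        return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// Report every :visited declaration that either requests a resource or uses
// a property the browser will not apply in the visited state.
function auditVisitedRules(css) {
  const findings = [];
  for (const { selector, declarations } of parseRules(css)) {
    if (!/:visited\b/.test(selector)) continue;
    for (const { prop, value } of declarations) {
      const fetches = /url\(/i.test(value);
      if (fetches || !VISITED_ALLOWED.has(prop)) {
        findings.push({ selector, prop, reason: fetches ? 'url() in :visited' : 'property ignored in :visited' });
      }
    }
  }
  return findings;
}

// Constructed sample: two benign purple visited-link rules beside two probes.
const SAMPLE_CSS = `
a:visited { color: purple; }
.site:visited { background-image: url(/logging/site); }
.box a:visited { display: none; }
@media screen { .x a:visited { color: #551a8b; } }
`;
```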


This one does not really need JS, the captcha could be done with an HTML form and checkboxes.


Captchas which don't work with noscript/basic (x)html browsers are a definite no-no anyway.



