97 comments

[ 12.1 ms ] story [ 210 ms ] thread
It only got 4 out of 15 correct for me.
Nope. Only got 1 right.

Best of luck, it's an interesting concept!

It's kind of comforting to see the fails here...
Doesn't appear to guess correctly in Chrome 15 on OS X (10.7.2). I'm not sure exactly what the 'whoops' means for google - but I've obviously visited HN and have visited a few of the others as well.

Screenshot: http://cl.ly/1i0921270W2b1u190b0W

I think it got 100% for me, on Safari/Mac.

Note that it doesn't need to be 100% accurate to be effective. If it guesses better than 50% (i.e. coin flip), then it could be used to give guesses with at least some confidence. No different than analyzing any other noisy dataset. Because this all works client-side, it can also be done quite invisibly.

there is already way better and reliable methods to accomplish same goal. e.g

http://ajaxian.com/archives/spyjax-using-avisited-to-test-yo...

(comment deleted)
Right, but those applications will be for things like online advertising, which is already tracking your visits and/or just assuming you use the popular sites anyway. Can this be used to violate privacy in a meaningful manner if it misses 50% or more of the time? You'd have complete plausible deniability if you were pinned to have accessed some site you don't want people to know you accessed. It can't be used as evidence in anything. What would the threat look like?
I oppose user tracking not necessarily because there's something to hide, but because a sense privacy is a fundamental component of a sense of independence, and for me, independence is one of the critical components of happiness.
It would have to guess better than anonymous modelling, not 50%. I'd happily bet even odds layout that each of my site visitors visit Google.
If the question is "Has this user visited site X?" then I'd hope that any kind of modelling is better than 50%, as simulating a coin toss would be at least as good.
With the exception of Facebook (which I visited this morning), the results were accurate (Amazon, reddit, linkedin, wikipedia, youtube). Spoooky!
I got extremely inconsistent answers on multiple runs.
(comment deleted)
Indeed, as the second time you run it, you have visited all those sites, and some of those images are in the cache.

The first time, I had one 'visited', the second time about half were 'visited'. I'm surprised not all of them were, though...

More accurate but a couple of false positives.

Chromium on Linux

only got HN for me, using Chrome 15 on OSX.
Not even close, while all the sites it said I visited, I had, it missed tons of other sites I'd visited.
Same here. There were 3 correct positives listed, and I had about 7 or 8 false negatives.
Same here, although I visited multiple sites listed in the very same session on the browser I have open, the tool only reported one as visited, and Google as a Whoops. It should have reported at least 6 more!
It said I have not visited any of them, except google (there it just says "whoops", I'm not sure if that is a hit or not).
Yup, got the same. Then rerunning it said I'd visited almost all of the sites.
You'd expect that, as it works by loading an image from each of those sites.

So your cache will end up with images from each of those sites.

I get what you're saying, but if the technique really worked, I'd expect it to have told me the sites I frequently visit on the first run and a 100% score on the second run, but it was only like 80% of that.
Same here. Zero false positives, but several false negative results.
same here. funny thing is that all correct matches were for sites actually opened in another tab and it even missen facebook which was also open in some tab.
Same here, it failed to catch Google and I am there almost daily. (Mostly for the doodles.)
(comment deleted)
From the 5 sites I visited, it correctly flagged HN, WP and YT as visited, and gave a "whoops" for FB and Google (what does that mean?), which I both visited.
Not even close, too. Instead of measuring load time, you can create "<a>" elements verify their rendered color is the color you defined for visited links. It's a trick of old times...
a trick that all modern browsers have fixed
hmm. I thought it's impossible to block that solution since a coder should be able to get the computed value of a style property. I'll try it soon.
Really interesting concept. This one wasn't as accurate for me as the original Firefox-specifc proof of concept, though. It only picked up on YouTube and Wikipedia. What's with the "whoops" on Google?

I do use NoScript and Ghostery, though, and I could see how that might cause some false negatives.

The results are not consistent. Each time I click the button it keeps changing and also lists the wrong sites.
A second try gives me a 'visited' result on almost every page (except techbuy).

The first try was pretty correct though.

Mostly right for me except it didn't know I visited twitter and facebook (both tabs are open right now).

That's probably due to me blocking facebook and twitter widgets on sites other than Fb and twitter though.

The other one worked fine on iOS. Yours failed all tests.
What would be a possible use of this attack? I can't think of anything useful you'd do with knowing that you've visited Facebook. And so many people use sites like Facebook you might get a better success rate just always returning "visited" rather than measuring this way!
If a malicious website can tell which banking websites you have visited, it can show a phishing page that looks just like your bank.
Maybe you could use it to only show those social sharing widgets that are for services the visitor actually uses. Though I guess WebIntents will eventually be a better way to handle that.
Ad retargeting without going through one of the high-reach ad networks. Or any product site instantly knowing which competitors you've researched, and tailoring their pricing to that.
Got three - one false positive. Firefox on linux
Apparently the key to people not knowing where you visited is to use IE. It missed sites like Twitter and Facebook that are open for me all the time. It did get one site correct, HN ;<).
It guessed HN correctly for me the first time, but on the second run it said I hadn't visited any of the sites, including HN. Perhaps a bug..
Didn't work on Opera on Linux (said I never visited any of those sites)
Missed about 75% for me.
try running it again. it will say you visited them all !

script FAIL !

Did not work at all for me. The other one had slightly better results. Win 7 on most recent FF.
Fails for me on Safari 5.1.2 / OS X. It got 1 site right, 1 site wrong, the rest being "not visited".