20 comments

[ 4.0 ms ] story [ 46.1 ms ] thread
Scary stuff, good thing i always clear my history...
This is all very cute, but the real exploit isn't embarrassing your friends and co-workers by revealing their kinks. Imagine a phishing site which could sniff your browser history to see which bank you use, and then provide a customized login form masquerading as that same site.

Exposing browsing history via CSS color information in the DOM is a serious security hope that should be closed by browser vendors.

This is really old news. Here's an HN link discussing someone's batshit crazy startup idea based on it:

http://news.ycombinator.com/item?id=404564

It's definitely a useful trick for only showing certain content to certain users. For example, I wrote a script so you only show Digg buttons to visitors that have been to digg.com: http://int2e.com/blog/improved-digg-integration-script/
You don't even need Javascript.

    <a class="digg" href="http://digg.com/submit/">...digg button code...</a>
Now you can use CSS to hide visited links.

    a.digg:visited { display: none; }
This is so old it’s even mentioned in the spec as something a browser can choose to avoid:

http://www.w3.org/TR/CSS21/selector.html#link-pseudo-classes

Note. It is possible for style sheet authors to abuse the :link and :visited pseudo-classes to determine which sites a user has visited without the user's consent.

UAs may therefore treat all links as unvisited links, or implement other measures to preserve the user's privacy while rendering visited and unvisited links differently. See [P3P] for more information about handling privacy.

Yet another reason to use NoScript.

... why would I be down-voted for mentioning a solution which prevents 100% of JavaScript history attacks???

It's not really relevant to anything. I could say it's another reason to go back to using BBS's instead of the WWW, but that's not really a useful observation is it.
I don't think disabling JS by default is equivalent to going back to BBSes. IMO it's how JS and other client-side scripting technologies should have been implemented from the very beginning, on an opt-in basis with the onus on the site developer to convince users that it's worthwhile to enable the feature for their site.
That would be a terrible user experience.

At one time browsers didn't display images by default eiter. It was horrible.

But that's not what noscript does; it allows you to whitelist known-good scripts, and only run those. So when you go goodsite.com, you can see the cool javascript animations, but when you browse to steals-your-history.com, your history won't be stolen.

Sure, goodsite.com can choose to spy on you... but that is less likely than some other random site being the bad one.

"... but when you browse to steals-your-history.com, your history won't be stolen."

Ah, but you won't know if your history's being stolen, right? The exploit can be hidden from the user's eyes, hidden in an ad, for example, that the site you trust shows you without realizing that ad is hacking your history. Phishing sites, too, of course.

A big problem caused by this elegant hack is that it uses services web users can't easily do without, services that most browser users don't know about (and, ideally, shouldn't need to understand). I guess you're suggesting that a user must be more wary of websites, avoiding unknown ones. Is that what you're suggesting?

It'll be interesting to see what can be tried to remedy the privacy issues caused by this.

I use NoScript too, but you can do it in pure CSS and Noscript won't block it: just set a:visited for the link you're interested in to use a certain background image, which will only hit your server if the link is actually visited.
Some time ago I wrote this:

http://antirez.com/page/cachetest.html

AFAIK the bug I shown is not currently fixed. The idea is to perform a request for an image in the target site (usually the logo), meter how many milliseconds it takes, if it takes very little (near to zero) you already visited the site. If the latency is instead in the normal range you didn't. See the article for more info.

I don't know if I've seen any privacy exploit that (1) compromises this much personal data, and (2) is as easy to execute. Can anyone think of one?
(comment deleted)