And the only reason you have to click the red squares is to let it know which ones are red. If you try to look up the color of a square using GetComputedStyle, it always comes back gray. That was the resolution of privacy Bug 147777† (":visited support allows queries into global history").
Ah, OK, and other methods appear to produce blank images so presumably this route is purposefully locked down too. A java app or add-on would do it but they'd be a bit obvious for most users I'd think.
Heh. I clicked a few before I realized what was going on (looking at the status bar shows the link, which somewhat gives it away). You could prevent this by adding mouseover/out and onclick logic that removed the :href on hover and just colored itself red.
Basically, the website doesn't know which of the squares are red, that depends on your browser state. By clicking the red squares, you're feeding it data.
The interesting observation I made out of this is that navigating there in an incognito window prevents any links from being considered as visited. That's good to know.
Can't you just :visited { margin/pos/whatever }, then probe the dom on that or related elems to extract the juice? Or have browser vendors thought of this?
Browsers lie in the computed CSS values. Regardless of whether you have visited the link or not, the computed style that JavaScript sees is always unvested.
You could prompt the user through multiple pages of "questioning" under a similar premise of psychological analysis, or some other manipulation. This would reduce the number of buttons per page.
Not necessarily. What if the un-visited box was set to display:none? That would leave you with just the visited boxes showing.
Now make it even less obvious: create a false box with the proper :visited color. That's your bottom layer, your fallthrough if the user hasn't visited any of them. Now position all of the :visited boxes as exactly the same size and position over that bottom layer. Now, when the user clicks the button to continue, they're guaranteed to click either your fallthrough ("user has none of my sites") or one of those you are monitoring for.
The end result of all this is a page that says "Click the box to continue."
It's surprisingly hard to do. Since the allowed styling does not affect positioning in any way (you used to be able to change the font-weight, but not anymore) and the browser removes all :visited styling for client side html-image libraries such as html2canvas you need to generate a massive amount of clicks from the user or have them targeted only to visited elements such as this page does.
Obvious question - how was the list of URLs compiled? Some are really specific like YouTube channels. On the other hand there are only 15 categories and there are probably a lot of people that would not get a single match or only something very generic like Wikipedia.
The coolest way would be cold, hard natural selection from Alexa top sites, possibly with weighting placed to relevant sites at the introduction of the dataset. Perhaps I will fork.
This just solved a huge problem I've been struggling with. This is beautiful - I don't actually want to know the information I've been trying to access, but it will make the experience better for the user. I now realize I don't HAVE to know - the browser knows, and that's all that matters. I just have to teach the browser what to do.
Actually, they don't seem to diverge much. I've tried randomly clicking on grey squares on different areas and it always gave me similar results (programming, gaming, technology, engineering).
Pretty inaccurate for me. It game minimum value to books and writing, and i love them both. I just dont open enough links about them (i read the books! Not their sites!)
I knew something about it (like reading expression or something, from watching 'the mentalist'), but i did not know what it was called.
but CMIIW the technique used in the linked app is categorized as 'hot reading' right? because it somewhat gather information from our "browsing history". Somewhat same technique used by google for user 'profiling' maybe?
The hot reading is researching information on you directly which is less relevant in this case as you don't leave implicit traces of "I love reading Konan Doyle" in your researchable browser history. You may have visited some Konan Doyle sites but you can still do it for other reasons than actually liking his books so any such attempt will include a lot of guesswork.
No, it's exactly cold reading, because it tries everything and encourages and watches your reaction (with javascript) to determine which things it was throwing against the wall were relevant to you. It's an ePsychic™:)
Here's the same exploit disguised as a game, to make it less obvious that it's tricking the user into interacting with it: http://lcamtuf.coredump.cx/yahh/
Couldn't one simply make a display:none on normal links and display:block on :visited, then stack them all on top each other with position:absolute and catch mouse events from each element via JS?
180 comments
[ 3.1 ms ] story [ 251 ms ] threadAnd the only reason you have to click the red squares is to let it know which ones are red. If you try to look up the color of a square using GetComputedStyle, it always comes back gray. That was the resolution of privacy Bug 147777† (":visited support allows queries into global history").
†https://bugzilla.mozilla.org/show_bug.cgi?id=147777
Basically, the website doesn't know which of the squares are red, that depends on your browser state. By clicking the red squares, you're feeding it data.
The interesting observation I made out of this is that navigating there in an incognito window prevents any links from being considered as visited. That's good to know.
It's quite interesting to see how such a seemingly simple feature (a:visited) can completely override user privacy if not accounted for.
Can't you just :visited { margin/pos/whatever }, then probe the dom on that or related elems to extract the juice? Or have browser vendors thought of this?
I don't see any secure way to handle this besides disallowing :visited styling entirely.
That's what I think he meant.
Now make it even less obvious: create a false box with the proper :visited color. That's your bottom layer, your fallthrough if the user hasn't visited any of them. Now position all of the :visited boxes as exactly the same size and position over that bottom layer. Now, when the user clicks the button to continue, they're guaranteed to click either your fallthrough ("user has none of my sites") or one of those you are monitoring for.
The end result of all this is a page that says "Click the box to continue."
Then it would remain 'none' for the visited box too. Messing with 'display' is disabled in 'visited' to prevent this class of workarounds.
It's a good example of just how difficult browser security is.
1. science 2. technology 3. programming
And it was dead-right.
1. technology
2. movies
3. books
4. programming
5. science
6. politics
7. gaming
WHAT KIND OF SORCERY IS THIS!?
1.Technology 2.Gaming 3.Programming
I knew something about it (like reading expression or something, from watching 'the mentalist'), but i did not know what it was called.
but CMIIW the technique used in the linked app is categorized as 'hot reading' right? because it somewhat gather information from our "browsing history". Somewhat same technique used by google for user 'profiling' maybe?
just a little bit of assumption.
Documentation of the game proof-of-concept: http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashio...
Thx. for the links.
This web-app's functionality is based entirely on browser history and has nothing to do with 're-marketing cookies' or other 'markers'.
Not to mention that the parent commenter clearly understood this fact.