31 comments

[ 2.2 ms ] story [ 88.2 ms ] thread
Apparently the Internet knows nothing about me. That is ... rather surprising.
Me too. This "attack" is very old and well-known on the browser side. It doesn't work particularly well on me because I keep no history.
I had never heard of it before. I wouldn't consider myself anywhere near an expert on client-side exploits but still...

I keep up with most tech-related news as well as I can and I had never heard of it until now...

I'd be interested to see how many people actually have heard about it before.

This isn't an exploit, it is a feature of almost every modern browser.
I wasn't aware that sharing your browser history with every website that cares to check it was a 'feature'.
I think that was the point...

Most people aren't aware of this.

Hopefully it was a success for you!

Applying different style to visited links is a feature. The trick to pull the info back to server is an exploit.
Care to point to a wikipedia entry or something on this 'attack'? I can't even access the site.
I assume that it's simply setting styles on links using the ":visited" pseudo-selector, and then either:

1. Using JavaScript to get the rendered style, and thus work out whether you've visited a particular URL, or

2. Setting background images on links which only apply when visited, and checking whether your browser retrieved those images.

It's a rather old and well-known trick.

Ok. Since I couldn't access the site, I didn't even know what it was supposed to be doing... other than 'an old and well-known trick' and something to do with browser history.
Wow. That is very clever, and very, very scary.

I was unaware of that particular attack, though now that I've read about it, it makes perfect sense.

Maybe it's time to set my work machine to not keep my browsing history (like my home machine)...

Hacker News is among the 5000 most popular sites!
This site produces a HTTP 500 error for me. Would someone please provide a description of what was there?
that is what it knows about you.
Unfortunately, this is just really old news and really lame. Man, I hate using the word lame. Its not an "attack". Its simply taking advantage of a feature built into all browsers since like 2000 or before.
It is old news, but CSS history 'browsing' can be used as an attack to find authz tokens in certain URLs.
It's old and it's somewhat lame, but it is an attack. CSS and the DOM were designed not to allow this sort of information leak. They missed a spot.
The problem, of course, is how to solve this without neutering both CSS and the DOM in the process.
Maybe :visited should not apply to cross domain links.
Ubuntu, xkcd, freepatentsonline.com, bing, google, yahoo, mozilla, technorati, wordpress, winamp, posterous, and HN.

I guess the internet thinks I'm a geek.

(comment deleted)
The information on that site is a bit misleading. How would they figure out your name? Or who your friends were?

They would have to already know your name to search for URLs then that would contain your name. That is a lot of work to be doing in a browser. And if you have a common name, then whoptido. So what?

You can only use this technique against a set of URLs, you can't determine URLs unless you already know what to check against. At that, you would have to know the exact URL to check against.

"This site normally works even when JavaScript is disabled, but we temporarily switched off that functionality for performance reasons. Please come back in a couple of hours."

Riiight.

Congratulations, we did not find anything in this category in your browser history. Feel free to try our other browser history tests.
I think they mean what the Web knows about you. The Internet sure as hell doesn't know about my email habits or how much streaming I do of music.