Ok. Since I couldn't access the site, I didn't even know what it was supposed to be doing... other than 'an old and well-known trick' and something to do with browser history.
Unfortunately, this is just really old news and really lame. Man, I hate using the word lame. Its not an "attack". Its simply taking advantage of a feature built into all browsers since like 2000 or before.
The information on that site is a bit misleading. How would they figure out your name? Or who your friends were?
They would have to already know your name to search for URLs then that would contain your name. That is a lot of work to be doing in a browser. And if you have a common name, then whoptido. So what?
You can only use this technique against a set of URLs, you can't determine URLs unless you already know what to check against. At that, you would have to know the exact URL to check against.
"This site normally works even when JavaScript is disabled, but we temporarily switched off that functionality for performance reasons. Please come back in a couple of hours."
31 comments
[ 2.2 ms ] story [ 88.2 ms ] threadI keep up with most tech-related news as well as I can and I had never heard of it until now...
I'd be interested to see how many people actually have heard about it before.
Most people aren't aware of this.
Hopefully it was a success for you!
1. Using JavaScript to get the rendered style, and thus work out whether you've visited a particular URL, or
2. Setting background images on links which only apply when visited, and checking whether your browser retrieved those images.
It's a rather old and well-known trick.
I was unaware of that particular attack, though now that I've read about it, it makes perfect sense.
Maybe it's time to set my work machine to not keep my browsing history (like my home machine)...
http://www.azarask.in/blog/post/socialhistoryjs/
http://news.ycombinator.com/item?id=248558
http://news.ycombinator.com/item?id=404564
http://news.ycombinator.com/item?id=617546
http://news.ycombinator.com/item?id=717802
http://thecoffeedesk.com/news/index.php/2009/08/02/view-remo...
I guess the internet thinks I'm a geek.
They would have to already know your name to search for URLs then that would contain your name. That is a lot of work to be doing in a browser. And if you have a common name, then whoptido. So what?
You can only use this technique against a set of URLs, you can't determine URLs unless you already know what to check against. At that, you would have to know the exact URL to check against.
Riiight.