Attackers able to read out list of visited web pages
"I know which web sites you visited last summer." Whilst it is not possible to determine the exact time of a visit, a web site may use a browser's history to find out whether a certain site has been visited in the past. This could, for instance, help phishers to determine the bank of a potential victim, or allow internet vendors to find out which competing sites a user has visited.
The problem has to do with the way browsers store information on the usage of links. Visited links are displayed in a different colour from links that have not been followed. Which colour applies is set by the stylesheet of the respective HTML document, and the browser picks the rule according to what it has recorded in its history; a page that can read back the colour it assigned to a link therefore learns whether that link's target has been visited. Some months ago, security specialist Jeremiah Grossman published a sample program which can be used to exploit this behaviour.
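As an added illustration (not code from the article or from any of the linked demos), the following toy model shows the style-resolution behaviour the article describes and the mitigation later adopted by browsers: the :visited rule may only change colour-like properties, and the style reported back to script is always the unvisited one. All object and function names, the stylesheet values and the sample history are constructed for the example; they do not correspond to any real browser API.

```javascript
// Toy model of how a browser resolves the style of a link (constructed example).
// The page author picks different rules for unvisited and visited links; the
// second rule also changes font size, which in an unmitigated browser would
// leak history through layout as well as colour.
const STYLESHEET = {
  link:    { color: "blue",   fontSize: "12px" },
  visited: { color: "purple", fontSize: "20px" }
};

// Constructed sample history, standing in for what the victim's browser knows.
const HISTORY = new Set(["https://bank.example/login", "https://shop.example/"]);

// Properties a :visited rule is still allowed to override in the hardened model:
// only colour-like properties, so no layout or timing differences can arise.
const VISITED_ALLOWED = new Set(["color", "backgroundColor", "borderColor", "outlineColor"]);

// Style actually painted on screen for a link to `url`.
function paintedStyle(url, hardened) {
  const style = { ...STYLESHEET.link };
  if (!HISTORY.has(url)) return style;
  for (const [prop, value] of Object.entries(STYLESHEET.visited)) {
    // Unmitigated: every visited property applies. Hardened: only allowed ones.
    if (!hardened || VISITED_ALLOWED.has(prop)) style[prop] = value;
  }
  return style;
}

// Style reported to script (the getComputedStyle() analogue). In the hardened
// model the browser deliberately reports the unvisited style whatever the
// history says, so the painted colour differs but script cannot observe it.
function computedStyle(url, hardened) {
  return hardened ? { ...STYLESHEET.link } : paintedStyle(url, false);
}

// True if the style observable by script differs from the unvisited rule,
// i.e. if the history of `url` would be revealed to the page.
function leaksVisit(url, hardened) {
  const seen = computedStyle(url, hardened);
  return seen.color !== STYLESHEET.link.color ||
         seen.fontSize !== STYLESHEET.link.fontSize;
}

// Demonstration run: the same visited link leaks in the unmitigated model
// and does not leak in the hardened one.
for (const hardened of [false, true]) {
  console.log(`hardened=${hardened}:`,
    `bank leaks=${leaksVisit("https://bank.example/login", hardened)}`,
    `painted=${JSON.stringify(paintedStyle("https://bank.example/login", hardened))}`);
}
```

The hardened branch models two separate defences: restricting which properties a :visited rule may touch closes layout- and timing-based side channels, and answering style queries with the unvisited style closes the direct read-back that the article's sample program relies on. A user who cannot wait for such a browser fix can also disable visited-link styling outright in the browser's preferences.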
- Guessing Your Bank, article by Markus Jakobsson and Sid Stamm, University of Indiana
- I know where you've been, article by Jeremiah Grossman
- CSS History Hack, online demo