Attackers able to read out list of visited web pages
"I know which web sites you visited last summer." Whilst it is not possible to determine the exact time of a visit, a web site may use a browser's history to find out if a certain site has been launched in the past. This could, for instance, help phishers to determine the bank of a potential victim or allow internet vendors to find out which competitive sites a user has visited.
The problem has to do with the way browsers store information on the usage of links. Visited links are displayed in a different colour than links that have not been activated. Such changes in colour are based on stylesheet settings for the respective HTML document and are stored by the browser as attributes in the history. Some months ago, security specialist Jeremiah Grossman published a sample program which can be used to exploit this behaviour.
Grossman built a JavaScript with quite a long list of potential web sites; when launching the sites, he tested the colour scheme in the stylesheet, which provided information on which sites had been visited. While this does not mean that the history is actually read out, a list of sufficient length makes it possible to test key sites.
At present, the program only works with Mozilla derivatives (Firefox, Netscape etc.) and Safari. An online demo to test one's own history is available on ha.ckers.org. The only way to avoid this special kind of attack is to disable JavaScript.
However, there is also a way to sniff out the browser history without JavaScript; the first people to present this method have been researchers from the University of Indiana. An attacker may use stylesheet properties to reload different background images, depending on whether the site was visited in the past or not. Manipulated HTML pages allow attackers to track the history without any script just by monitoring if the page reloads images. Since yesterday, a demo has been available on ha.ckers.org, implemented by RSnake; it works with Firefox and also Internet Explorer 7 and Opera 9.10. The plug-in SafeHistory provided by Stanford University provides protection against such visited-link-based tracking techniques.
- Steal Browser History Without JavaScript, article by RSnake
- CSS History Hack Without JavaScript, online demo
- Guessing Your Bank, article by Markus Jakobsson Sid Stamm, University of Indiana
- I know where you've been, article by Jeremiah Grossman
- CSS History Hack, online demo
(ehe)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
