History stealing 2.0 - I know where you live
Tests with around 270,000 web users found that 76% were vulnerable to history stealing. The tests detected visits to an average of 62 pages from the most popular websites. The developers went to some lengths in compiling their list of links to check. They first added the addresses of more than 6,000 popular websites, news sites, adult sites, social networks and Wikileaks. Using these links, they crawled the sites for sub-pages, forms and images. For news sites, they also added recent RSS feeds for checking links.
They then added links to websites on which users frequently enter their postcode, such as weather sites. By testing a range of locations, they were able to detect postcodes in 9% of their tests – though these could of course have been postcodes for users' upcoming weekend breaks. Using the same technique, they tested a list of 10,000 words and phrases to see if they had been entered into Google or Bing.
The complete document is available online: "Feasibility and Real-World Implications of Web Browser History Detection"
- Indiscrete web browsers assist de-anonymisation, a report from The H.
- Attackers able to read out list of visited web pages, a report from The H.