In association with heise online

21 May 2010, 12:48

History stealing 2.0 - I know where you live

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Espionage Logo Two developers have refined techniques for rummaging through browser histories to the extent that web sites can now find out what articles a user has recently read on news sites, their exact postcode and which search terms that have entered into search engines. The developers, Artur Janc and Lukasz Olejnik, have now refined their JavaScript code to carry out history stealing six times faster than previous methods.

History stealing makes use of the way browsers record whether users have previously clicked on a link (a simple online test is available). Previously clicked links are displayed in a different colour to links to pages which have not yet been visited. The different colours are produced by a change in the style sheet (CSS) for the HTML file, which the browser stores as an attribute in its history. JavaScript can be used to test a list of potential web sites and the style sheet's colour scheme and work out which web sites have been visited. The longer the list, the greater the chance of scoring a hit. The refined JavaScript code allows a web site to test 30,000 links per second.

There are also methods for accessing browser history which do not make use of JavaScript. These involve taking advantage of the ability to use style sheets to load different background images depending on whether or not a web site has previously been visited. An attacker can query a user's history without using JavaScript by using crafted HTML pages and observing which images the web pages load. Janc and Olejnik have also included this method, which they claim works even where JavaScript is disabled and plug-ins like NoScript are installed, in their test.

Tests with around 270,000 web users found that 76% were vulnerable to history stealing. They detected visits to an average of 62 pages from the most popular websites. The developers went to some lengths in compiling their list. They first added the addresses of more than 6,000 popular websites, news sites, adult sites, social networks and Wikileaks. Using these links, they crawled the sites for sub-pages, forms and images. For news sites, they also added recent RSS feeds for checking links.

They then added links to websites on which users frequently enter their postcode, such as weather sites. By testing a range of locations, they were able to detect postcodes in 9% of their tests – though these could of course have been postcodes for users' upcoming weekend breaks. Using the same technique, they tested a list of 10,000 words and phrases to see if they had been entered into Google or Bing.

According to Janc and Olejnik, one of the surprising results of the study is that for some tests detection rates were higher where JavaScript was disabled than where it was activated. They consider that companies should bear this in mind when contemplating browser security. One effective method of preventing history stealing is to delete the history at frequent intervals.

The complete document is available online: "Feasibility and Real-World Implications of Web Browser History DetectionPDF"

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit