Author Topic: Sniffing Browser History with NO Javascript and what to do about it....  (Read 2860 times)


polonus

Hi malware fighters,

Sniffing Browser History with NO Javascript, slow but can be performed, no sweat, a privacy hole!

How this privacy leakage is performed is rather simple. The only thing a website needs to do is load a hidden iframe with many, many links. Whenever a link has been visited before, a background pre-defined inside the CSS is loaded. This "background" will log the information and will save it accordingly. This page shows the attack as it evolves: http://www.making-the-web.com/misc/sites-you-visit/nojs/

But it can also be done on a "normal" page using view-state.

Edit: Web Developer does not offer a possibility to globally set an overruling CSS; the Firefox plugin Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) can. Make up the following (global) style:

Code:
    a:visited {
        background: none !important;
        background-image: none !important;
        list-style-image: none !important;
    }

O.K., that will work, but there is yet another way to block this with an extension named RefControl. There you can set, globally and on a per-site basis, what the referring header should be. This could be, for instance, to enforce the root of the site (block third party, etc.), so for example htxp://www.asIlike_tosee it. com/, and if that hampers functionality, sometimes the real referrer.

There is also a third way, namely to block all Meta Redirects; then this sniffing also does not function anymore. So there are more ways to get the required result and block sniffing of browser history in this way.

It is a pity that we have to be educated about all the possibilities (like some here on the forums) to be protected against these issues, that's why I bring it to your attention,

polonus
« Last Edit: June 16, 2009, 12:36:57 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus

Hi malware fighters,

And so, on now to the real facts as we have them from the NoScript developer, Giorgio Maone, debunking all the assumptions above. Why has no one commented on my wrong exposé in the former posting?

    polonus's first assumption: the Fx plugin Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) can. Make the following (global) style:

    Code:
        a:visited {
            background: none !important;
            background-image: none !important;
            list-style-image: none !important;
        }


    O.K. that works,


No it doesn't, for instance:

Code:
    #playboy:visited span { background-image: url(/log.php?url=playboy.com) }
    #google:visited > div { list-style-image: url(/log.php?url=google.com) }

and their infinite variations.

    polonus's second assumption: but there is yet another way to block this with an extension, named: RefControl


Absolutely not. The HTTP Referer header has nothing to do with history sniffing.

    another assumption by polonus: There is also a third way, namely to block all Meta Redirects; then this sniffing also does not function anymore,
And quoting from Giorgio Maone:
Quote
Sorry, that's incorrect too. This trick is not related to Meta Redirects either.

    Not mentioned by me but the one and only cure

I've considered adding some protection against this "attack" three years ago, when it was "revealed" by my friend Jeremiah Grossman.
However, I gave up because there was no "simple" solution, as everyone who sees this for the first time (or sees it again after forgetting about it) seems to believe.
The only effective approach, as I said multiple times, is SafeHistory. Period.
If SafeHistory stops being actively developed (as it seems), I can consider taking over its development and/or integrate it in NoScript, but I've got to find the time: NoScript's TODO list is nearly infinite, despite some moronic slanders which some people keep spreading...

So forum folks here, we are all now fully informed,

polonus
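
Added example, not part of the original posts and not code from NoScript, Stylish or SafeHistory: a small Node.js scanner that flags stylesheet rules which depend on `:visited` and fetch a `url()`, and reports whether the styled element is the link itself, which is the only case the `a:visited` override from the first post matches. The function names, the sample stylesheet and the `#ex` / example.org rule are constructed for illustration.

```javascript
// Constructed sample: the override from the first post, the two page rules
// quoted in the reply, and one hypothetical rule that styles the link itself.
const SAMPLE_CSS = `
a:visited { background: none !important; background-image: none !important; }
#playboy:visited span { background-image: url(/log.php?url=playboy.com) }
#google:visited > div { list-style-image: url(/log.php?url=google.com) }
#ex:visited { background: url(/log.php?url=example.org) }
`;

// Split a flat stylesheet (no @-rules, no comments) into selector/body pairs.
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    for (const sel of m[1].split(',')) {
      rules.push({ selector: sel.trim(), body: m[2].trim() });
    }
  }
  return rules;
}

// Report every rule whose selector depends on :visited and whose
// declarations cause a network fetch through url().
function findVisitedBeacons(css) {
  const findings = [];
  for (const { selector, body } of parseRules(css)) {
    if (!/:visited\b/i.test(selector)) continue;
    const urls = [...body.matchAll(/url\(\s*['"]?([^'")]+)['"]?\s*\)/gi)]
      .map((u) => u[1].trim());
    if (urls.length === 0) continue;
    // The styled element is the last compound selector. If :visited sits on
    // an earlier compound, the fetch is attached to a descendant, child or
    // sibling of the link, which an a:visited override never matches.
    const compounds = selector.split(/\s*[>+~]\s*|\s+/).filter(Boolean);
    const subject = compounds[compounds.length - 1];
    findings.push({ selector, urls, subjectIsLink: /:visited\b/i.test(subject) });
  }
  return findings;
}

console.log(JSON.stringify(findVisitedBeacons(SAMPLE_CSS), null, 2));
```

Rules reported with `subjectIsLink: false` are the "infinite variations" case: the global `a:visited` style leaves them untouched.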