Thursday, December 2, 2010

CSS History Hack

The CSS History Hack is an attack already explained by Jeremiah Grossman in 2006. In a nutshell, it is possible to use CSS and JavaScript to learn which pages our 'guest' has visited before. How? The web browser changes the state of the links the user has already visited.

Forbes explains that some popular sites like YouPorn are using this technique to know which other porn sites the user has visited before.

How does it work? It’s based on your browser changing the color of links you’ve already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,” meaning you’ve clicked them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some easy-to-break cryptography.*

 The porn site is not alone in its desire to know what other websites visitors have visited. A group of researchers from the University of California – San Diego trolled through the Web’s most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”

 The researchers who wrote the paper identifying this practice call it “history hijacking” or “history sniffing.” Mozilla, the foundation behind Web browser Firefox, calls it the “CSS: visited history bug.” It’s a bug that’s been discussed in developer circles for over a decade. Some browsers have fixed the bug. If you’re surfing using Chrome or Safari, this script doesn’t work. Firefox has fixed it in its newest version (for a long explanation as to how, see this post on the Mozilla security blog.) Internet Explorer, the most popular browser out there, is vulnerable to the history sniffing (though you can prevent it by going through the slightly onerous step of activating InPrivate Browsing, according to a spokesperson. That feature also blocks ad networks’ cookies, reports Business Insider.)
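For anyone auditing third-party scripts, the behaviour quoted above (a script that builds links to a list of other sites and reads back their rendered color) can be triaged from source. The following Node.js sketch is an added example, not code from the original post, Forbes or the cited paper; the indicator names, the three-host threshold and both sample scripts are constructed assumptions.

```javascript
// Added example: static triage for history-sniffing indicators in a script.
// Indicator names and the scoring threshold are assumptions for illustration.
const INDICATORS = {
  computedStyleRead: /\bgetComputedStyle\s*\(|\.currentStyle\b/,
  colorRead: /\.color\b|getPropertyValue\s*\(\s*['"]color['"]\s*\)/,
  anchorCreated: /createElement\s*\(\s*['"]a['"]\s*\)|<a\s[^>]*href/i,
  visitedRule: /:visited\b/,
};

// Collect distinct hosts of absolute URLs that appear as string literals.
function literalHosts(source) {
  const hosts = new Set();
  const re = /['"]https?:\/\/([^\/'"\s]+)[^'"]*['"]/g;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

function triageScript(source, pageHost) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  const offSite = [...literalHosts(source)].filter((h) => h !== pageHost);
  // Suspicious: reads a computed color, builds links or :visited rules,
  // and carries a list of off-site URLs to test.
  const readsLinkStyle = hits.includes('computedStyleRead') && hits.includes('colorRead');
  const buildsLinks = hits.includes('anchorCreated') || hits.includes('visitedRule');
  const suspicious = readsLinkStyle && buildsLinks && offSite.length >= 3;
  return { hits, offSiteHosts: offSite.sort(), suspicious };
}

// Constructed samples (not taken from any real site).
const SNIFFING_SAMPLE = `
  var sites = ["http://site-a.example/", "http://site-b.example/", "http://site-c.example/"];
  for (var i = 0; i < sites.length; i++) {
    var a = document.createElement("a");
    a.href = sites[i];
    document.body.appendChild(a);
    var seen = getComputedStyle(a, null).color == "rgb(128, 0, 128)";
  }`;
const BENIGN_SAMPLE = `
  var el = document.getElementById("banner");
  var c = getComputedStyle(el).color;
  el.style.borderColor = c;`;

console.log(triageScript(SNIFFING_SAMPLE, 'www.example.org'));
console.log(triageScript(BENIGN_SAMPLE, 'www.example.org'));
```

A script disguised the way the quoted article describes has to be decoded before a source-level check like this can see the indicators, so treat a clean result on obfuscated code as inconclusive.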
