Browser History Sniffing

By Salgoth
in Web Browser Discussion & Support

 Share

Recommended Posts

Mentor

kimsland

Posted
Posted
Links open in new windows. Although it is not required for the exploit, meta refreshes must be enabled to view this demo. * In most configurations.

Have a read here: http://forums.mozillazine.org/viewtopic.php?f=7&t=859575

Basically: (in Firefox)

about:config

accessibility.blockautorefresh

Double click on: "accessibility.blockautorefresh"

Try http://making-the-web.com/misc/sites-you-visit/nojs/ again :)

Community Regular

code.kliu.org

Posted
Posted (edited)

This isn't anything new: Mozilla has documented this "flaw" since 2000. The reason that this isn't that serious is that they can't retrieve an arbitrary history: just if you have visited a specific URL (not even a particular domain or site!) that it asks for. So unless the attacker explicitly asks if you've been to http://example.org/47, it will never know that you've been to http://example.org/47. It can't find that out by probing http://example.org/, http://example.org/47?x, or even http://example.org/47/. It must probe http://example.org/47, verbatim. Brute-forcing every possible URL? Yea, good luck with that. Brute-forcing every possible URL over a network connection? I think this just won the Most Impractical Exploit Award.

Practically, the extent of this flaw is to make for a nice sensationalist parlor trick for use by some grandstanding website that claims to have "discovered" a hole that people had known about for a decade, capable of determining if you've ever been to a common site, like google.com. Utterly useless for any sort of meaningful attack. Not to mention, it's slow and burdensome on the attacker's server.

As for disabling META refreshes, that's silly. It's not going to save you from this "exploit"--it's used by this particular demo, and that's it. I can use this exploit to sniff your browser history regardless of whether you have disabled META refreshes. And disabling META refreshes in general is usually a pretty big hit on usability (for a selective block of META refreshes, you can use NoRedirect, but with respect to this sniffing exploit, it's completely irrelevant).

Edited by code.kliu.org
Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted (edited)

You have to stop :visited from working, you could do a "same origin" restriction on it, change getComputedStyle to always return the default state, or just plain break it. It's not that much of a "flaw" anyway, as code.kliu.org said you have to guess the exact URL used, but if you're paranoid you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

Edited by The_Decryptor
Mentor

Salgoth

Posted
  • Author
Posted

Thanks The_Decrytor and code.kliu.org!

This is what I love about Neowin! I'm a moron when it comes to coding but there are always some pretty BRILLIANT people on Neowin to set me straight.

I feel relaxed that it's such a difficult sniff to use and knowing it can be blocked if I wish by changing that layout.css.visited_links_enabled value.

Thanks again!

Mentor

kimsland

Posted
Posted
you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Are you using Firefox 3.5? The preference doesn't exist in 3.0.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Popular Now

  • Posts

    • Windows 11's big performance boost is finally available for all

      By WaltC · Posted

      All it does is use the CPU more efficiently during boot to speed up boot times. That's it. Yawn....
    • Windows 11's big performance boost is finally available for all

      By sphbecker · Posted

      It's not a one or the other kind of thing. Software should run efficiently, and the operating system should appropriately manage the CPU clocks. You could have the best most optimized software on earth, and it will still run faster if the CPU does a better job of boosting as needed. All this is doing is pre-boosting the CPU based on user actions, instead of waiting for the normal detection mechanism to kick in. If the OS knows it is about to need more CPU, why shouldn't it use that knowledge? It's the same idea of downshifting before you try to pass someone, instead of just burying your foot into the peddle and waiting for the transmission to figure out what you want to do.
    • Audacity 3.7.8

      By Copernic · Posted

      Audacity 3.7.8 by Razvan Serea Audacity is a free, open source digital audio editor and recording application. Edit your sounds using cut, copy, and paste features (with unlimited undo functionality), mix tracks, or apply effects to your recordings. The program also has a built-in amplitude-envelope editor, a customizable spectrogram mode, and a frequency-analysis window for audio-analysis applications. Built-in effects include bass boost, wah wah, and noise removal, and the program also supports VST plug-in effects. You can use Audacity to: Record live audio. Record computer playback on any Windows Vista or later machine. Convert tapes and records into digital recordings or CDs. Edit WAV, AIFF, FLAC, MP2, MP3 or Ogg Vorbis sound files. AC3, M4A/M4R (AAC), WMA and other formats supported using optional libraries. Cut, copy, splice or mix sounds together. Numerous effects including change the speed or pitch of a recording. Write your own plug-in effects with Nyquist. And more! See the complete list of features. Audacity 3.7.8 changelog: #10688 Fixed an exception thrown when pasting into a newly-created track (Thanks, David Bailes (@DavidBailes)!) #10870, #10884, #10775, #10629 Fixed tone generation, waveform-scale setting, SetClip Name parameter, and clip-boundary command names for scripting and macros (Thank you, David Bailes (@DavidBailes)!) #11106 Fixed the loading of presets for the Distortion effect (A million thanks, David Bailes (@DavidBailes)!) #10947 Fixed paste into an empty audio track not preserving the source sample rate (Thanks, Juan Gabriel Colonna (@juancolonna)!) #10776 Allowed AltGr modifier in label and clip name editing (Thanks, Davide Peressoni (@DPDmancul)!) #9938 Added options to choose where silence is truncated (start/middle/end) (Thanks, Noah Rosenfield (@nosenfield)!) #9935 Added Podcast 2.0 chapters JSON export for label tracks (Thanks, Noah Rosenfield (@nosenfield)!) #10103 Improve UI on HiDPI displays on Linux/wxGTK (Thanks, Ivan A. Melnikov (@iv-m)!) #10099 Fixed MixerBoard Mute and Solo button display (Thanks, Ivan A. Melnikov (@iv-m)!) #10681 Fixed multichannel FLAC import #10999 Fixed envelope being broken after joining clips Download: Audacity 64-bit | Standalone ~20.0 MB (Open Source) Download: Audacity 32-bit | Standalone Download: Audacity ARM64 | Standalone View: Audacity Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Windows 11's big performance boost is finally available for all

      By George P · Posted

      There really isn't anything magical about the low latency profile, other OS's do this as well. All they're doing is using your CPUs boost clock options in a more smarter way.
    • Windows 11's big performance boost is finally available for all

      By +Good Bot, Bad Bot · Posted

      So we shouldn't have the option because of people using their laptops on battery? OK? LOL

  • Recent Achievements

    • One Month Later
      Star Processing earned a badge
      One Month Later
    • Week One Done
      Star Processing earned a badge
      Week One Done
    • One Year In
      Star Processing earned a badge
      One Year In
    • Week One Done
      FBSPL earned a badge
      Week One Done
    • One Year In
      Jim Dugan earned a badge
      One Year In

  • Popular Contributors

    1. 1
      +primortal
      494
    2. 2
      PsYcHoKiLLa
      198
    3. 3
      +Edouard
      155
    4. 4
      Steven P.
      84
    5. 5
      ATLien_0
      69
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!