Browser History Sniffing

By Salgoth
in Web Browser Discussion & Support

 Share

Recommended Posts

Mentor

kimsland

Posted
Posted
Links open in new windows. Although it is not required for the exploit, meta refreshes must be enabled to view this demo. * In most configurations.

Have a read here: http://forums.mozillazine.org/viewtopic.php?f=7&t=859575

Basically: (in Firefox)

about:config

accessibility.blockautorefresh

Double click on: "accessibility.blockautorefresh"

Try http://making-the-web.com/misc/sites-you-visit/nojs/ again :)

Community Regular

code.kliu.org

Posted
Posted (edited)

This isn't anything new: Mozilla has documented this "flaw" since 2000. The reason that this isn't that serious is that they can't retrieve an arbitrary history: just if you have visited a specific URL (not even a particular domain or site!) that it asks for. So unless the attacker explicitly asks if you've been to http://example.org/47, it will never know that you've been to http://example.org/47. It can't find that out by probing http://example.org/, http://example.org/47?x, or even http://example.org/47/. It must probe http://example.org/47, verbatim. Brute-forcing every possible URL? Yea, good luck with that. Brute-forcing every possible URL over a network connection? I think this just won the Most Impractical Exploit Award.

Practically, the extent of this flaw is to make for a nice sensationalist parlor trick for use by some grandstanding website that claims to have "discovered" a hole that people had known about for a decade, capable of determining if you've ever been to a common site, like google.com. Utterly useless for any sort of meaningful attack. Not to mention, it's slow and burdensome on the attacker's server.

As for disabling META refreshes, that's silly. It's not going to save you from this "exploit"--it's used by this particular demo, and that's it. I can use this exploit to sniff your browser history regardless of whether you have disabled META refreshes. And disabling META refreshes in general is usually a pretty big hit on usability (for a selective block of META refreshes, you can use NoRedirect, but with respect to this sniffing exploit, it's completely irrelevant).

Edited by code.kliu.org
Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted (edited)

You have to stop :visited from working, you could do a "same origin" restriction on it, change getComputedStyle to always return the default state, or just plain break it. It's not that much of a "flaw" anyway, as code.kliu.org said you have to guess the exact URL used, but if you're paranoid you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

Edited by The_Decryptor
Mentor

Salgoth

Posted
  • Author
Posted

Thanks The_Decrytor and code.kliu.org!

This is what I love about Neowin! I'm a moron when it comes to coding but there are always some pretty BRILLIANT people on Neowin to set me straight.

I feel relaxed that it's such a difficult sniff to use and knowing it can be blocked if I wish by changing that layout.css.visited_links_enabled value.

Thanks again!

Mentor

kimsland

Posted
Posted
you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Are you using Firefox 3.5? The preference doesn't exist in 3.0.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • This is how much iPhone 18 Pro could cost after Apple's price hike confirmed

      By cork1958 · Posted

      While I agree with all that, it just proves there's an a** built for every seat.
    • Epic Games says Unreal Engine 6 will help developers "build content faster" using AI models

      By +pmrd · Posted

      Lol are you mad because I'm not using AI? I'd rather pay people than lose a bunch of potential customers and get humilated because I used AI. A lot of people won't purchase a game if it used AI during development.
    • LibreWolf 152.0-1

      By Copernic · Posted

      LibreWolf 152.0-1 by Razvan Serea LibreWolf is an independent “fork” of Firefox, with the primary goals of privacy security and user freedom. It is the community run successor to LibreFox. LibreWolf is designed to increase protection against tracking and fingerprinting techniques, while also including a few security improvements. This is achieved through our privacy and security oriented settings and patches. LibreWolf also aims to remove all the telemetry, data collection and annoyances, as well as disabling anti-freedom features like DRM. LibreWolf features: Latest Firefox — LibreWolf is compiled directly from the latest build of Firefox Stable. You will have the the latest features, and security updates. Independent Build — LibreWolf uses a build independent of Firefox and has its own settings, profile folder and installation path. As a result, it can be installed alongside Firefox or any other browser. No phoning home — Embedded server links and other calling home functions are removed. In other words, minimal background connections by default. User settings updates Extensions firewall: limit internet access for extensions. Multi-platform (Windows/Linux/Mac/and soon Android) Community-Driven Dark theme (classic and advanced) LibreWolf privacy features: Delete cookies and website data on close. Include only privacy respecting search engines like DuckDuckGo and Searx. Include uBlockOrigin with custom default filter lists, and Tracking Protection in strict mode, to block trackers and ads. Strip tracking elements from URLs, both natively and through uBO. Enable dFPI, also known as Total Cookie Protection. Enable RFP which is part of the Tor Uplift project. RFP is considered the best in class anti-fingerprinting solution, and its goal is to make users look the same and cover as many metrics as possible, in an effort to block fingerprinting techniques. Always display user language as en-US to websites, in order to protect the language used in the browser and in the OS. Disable WebGL, as it is a strong fingerprinting vector. Prevent access to the location services of the OS, and use Mozilla's location API instead of Google's API. Limit ICE candidates generation to a single interface when sharing video or audio during a videoconference. Force DNS and WebRTC inside the proxy, when one is being used. Trim cross-origin referrers, so that they don't include the full URI. Disable link prefetching and speculative connections. Disable disk cache and clear temporary files on close. Disable form autofill. Disable search and form history...and more. LibreWolf 152.0-1 changelog: Upstream release, see the Firefox 152.0 Release Notes Notable changes: The AppImages are now built on Codeberg along with the other releases We have decided to wait a bit longer to enable the settings redesign, due to use being aware of multiple upstream issues Download: LibreWolf 64-bit | Portable 64-bit | ~100.0 MB (Open Source) Download: ARM64 | Portable ARM64 Links: LibreWolf Home Page | Addons | Screenshot | Reddit Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Epic Games says Unreal Engine 6 will help developers "build content faster" using AI models

      By +pmrd · Posted

      hahahahah wow hahahah you sure got me there hahahahahah, you know that bad performance is always due to poor optimization by the developers, right???
    • This is how much iPhone 18 Pro could cost after Apple's price hike confirmed

      By Snake Doc · Posted

      "I know for a fact I'll never own one of these." This is why choice is better than government regulation. Globaly Android has something like 72% of the smartphone market. Granted the vast majority of that is low end phones. Apple can and should charge whatever they want. The market will decide if it is too much.

  • Recent Achievements

    • Week One Done
      Huge Trailer earned a badge
      Week One Done
    • Week One Done
      Classifyskilleducation earned a badge
      Week One Done
    • One Month Later
      eurospharma62 earned a badge
      One Month Later
    • Week One Done
      With What earned a badge
      Week One Done
    • Week One Done
      Harris Gilbert earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      560
    2. 2
      +Edouard
      168
    3. 3
      PsYcHoKiLLa
      72
    4. 4
      Michael Scrip
      64
    5. 5
      ATLien_0
      64
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!