Browser History Sniffing

By Salgoth
in Web Browser Discussion & Support

 Share

Recommended Posts

Mentor

kimsland

Posted
Posted
Links open in new windows. Although it is not required for the exploit, meta refreshes must be enabled to view this demo. * In most configurations.

Have a read here: http://forums.mozillazine.org/viewtopic.php?f=7&t=859575

Basically: (in Firefox)

about:config

accessibility.blockautorefresh

Double click on: "accessibility.blockautorefresh"

Try http://making-the-web.com/misc/sites-you-visit/nojs/ again :)

Community Regular

code.kliu.org

Posted
Posted (edited)

This isn't anything new: Mozilla has documented this "flaw" since 2000. The reason that this isn't that serious is that they can't retrieve an arbitrary history: just if you have visited a specific URL (not even a particular domain or site!) that it asks for. So unless the attacker explicitly asks if you've been to http://example.org/47, it will never know that you've been to http://example.org/47. It can't find that out by probing http://example.org/, http://example.org/47?x, or even http://example.org/47/. It must probe http://example.org/47, verbatim. Brute-forcing every possible URL? Yea, good luck with that. Brute-forcing every possible URL over a network connection? I think this just won the Most Impractical Exploit Award.

Practically, the extent of this flaw is to make for a nice sensationalist parlor trick for use by some grandstanding website that claims to have "discovered" a hole that people had known about for a decade, capable of determining if you've ever been to a common site, like google.com. Utterly useless for any sort of meaningful attack. Not to mention, it's slow and burdensome on the attacker's server.

As for disabling META refreshes, that's silly. It's not going to save you from this "exploit"--it's used by this particular demo, and that's it. I can use this exploit to sniff your browser history regardless of whether you have disabled META refreshes. And disabling META refreshes in general is usually a pretty big hit on usability (for a selective block of META refreshes, you can use NoRedirect, but with respect to this sniffing exploit, it's completely irrelevant).

Edited by code.kliu.org
Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted (edited)

You have to stop :visited from working, you could do a "same origin" restriction on it, change getComputedStyle to always return the default state, or just plain break it. It's not that much of a "flaw" anyway, as code.kliu.org said you have to guess the exact URL used, but if you're paranoid you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

Edited by The_Decryptor
Mentor

Salgoth

Posted
  • Author
Posted

Thanks The_Decrytor and code.kliu.org!

This is what I love about Neowin! I'm a moron when it comes to coding but there are always some pretty BRILLIANT people on Neowin to set me straight.

I feel relaxed that it's such a difficult sniff to use and knowing it can be blocked if I wish by changing that layout.css.visited_links_enabled value.

Thanks again!

Mentor

kimsland

Posted
Posted
you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Are you using Firefox 3.5? The preference doesn't exist in 3.0.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft explains why PowerToys 0.100.0 is faster and slimmer, there are new features too

      By matthiew · Posted

      I just looked on my computer and there are settings and log files for utilities I have never even turned on!
    • O&O ShutUp10 3.1.1104

      By Copernic · Posted

      O&O ShutUp10 3.1.1104 by Razvan Serea O&O ShutUp10 offers a simple yet effective way to take control of your Windows privacy. It provides access to almost 50 privacy-related tweaks, most of them hidden or not easily accessible to the average computer users. Using a very simple interface, you decide how Windows 10/11 should respect your privacy by deciding which unwanted functions should be deactivated. Using ShutUp10 you can easily disable Windows Defender, turn off telemetry, disable peer-to-peer updates, turn off Wi-Fi Sense, disable automatic Windows updates, turn off and reset Cortana and more. ShutUp10 allows you to create a System Restore point before you apply any changes, so that you can revert your system at any time if you run into problems. O&O ShutUp10 is entirely free and does not have to be installed – it can be simply run directly and immediately on your PC. And it will not install or download retrospectively unwanted or unnecessary software, like so many other programs do these days! O&O ShutUp10 Free and Premium The latest version brings O&O ShutUp10 Premium, expanding the app’s long-standing privacy controls with automatic enforcement of user-defined settings. Instead of manually rechecking options after every Windows update, users can set their preferred privacy configuration once—or apply recommended settings in a single click—and the tool continuously monitors them in the background. If Windows 10 or 11 re-enables disabled features or introduces new data collection paths, Premium restores the chosen settings automatically without user intervention. The free version remains available and fully functional for manual adjustments, offering the same core privacy controls for Windows. However, the Premium tier is aimed at users who want long-term, hands-off protection, adding automatic reapplication after updates, ongoing monitoring, and optional notifications to ensure privacy settings remain consistent over time. O&O ShutUp10 3.1.1104 changelog: Added “Show Differences” button in the overview panel “Don’t show again” option for the restore point prompt Ctrl+F keyboard shortcut for search/filter functionality Detection and linking of system-wide and user-specific setting associations Automatic search while typing PREM: Option to preserve notification counters and timestamps across application restarts PREM: Reset blocked settings button in the Settings dialog PREM: Informational message when no settings are blocked PREM: Update check can also be triggered from the menu PREM: Notification deduplication and activity log summary feature Improved L005 “Disable Windows Location Service”: Version-specific split (up to Windows 11 23H2) and new variant for Windows 11 24H2+ L001 (Disable Location): Added Night Light warning to the description in all languages Search now detects setting IDs even when ID display is disabled and offers to enable it Detection and removal of Copilot/AI desktop apps in RecallTerminator Optimized High DPI support PREM: Reset button is now only enabled when blocked items exist – setting IDs are shown in the confirmation dialog PREM: Updated tray icons with higher-resolution versions PREM: Activity Log timestamps now use localized date and time formats PREM: Tray icon status now uses OK/Warning indicators and localized tooltips PREM: Recall folder detection switched to service-based detection PREM: Copilot uninstallation now provides UI feedback and improved verification Fixed Description text was not displayed correctly for the last item and disappeared when clicking the scrollbar Crash when clicking a search result heading or the […] button PREM: Installation path is now correctly preserved during upgrades PREM: Tray icon was not reliably removed when exiting the application PREM: Main window was not displayed correctly in single-instance mode PREM: Incorrect display of the & symbol in tray icon tooltips on Windows 10 PREM: Fixed notification flooding after sleep/standby PREM: Dashboard was not refreshed after applying recommended settings during onboarding PREM: Progress bar was not reset after deleting Recall folders PREM: Fixed service startup failures PREM: Fixed incorrect drift detection when Automatic Protection was disabled PREM: Notifications now correctly count all deviating settings when protection is enabled PREM: Registration Wizard was shown after sleep/standby despite a valid license Download: O&O ShutUp10 3.1.1104 | 76.4 MB (Freeware) Download: O&O ShutUp10 32-bit | ARM64 View: O&O ShutUp10 Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • New Site Moderation

      By +Edouard · Posted

      Fascinating...W h i t e P o w e r is now also asterisks out.  
    • New Site Moderation

      By +Edouard · Posted

      In the past few days I have noticed two odd moderation activities. First, when I posted the term 'White Nationist Christian' it was asterisk's out. When I changed it to **** it was allowed! Second, in the Politics is a ###business thread I was allowed to post that the GOP is a party of p e d ophiles but I was censored  when I posted the GOP are a party of p e d ophile protectors. Wtf Neowin. Please explain.
    • Latest Rufus update improves new Windows 11 install method

      By WITHOUT-ME · Posted

      send him paypal

  • Recent Achievements

    • One Month Later
      Vincian earned a badge
      One Month Later
    • First Post
      Jocimo earned a badge
      First Post
    • Week One Done
      suprememobiles48 earned a badge
      Week One Done
    • One Month Later
      Windows Guy earned a badge
      One Month Later
    • One Month Later
      Prasann earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      547
    2. 2
      +Edouard
      166
    3. 3
      PsYcHoKiLLa
      86
    4. 4
      Steven P.
      66
    5. 5
      neufuse
      65
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!