Browser History Sniffing

By Salgoth
in Web Browser Discussion & Support

 Share

Recommended Posts

Mentor

kimsland

Posted
Posted
Links open in new windows. Although it is not required for the exploit, meta refreshes must be enabled to view this demo. * In most configurations.

Have a read here: http://forums.mozillazine.org/viewtopic.php?f=7&t=859575

Basically: (in Firefox)

about:config

accessibility.blockautorefresh

Double click on: "accessibility.blockautorefresh"

Try http://making-the-web.com/misc/sites-you-visit/nojs/ again :)

Community Regular

code.kliu.org

Posted
Posted (edited)

This isn't anything new: Mozilla has documented this "flaw" since 2000. The reason that this isn't that serious is that they can't retrieve an arbitrary history: just if you have visited a specific URL (not even a particular domain or site!) that it asks for. So unless the attacker explicitly asks if you've been to http://example.org/47, it will never know that you've been to http://example.org/47. It can't find that out by probing http://example.org/, http://example.org/47?x, or even http://example.org/47/. It must probe http://example.org/47, verbatim. Brute-forcing every possible URL? Yea, good luck with that. Brute-forcing every possible URL over a network connection? I think this just won the Most Impractical Exploit Award.

Practically, the extent of this flaw is to make for a nice sensationalist parlor trick for use by some grandstanding website that claims to have "discovered" a hole that people had known about for a decade, capable of determining if you've ever been to a common site, like google.com. Utterly useless for any sort of meaningful attack. Not to mention, it's slow and burdensome on the attacker's server.

As for disabling META refreshes, that's silly. It's not going to save you from this "exploit"--it's used by this particular demo, and that's it. I can use this exploit to sniff your browser history regardless of whether you have disabled META refreshes. And disabling META refreshes in general is usually a pretty big hit on usability (for a selective block of META refreshes, you can use NoRedirect, but with respect to this sniffing exploit, it's completely irrelevant).

Edited by code.kliu.org
Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted (edited)

You have to stop :visited from working, you could do a "same origin" restriction on it, change getComputedStyle to always return the default state, or just plain break it. It's not that much of a "flaw" anyway, as code.kliu.org said you have to guess the exact URL used, but if you're paranoid you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

Edited by The_Decryptor
Mentor

Salgoth

Posted
  • Author
Posted

Thanks The_Decrytor and code.kliu.org!

This is what I love about Neowin! I'm a moron when it comes to coding but there are always some pretty BRILLIANT people on Neowin to set me straight.

I feel relaxed that it's such a difficult sniff to use and knowing it can be blocked if I wish by changing that layout.css.visited_links_enabled value.

Thanks again!

Mentor

kimsland

Posted
Posted
you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Are you using Firefox 3.5? The preference doesn't exist in 3.0.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Euro-Office must default to ODF to be considered "genuinely European", LibreOffice argues

      By Snake Doc · Posted

      I disagree; they come off very "bitchy" and "whiny". Make a great product and combine that with a great price (free) and people will come over to your side. Or build it and they will come as they say. Constantly trying to get attention by complaining all the time, will turn people off to your product.
    • Euro-Office must default to ODF to be considered "genuinely European", LibreOffice argues

      By +Eternal Tempest · Posted

      It use to be a nightmare, with LibreOffice supporting a newer draft ODF standard by default, and Microsoft Office supporting the older non-draft standard. Now that they both support the same version of ODF, they should be interoperable.
    • Brave Browser 1.91.171

      By Copernic · Posted

      Brave Browser 1.91.171 by Razvan Serea Brave Browser is a lightning-fast, secure web browser that stands out from the competition with its focus on privacy, security, and speed. With features like HTTPS Everywhere and built-in tracker blocking, Brave keeps your online activities safe from prying eyes. Brave is one of the safest browsers on the market today. It blocks third-party data storage. It protects from browser fingerprinting. And it does all this by default. Speed - Brave is built on Chromium, the same technology that powers Google Chrome, and is optimized for speed, providing a fast and responsive browsing experience. Brave Browser also features Brave Rewards, a system that rewards users with Basic Attention Tokens (BAT) for viewing opt-in ads. This innovative system provides an alternative revenue model for content creators and a way to support the Brave community. SlimBrave Neo takes all the good things about Brave and makes them even better by keeping everything clean, light, and privacy-focused. It removes the extra clutter, turns off features you might not need, and cuts down on anything that could slow you down or collect unnecessary data. Because it relies on simple settings and policies instead of modifying the browser itself, you still get full Brave compatibility—just in a smoother, lighter, and more privacy-friendly package. Brave Browser 1.91.171 changelog: General Fixed Cardano not being disabled on upgrade to Brave Origin. Upgraded Chromium to 149.0.7827.103. Origin Removed “Survey Panelist” setting from brave://settings/privacy. Fixed P3A and usage ping under brave://settings/privacy being displayed on first launch on Linux. Upgraded Chromium to 149.0.7827.103. Download: Brave Browser 64-bit | 1.2 MB (Freeware) Download: Brave Browser 32-bit View: Brave Homepage | Offline Installers | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Can't access the forum on mobile

      By RaidenX · Posted

      Hi. As the title suggests, I can't access the forum on my phone. I'm using Edge on Android and when I try to navigate to the forum I get a "we value your privacy" popup and none of the buttons are clickable. It effectively stonewalls me from reading any forum content.
    • Google Chrome is killing all uBlock Origin bypasses, Microsoft Edge, Opera to follow

      By Brandon H · Posted

      Honestly you're not wrong about AdGuard. Neowin frequently has lifetime license discounts for them and that's how I got my cheap family license a few years ago to run it on all my devices.

  • Recent Achievements

    • Rookie
      Marzoid went up a rank
      Rookie
    • Community Regular
      coch went up a rank
      Community Regular
    • One Year In
      slackerzz earned a badge
      One Year In
    • One Year In
      highriskpaym earned a badge
      One Year In
    • One Month Later
      highriskpaym earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      519
    2. 2
      PsYcHoKiLLa
      190
    3. 3
      +Edouard
      156
    4. 4
      Steven P.
      84
    5. 5
      ATLien_0
      75
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!