Browser History Sniffing

By Salgoth
in Web Browser Discussion & Support

 Share

Recommended Posts

Mentor

kimsland

Posted
Posted
Links open in new windows. Although it is not required for the exploit, meta refreshes must be enabled to view this demo. * In most configurations.

Have a read here: http://forums.mozillazine.org/viewtopic.php?f=7&t=859575

Basically: (in Firefox)

about:config

accessibility.blockautorefresh

Double click on: "accessibility.blockautorefresh"

Try http://making-the-web.com/misc/sites-you-visit/nojs/ again :)

Community Regular

code.kliu.org

Posted
Posted (edited)

This isn't anything new: Mozilla has documented this "flaw" since 2000. The reason that this isn't that serious is that they can't retrieve an arbitrary history: just if you have visited a specific URL (not even a particular domain or site!) that it asks for. So unless the attacker explicitly asks if you've been to http://example.org/47, it will never know that you've been to http://example.org/47. It can't find that out by probing http://example.org/, http://example.org/47?x, or even http://example.org/47/. It must probe http://example.org/47, verbatim. Brute-forcing every possible URL? Yea, good luck with that. Brute-forcing every possible URL over a network connection? I think this just won the Most Impractical Exploit Award.

Practically, the extent of this flaw is to make for a nice sensationalist parlor trick for use by some grandstanding website that claims to have "discovered" a hole that people had known about for a decade, capable of determining if you've ever been to a common site, like google.com. Utterly useless for any sort of meaningful attack. Not to mention, it's slow and burdensome on the attacker's server.

As for disabling META refreshes, that's silly. It's not going to save you from this "exploit"--it's used by this particular demo, and that's it. I can use this exploit to sniff your browser history regardless of whether you have disabled META refreshes. And disabling META refreshes in general is usually a pretty big hit on usability (for a selective block of META refreshes, you can use NoRedirect, but with respect to this sniffing exploit, it's completely irrelevant).

Edited by code.kliu.org
Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted (edited)

You have to stop :visited from working, you could do a "same origin" restriction on it, change getComputedStyle to always return the default state, or just plain break it. It's not that much of a "flaw" anyway, as code.kliu.org said you have to guess the exact URL used, but if you're paranoid you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

Edited by The_Decryptor
Mentor

Salgoth

Posted
  • Author
Posted

Thanks The_Decrytor and code.kliu.org!

This is what I love about Neowin! I'm a moron when it comes to coding but there are always some pretty BRILLIANT people on Neowin to set me straight.

I feel relaxed that it's such a difficult sniff to use and knowing it can be blocked if I wish by changing that layout.css.visited_links_enabled value.

Thanks again!

Mentor

kimsland

Posted
Posted
you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Are you using Firefox 3.5? The preference doesn't exist in 3.0.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft about to radically change how often your Edge browser updates

      By Snake Doc · Posted

      I recently tried edge. It seems a lot better. A lot of the junk in it is gone. It seems less bloated and snappy.
    • Lethal fake phone chargers are still being sold on Amazon and eBay, UK watchdog warns

      By zikalify · Posted

      Lethal fake phone chargers are still being sold on Amazon and eBay, UK watchdog warns by Paul Hill Credit: Pexels The UK consumer rights organization, Which?, is claiming that “potentially lethal knock-off chargers” are still being sold on online marketplaces seven years after it exposed the danger of these chargers. In its latest investigation, it bought 15 USB phone chargers from several online marketplaces and found they were missing key information, meaning they cannot be legally sold in the UK. Which? bought the 15 chargers from seven online marketplaces. These were Amazon (including Amazon Haul), AliExpress, B&Q Marketplace, Debenhams Marketplace, and eBay. It said that the chargers were so badly made that anyone using them was at risk of electric shock. Over half the chargers also posed fire and explosion risks. Of the chargers purchased, one was a fake Apple USB-C 35W power adaptor charger. To confuse buyers, the box was branded with an Apple logo, but testing found it to be a fake. Further testing picked up arcing sounds after 10 seconds of use, where a current jumps between two parts of the electrical circuit, which can cause fires, explosions, or electric shock. The manufacturers of this particular charger also put modeling clay inside it to make it feel more weighty, robust, and genuine. Not all of the chargers were technically faulty; however, some were missing key packaging, markings, and documentation, meaning they can’t be sold in the UK legally. Which? said that it is now campaigning alongside a coalition of safety groups and businesses for new laws that make online marketplaces responsible for ensuring the safety of products that they choose to list on their websites. It also said the government needs to start using powers under the Product Regulation and Metrology Act, which was adopted last July, to impose safety requirements on online marketplaces via secondary legislation, but so far, there have been delays. No matter what country you are in, be sure to properly research what you are buying and only buy authentic chargers to prevent fires. You can read more about Which?’s research here.
    • Visual Studio finally gets long-awaited feature that developers will love

      By Usama Jawad96 · Posted

      Visual Studio finally gets long-awaited feature that developers will love by Usama Jawad Visual Studio Code is Microsoft's popular, lightweight, open-source code editor, it is actually Visual Studio that is the company's flagship integrated development environment (IDE). Although the IDE already offers a boatload of useful features for developers, Microsoft has finally introduced a long-requested capability that will be loved by many. While developers have already been able to create Git pull requests (PRs) directly within Visual Studio for the past couple of years, it had not been possible to review a PR without switching to the browser, until now. Microsoft revealed in December 2025 that it is working on UX that enables developers to do just that, and fast-forward to June 2026, and Visual Studio finally has native capabilities to open and inspect a PR, discuss feedback, and wrap up the review, all without switching to the browser. This integration works for both GitHub and Azure DevOps (including on-prem). Developers have access to multiple surfaces to open a PR, including Git Repository, Git Changes, and the Git menu in Visual Studio. Once you open a PR, all the important details will be immediately visible to you, from where you can navigate to various levels of granularity and branch states, depending on the reviews that you are engaged in. As you would expect, you also get a diff view that enables you to see code changes inline or side-by-side in a separate panel. You can also review commit-by-commit. Additionally, this UX fosters collaboration as you can leave comments, reply to threads, and resolve conversations easily. Naturally, you can also leverage Copilot to apply a code suggestion to fix a potential issue. When you are done, you have the ability to approve, complete, and merge the PR. This is a pretty major feature as it has been requested heavily for the past few years. You can try it out in Visual Studio 2026 version 18.7, made available here recently. Microsoft plans to enhance this experience further in future releases with comment filtering, a timeline of PR activity, and more.
    • This AdGuard Family lifetime deal is still only $15.97

      By News Staff · Posted

      This AdGuard Family lifetime deal is still only $15.97 by Steven Parker Today's highlighted Neowin Deal comes via our Apps + Software section, where you can get a lifetime subscription and save 90% on a lifetime AdGuard Family Plan. AdGuard is a unique program that has all the necessary features for what they claim to be "the best web experience." The software combines the an advanced ad blocker, a privacy protection module, and a parental control tool—all working in one app. This software deals with annoying ads, hides your data from a multitude of trackers, protects you from malware attacks, and even lets you restrict your kids from accessing inappropriate content. Install AdGuard and see the internet as it was supposed to be: clean and safe. Get rid of annoying banners, pop-ups & video ads once and for all Hide your data from the multitude of trackers & activity analyzers that swarm the web Avoid fraudulent and phishing website and malware attacks Protect your kids online by restricting them from accessing inappropriate & adult content Good to know Family Plan Length of access: lifetime This plan is only available to new users Redemption deadline: redeem your code within 30 days of purchase Max number of devices: 9 Access options: desktop & mobile Software version: AdGuard Family Updates included A lifetime subscription of AdGuard Family Plan normally costs $169.99, but this deal can be yours for just $15.97, that's a saving of $157.02. For full terms, specifications, and license info please click the link below. Get this AdGuard Family lifetime deal for just $15.97 (was $169.99) Although priced in U.S. dollars, this deal is available for digital purchase worldwide. As an online publication, Neowin too relies on ads for operating costs and, if you use an ad blocker, we'd appreciate being whitelisted. In addition, we have an ad-free subscription for $28 a year, which is another way to show support! Support queries If you have queries or need support for any of the Neowin Deals, please use the contact form here. Neowin Deals are managed and sold by StackCommerce who represent Neowin on an affiliate basis. Why we post these deals We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. So for those that keep moaning and complaining, be thankful we're still online for you to even do that. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.
    • Microsoft releases new Windows 11 Media Creation Tool with the latest updates

      By AndyMutz · Posted

      the MCT currently downloads 26200.8653, so not completely up to date.

  • Recent Achievements

    • Week One Done
      Timaximus earned a badge
      Week One Done
    • One Month Later
      Timaximus earned a badge
      One Month Later
    • Rookie
      FBSPL went up a rank
      Rookie
    • First Post
      davidbazooked earned a badge
      First Post
    • Week One Done
      davidbazooked earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      499
    2. 2
      PsYcHoKiLLa
      174
    3. 3
      +Edouard
      160
    4. 4
      Steven P.
      84
    5. 5
      ATLien_0
      75
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!