Browser History Sniffing

By Salgoth
in Web Browser Discussion & Support

 Share

Recommended Posts

Mentor

kimsland

Posted
Posted
Links open in new windows. Although it is not required for the exploit, meta refreshes must be enabled to view this demo. * In most configurations.

Have a read here: http://forums.mozillazine.org/viewtopic.php?f=7&t=859575

Basically: (in Firefox)

about:config

accessibility.blockautorefresh

Double click on: "accessibility.blockautorefresh"

Try http://making-the-web.com/misc/sites-you-visit/nojs/ again :)

Community Regular

code.kliu.org

Posted
Posted (edited)

This isn't anything new: Mozilla has documented this "flaw" since 2000. The reason that this isn't that serious is that they can't retrieve an arbitrary history: just if you have visited a specific URL (not even a particular domain or site!) that it asks for. So unless the attacker explicitly asks if you've been to http://example.org/47, it will never know that you've been to http://example.org/47. It can't find that out by probing http://example.org/, http://example.org/47?x, or even http://example.org/47/. It must probe http://example.org/47, verbatim. Brute-forcing every possible URL? Yea, good luck with that. Brute-forcing every possible URL over a network connection? I think this just won the Most Impractical Exploit Award.

Practically, the extent of this flaw is to make for a nice sensationalist parlor trick for use by some grandstanding website that claims to have "discovered" a hole that people had known about for a decade, capable of determining if you've ever been to a common site, like google.com. Utterly useless for any sort of meaningful attack. Not to mention, it's slow and burdensome on the attacker's server.

As for disabling META refreshes, that's silly. It's not going to save you from this "exploit"--it's used by this particular demo, and that's it. I can use this exploit to sniff your browser history regardless of whether you have disabled META refreshes. And disabling META refreshes in general is usually a pretty big hit on usability (for a selective block of META refreshes, you can use NoRedirect, but with respect to this sniffing exploit, it's completely irrelevant).

Edited by code.kliu.org
Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted (edited)

You have to stop :visited from working, you could do a "same origin" restriction on it, change getComputedStyle to always return the default state, or just plain break it. It's not that much of a "flaw" anyway, as code.kliu.org said you have to guess the exact URL used, but if you're paranoid you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

Edited by The_Decryptor
Mentor

Salgoth

Posted
  • Author
Posted

Thanks The_Decrytor and code.kliu.org!

This is what I love about Neowin! I'm a moron when it comes to coding but there are always some pretty BRILLIANT people on Neowin to set me straight.

I feel relaxed that it's such a difficult sniff to use and knowing it can be blocked if I wish by changing that layout.css.visited_links_enabled value.

Thanks again!

Mentor

kimsland

Posted
Posted
you can disable :visited by going to "about:config" and setting "layout.css.visited_links_enabled" to false.

A general way on how to do it (it'll report lime if it's visited, red otherwise).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html lang="en">
	<head>
		<title>Test</title>
		<style type="text/css">
			a { left: 0px; }
			a:visited { left: 1px; }
		</style>
	</head>
	<body onload="alert('Visited Google: ' + Boolean(parseInt(document.defaultView.getComputedStyle(document.getElementsByTagName('a')[0],null).getPropertyValue('left'))));">
		<p><a href="http://www.google.com/">Google</a></p>
	</body>
</html>

Edit: How about an even better true/false method.

I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
I don't seem to have "layout.css.visited_links_enabled" in about:config (?)

Um I was a strong supporter for IE for many years, as:

If IE worked then Firefox could be checked

IE came with Windows

IE was required at MS Update Servers

So, how do I use that code again? (this looks to be the easiest option)

I know stoopy me, but what I do again in Firefox?

Yes real question.

Are you using Firefox 3.5? The preference doesn't exist in 3.0.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Windows 11's big performance boost is finally available for all

      By duhk · Posted

      low latency mode is still bugged and causing bootup times slow to a crawl. To fix, you have to disable the feature with vivetool. Seems as though it's not rolled out to a lot of people yet since I've only been able to find only a handful of people that are having issues.
    • Phone Dilemma

      By Nick H. · Posted

      I would recommend the Nothing 2a. The battery life is awesome, 2 or 3 days without going into battery power mode. The only thing that I've been looking into recently is that it doesn't "support" Graphene OS. I'm pretty sure there is a way, I just need to do some more looking.
    • Phone Dilemma

      By +InsaneNutter · Posted

      You'd have to show me an example of a listing that says Gen 1, usually i'd expect that to mean Snapdragon Gen 1 (a type of chipset, which the Pixels don't use). Pixel 7 - White - 128gb - Unlocked - 85%+ battery - Grade B+ - $159 with free delivery - https://www.ebay.com/itm/398046617206 Pixel 7 - Obsidian - 128gb - Unlocked - 80%+ battery - Very Good - $157 with free delivery - https://www.ebay.com/itm/355617734563 Both look to be sold by companies with good feedback, dealing with refurbished phones and state the phones are unlocked with a clean IMEI. Obviously I can't vouch for either company though, but the listings look good in my opinion.
    • Microsoft about to radically change how often your Edge browser updates

      By +mram · Posted

      Because Chrome is doing it. And no one said anyone had to update immediately. That's silly. They could update every day for all I care as long as it's fast, and the next time the browser restarts, you're good. And the basic point is not to tee it up for bigger updates. As it is right now, all the windows I had open reopen anyway except inprivate.
    • Microsoft about to radically change how often your Edge browser updates

      By seacaptain · Posted

      Why? Does anybody actually want this? The constant need to close all browser sessions and wait for a new version to install, just so that there’s a integrated coupon manager feels like a waste of everyone’s time

  • Recent Achievements

    • Week One Done
      davidbazooked earned a badge
      Week One Done
    • One Month Later
      Jamswaz earned a badge
      One Month Later
    • Week One Done
      Jamswaz earned a badge
      Week One Done
    • Rookie
      Marzoid went up a rank
      Rookie
    • Community Regular
      coch went up a rank
      Community Regular

  • Popular Contributors

    1. 1
      +primortal
      514
    2. 2
      PsYcHoKiLLa
      185
    3. 3
      +Edouard
      159
    4. 4
      Steven P.
      83
    5. 5
      ATLien_0
      75
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!