Weekly Edition
Return to the Security page
| |||||||||||
|
| |||||||||||
What the Internet knows about you
A new site at whattheinternetknowsaboutyou.com
is an interesting demonstration of CSS-related browser history disclosure
vulnerabilities. This site is able to produce a surprisingly comprehensive
list of sites that one has visited, down to the level of specific pages on
social networking sites and such. No JavaScript required. There's also
information on just how the
site works and how the disclosure of information can be minimized.
"It is a source of amazement to us that such an obvious and
well-documented history sniffing channel has been allowed to exist for so
many years. We cannot help but wonder why, despite all the malicious
potential, such a hole has not yet been closed."
(Log in to post comments)
What the Internet knows about you Posted Sep 2, 2009 20:20 UTC (Wed) by dilinger (subscriber, #2867) [Link]
Hrm, it doesn't appear to work at all with epiphany-webkit:
"Congratulations, we did not find anything in this category in your browser history."
What the Internet knows about you Posted Sep 2, 2009 20:21 UTC (Wed) by hingo (subscriber, #14792) [Link] This is so scary but also so cool due to the simplicity of it.
What the Internet knows about you Posted Sep 2, 2009 20:44 UTC (Wed) by slothrop3 (guest, #59826) [Link]
Yeah, I was scared by this too.
Bur setting layout.css.visited_links_enabled to false
Also interesting:
What the Internet knows about you Posted Sep 2, 2009 21:46 UTC (Wed) by petegn (guest, #847) [Link]
> Bur setting layout.css.visited_links_enabled to false
Yep stopped it dead in it's tracks for me as well Firefox 3.5b4 openSuse 11.2MS2 x86_64
What the Internet knows about you Posted Sep 3, 2009 12:06 UTC (Thu) by nix (subscriber, #2304) [Link]
Yes, it would: but unfortunately this feature is a major UI benefit. We shouldn't have to choose between it and security.
Looks like links that have been recoloured by this feature should be reported to JS as though their colour has not changed.
There are million ways to detect the difference... Posted Sep 3, 2009 15:17 UTC (Thu) by khim (subscriber, #9252) [Link] Looks like links that have been recoloured by this feature should be reported to JS as though their colour has not changed. What about size of bounding box? Position of other elements? There are a lot of possible style changes you need to hide. Doable, but this code will have a lot of bugs and exploits. So current choice: all or nothing - looks like a good compromise...
What the Internet knows about you Posted Sep 3, 2009 23:35 UTC (Thu) by cesarb (subscriber, #6266) [Link]
The Link Status extension (mentioned in an update at http://whattheinternetknowsaboutyou.com/docs/solutions.html) restores a bit of the lost functionality, by adding the time since the link was last visited to the status bar when you hover over the link. It also has on its preferences a checkbox to toggle layout.css.visited_links_enabled if you are using Firefox 3.5.
What the Internet knows about you Posted Sep 2, 2009 20:30 UTC (Wed) by leoc (subscriber, #39773) [Link]
Doesn't seem to want to tell me what it knows about me... it just hangs on step 2.
What the Internet knows about you Posted Sep 2, 2009 20:32 UTC (Wed) by RainCT (subscriber, #57473) [Link]
Same here with Firefox 3.5.
Doesn't seem to work with Firefox + NoScript Posted Sep 2, 2009 20:30 UTC (Wed) by swatter (subscriber, #42132) [Link]
With Firefox 3.0.6/linux I get an (eventual) redirect to
http://whattheinternetknowsaboutyou.com/top5k?noscript=1 after which it stalls.
Presumably it's NoScript to the rescue.
Doesn't seem to work with Firefox + NoScript Posted Sep 2, 2009 20:47 UTC (Wed) by Kit (guest, #55925) [Link]
The site uses 2 methods, the first uses JavaScript to get the information, the second that you were redirected to uses CSS. The CSS technique basically uses the hidden image trick by setting visted urls to have a certain background image at a certain url.
And you DO have to wait a good while for it to do the scan (using javascript and css). There's a page about the technical details: http://whattheinternetknowsaboutyou.com/docs/details.html
Doesn't seem to work with Firefox + NoScript Posted Sep 2, 2009 21:34 UTC (Wed) by man_ls (subscriber, #15091) [Link] This second method has been disabled temporarily due to heavy traffic, or so the page says. So now you have to enable JavaScript for a couple of sites.
Doesn't seem to work with Firefox + NoScript Posted Sep 3, 2009 14:20 UTC (Thu) by cesarb (subscriber, #6266) [Link]
The hidden image trick is very easy to avoid, just add the following to your userContent.css:
:link, :visited { background-image: none !important }
This does not disable the visited link color, only the background image, so you still need NoScript.
Doesn't seem to work with Firefox + NoScript Posted Sep 3, 2009 15:50 UTC (Thu) by kfiles (subscriber, #11628) [Link]
> The hidden image trick is very easy to avoid, just add the following to
> your userContent.css:
> :link, :visited { background-image: none !important }
I've noticed that sites like
are tricker. They attach a background-image to a child of the <a> tag. For example, the following CSS rule:
a:visited span.span0 {
applied to:
So you'll also need the following in your userContent.css:
:link *, :visited * { background-image: none !important; }
Doesn't seem to work with Firefox + NoScript Posted Sep 3, 2009 16:58 UTC (Thu) by cesarb (subscriber, #6266) [Link]
Thanks for that one, now the rule I am using is
:link, :visited, :link *, :visited * { background-image: none !important }
Note that the site you linked to still shows a large red "VISITED", even though it is not logging anything anymore (you have to follow the link below the table to see nothing was actually logged). Which implies there are probably several other ways of bypassing this userContent.css rule (perhaps playing with display: and using a IMG, for instance; I haven't tested).
What the Internet knows about you Posted Sep 2, 2009 20:34 UTC (Wed) by josh (subscriber, #17465) [Link]
Looks similar to startpanic.
What the Internet knows about you Posted Sep 12, 2009 4:01 UTC (Sat) by roelofs (subscriber, #2599) [Link] Looks similar to startpanic.That site (and many others like it) are listed at the bottom of the technical-details page. Greg
What the Internet knows about you Posted Sep 2, 2009 20:39 UTC (Wed) by shirishag75 (guest, #51082) [Link]
doesn't work also with chromium as well. Hangs at step 2 as well.
does not work with my browser? Posted Sep 2, 2009 20:52 UTC (Wed) by rzm (guest, #116) [Link]
My favourite broser shows an empty page only. Maybe elinks CSS
implementation conforms to the proposed solutions already? But with firefox I do see a list of 6 popular sites visited by me.
Could just be some random sites. Posted Sep 3, 2009 18:13 UTC (Thu) by southey (subscriber, #9466) [Link]
Just did not see what I expected especially no LWN.net or Groklaw which are daily visits.
Could just be some random sites. Posted Sep 4, 2009 4:07 UTC (Fri) by Arker (guest, #14205) [Link]
Using FF 3.013/Windows at work, with Noscript on, I have a dozen tabs open and very long history, the site manages to pull up gmail.com. Nothing else. Odd.
Could just be some random sites. Posted Sep 4, 2009 14:56 UTC (Fri) by ikm (subscriber, #493) [Link]
The site has a fixed list of popular sites and matches your browser's history against this list by seeing which links in the list gets marked as visited and which aren't. It can't just enumerate your history as it is.
Could just be some random sites. Posted Sep 12, 2009 4:02 UTC (Sat) by roelofs (subscriber, #2599) [Link] Just did not see what I expected especially no LWN.net or Groklaw which are daily visits.Try the "all" link at upper left. LWN is something like #2168 in the "bloglines" category, apparently. Greg
What the Internet knows about you Posted Sep 2, 2009 21:54 UTC (Wed) by jebba (subscriber, #4439) [Link]
Accurately found many many links I went to. I'm running latest Fedora 11 firefox: firefox-3.5.2-2.fc11.x86_64. Sites it discovered were wikipedia, google.com.ar, timeanddate.com, worldcat, social security administration, Internet Archive, mercadolibre (argentina ebay), cnn, piratebay..., slashdot, nyt, craigslist, flikr, etc... YIKES!
This technique actually looks useful. Posted Sep 4, 2009 14:48 UTC (Fri) by dmarti (subscriber, #11625) [Link] So yay, sites can finally show the "DIGG THIS" button only to people who actually use Digg, right? Or skip the "invite all your Orkut friends" step in the registration process.
|
|||||||||||