Jeremiah Grossman came up with a really clever way of using Javascript to find what pages you've visited recently. It goes like this: when a link has been visited, you can use the :visited pseudo-class to style it. Using Javascript, you can walk through all of the links on your page and grab their styles; comparing a link's style to the style given to visited links in the CSS will tell you whether or not a site has been visited. Seems innocent enough, until you realize that this can be applied to a large list of links. A site will know whether or not have been to any of the sites on their list. Combine that with a little Ajax, a database and a cookie, and you can track where your return users have been over time.
This technique is worrying, but probably not the end of privacy as we know it. It can only be applied to a finite list of links, so it's not able to find out all of the sites you've been to. It's done using Javascript, so you can't hide the fact that you're using it; the code can be obfuscated, but eventually someone will figure out that Evil Corp. is tracking whether users have visited their competitors' sites first. And it can be prevented by emptying your cache or reseting your visited links. It will be interesting to see if any popular sites risk the bad publicity of actually using this.
Hats off to Jeremiah for coming up with this. Just goes to show what's possible with CSS and Javascript these days.
Update: Christian Heilmann got it to work with IE by using height and computedHeight instead of color.
Comments
This is an abomination.:Tuesday, August 22nd, 2006 at 18:07 #1
My name is jsaltz and I think this is an abomination.
Briznert:Tuesday, August 22nd, 2006 at 19:35 #2
I'm flabergasted!
Gordon Mohr:Tuesday, August 22nd, 2006 at 21:09 #3
Security research groups at Indiana U and Stanford U had papers about this (and similar) vulnerabilities in the May 2006 WWW Conference. See:
http://www.cs.indiana.edu/~sstamm/projects/recon/
http://crypto.stanford.edu/sameorigin/
From one of the papers' bibliographies, I believe the first disclosure of the problem was in 2002:
http://seclists.org/bugtraq/2002/Feb/0271.html
Ross:Tuesday, August 22nd, 2006 at 23:24 #4
Thanks for the info, Gordon.
I wonder why more fuss wasn't made about this the first time it was disclosed.
Ross:Wednesday, August 23rd, 2006 at 0:09 #5
There are some interesting comments on the Reddit link to this post.
It seems that this exploit doesn't work in Opera 9 "since Opera returns default browser styles for visited links." Can anyone confirm or clarify this?
an example:Wednesday, August 23rd, 2006 at 1:00 #6
Here is a working example:
http://gemal.dk/browserspy/css.html
Karsten:Wednesday, August 23rd, 2006 at 7:21 #7
Is it my browser settings or is your site's usability awfully poor? Grey and dark blue on black!? Prohibitive as far as I am concerned.
Chris Wood:Wednesday, August 23rd, 2006 at 7:50 #8
Mozilla have had a bug relating to this open and unresolved since 2002.
See http://forums.mozillazine.org/viewtopic.php?t=300080 and the links onwards from there.
Chris Wood
Joël Kuiper:Wednesday, August 23rd, 2006 at 19:08 #9
This is old new right?
Brice Le Blevennec:Wednesday, August 23rd, 2006 at 19:31 #10
Does not work with latest Safari on MacOS X.
Matt Todd:Wednesday, August 23rd, 2006 at 19:54 #11
I must say that I think this is pretty neat. It also has a few interesting uses just within the users' own websites! (Check to see if they've been visiting your articles, etc.)
Clever.
M.T.
Julien Couvreur:Wednesday, August 23rd, 2006 at 20:27 #12
This is not new:
https://bugzilla.mozilla.org/show_bug.cgi?id=57351
http://milov.nl/2520
http://www.doxdesk.com/personal/posts/bugtraq/20020214-css.html
JJ:Wednesday, August 23rd, 2006 at 20:32 #13
Exploits Exploits Exploits.... It's just human nature.
mrivorey:Wednesday, August 23rd, 2006 at 20:53 #14
Wow... good thing Firefox can clear all your private data after each session now. Still, that doesn't help your current session.
MMi:Wednesday, August 23rd, 2006 at 21:05 #15
Karsten - It's your settings.
KSF KAY:Wednesday, August 23rd, 2006 at 21:39 #16
Wow, that's really cool.
Curmudgeon:Wednesday, August 23rd, 2006 at 22:28 #17
What is wrong with my browser? Did I leave some bizarre style sheet in here?
Surely the designer did not use this white/charcoal-on-black theme!
Ross:Wednesday, August 23rd, 2006 at 22:58 #18
We are aware that the current color scheme can be hard for some people to read, depending on their browser and display settings. A dark text on light background design is in the works.
steven:Wednesday, August 23rd, 2006 at 23:12 #19
This does infact work with the latest version of Safari. http://gemal.dk/browserspy/css.html pegged it in Safari 2.0.4 on Tiger.
doug:Wednesday, August 23rd, 2006 at 23:27 #20
Instead of bitch'n about site layout & the color scheme; why don't you learn how to use your mouse to highlight a block of text; it's easier on the eyes and the ears.
Javascripting Fool:Thursday, August 24th, 2006 at 0:02 #21
This has been in use as a visitor history competitive intelligence tool since 2002 and 2003.
Sam:Thursday, August 24th, 2006 at 1:12 #22
Instesad of going blind trying to read this pretty impossible to read site, use CTRL-A to select-all and suddenly make the whole page pretty easier to read.
textibule:Thursday, August 24th, 2006 at 4:32 #23
Great white on black design. Illisible, but so-o-o cool.
Clayfoot:Thursday, August 24th, 2006 at 7:36 #24
You may also like 'Read Easily', a Firefox extension that puts a button in your toolbar to toggle CSS styles on/off. Makes lots of pages easier to read.
http://readeasily.mozdev.org/
irked:Thursday, August 24th, 2006 at 8:42 #25
Agree 100% with comments about this stupid colour scheme. It detracts from the story.
Did I say the colour scheme is stupid? I meant that the author is stupid and lazy.
Kevin Prichard:Thursday, August 24th, 2006 at 10:42 #26
The interesting thing about this Javascript hack, is that it can be used to to report back centrally where else a given user has been visiting. This could be used to by a company to research which competitor sites their users are visiting. It could be used by a government agency, posing as a porn site, to find out what other porn sites you've been visiting. Ad infinitum. It could already be in use, for all you know. -kevin prichard
Markus Jakobsson:Saturday, August 26th, 2006 at 20:58 #27
For demo, see https://www.indiana.edu/~phishing/browser-recon/