76% of Web Users Affected By Browser History Stealing

An anonymous reader writes "Web browser history detection with the CSS:visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."

If you didn't want your browser history detected..

[NickLarsen]

You shouldn't have been browsing the internet. But I am curious... how is this information used maliciously, excluding advertising?

Re:If you didn't want your browser history detecte

[digitalsushi]

Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.

Re:

[commodoresloat]

who the hell reads "joke of the day" emails?

Re:

[digitalsushi]

You must not have relatives that are bad at the computers.

Re:

[gorzek]

who the hell reads "joke of the day" emails?

More people than read Slashdot.

Re:

[denis-The-menace]

They give your PC a cookie and then they can see by your history how old you are, your favorite porn sites, if you're gay, etc.

Then they sell that info to advertisers and their ilk.

Re:

[Anonymous Coward]

No need for cookies, you just use javascript and CSS.

I actually implemented a history sniffer for an online advertising company a few years ago; we were using it as an additional selling point for potential advertisers, as in "We can tell you what percentage of your visitors have visited your rivals' landing pages".

Worth remembering you can only test against a list of exact urls that you're interested in, you can't just go browsing through a visitor's history. In other words, if I wanted to know how many pa

Re:

[wjousts]

No need for cookies, you just use javascript and CSS.

No need for JavaScript either. You can do it with CSS alone.

Re:

[Pojut]

how is this information used maliciously, excluding advertising?

Many people consider advertising to be a malicious use.

Personally, I don't mind my information being used for advertising. Living in 2010, it's an unavoidable fact of life that we are going to encounter advertising everywhere. I would much rather it be for products and services that I actually have an interest in rather than stuff I don't care about.

Re:

[Pojut]

You silly sod.

Advertising puts the idea of the product they are trying to sell, into your head. It may be that you 'want' the thing once it is there but before the advertiser got to work on you, there is every likelihood that you would have been perfectly happy without the product.

You really have no idea how advertising works do you. They must love you.

My point is I would rather see advertising about a new motherboard or a speaker set rather than tampons or life insurance.

Re:

[phyrexianshaw.ca]

I second the above opinion. your will is your own, but please, stop Microsoft from showing me ad's for funeral homes in Georgia. I really, really don't care.

Re:

[daremonai]

Yeah, if I see those ads one more time I think I'll die!

Hey, wait a second ....

Re:

[rickb928]

Yuh. I go to look for a particular designer's eyeglass frames, and I don't get ads for that designer's frames, nor do I get ads for eyeglasses or even sunglasses.

I get ads that send me to link farms, malware hatcheries, FAKE shopping sites, etc. Seems the evil advertisers pay more to get to the top of the list.

Pus.

Re:

[JWSmythe]

The problem with advertisers data-mining and presenting ads targeted to what you've done is this. This is a real-world example.

Someone was going to buy a used refrigerator. They asked me to see what the current market value was for the used one, as well as the retail value. If the difference was small enough, they were going to just buy a new one. I spent maybe 15 minutes looking for information. For several days after that, I got targeted ads for refrigerators and large a

Re:

[bingoUV]

I use firefox, with a lot of privacy enhancing extensions, and I generally do not feel that the advertisers have a lot of information about me. But for a brief while, I used google chrome browser. For about 2-3 weeks after that, I was stumped by advertisers' (especially google) intricate knowledge of my person. I say this principally on the basis of gmail advertisements.

Though the good news is that if you start using a privacy enhanced browser, advertisers soon (seem to) forget all about you.

Re:

[element-o.p.]

Advertising is just a Jedi mind trick; it's only effective in the way you suggest if you are rather weak-minded.

Personally, I find that advertising is only effective once I am already in the market for something (i.e., my car just threw a transmission, and now I am shopping for another one). It is very rare indeed that I see an ad for something and start thinking, "Wow...I could really use one of those." YMMV, of course, but if you often find yourself desperately "needing" something

Re:

[boxwood]

But when looking for a new car you get certain feelings about certain brands. When you're looking at a chevy truck you'll get a feeling that its really solid (Like a Rock!) that Ford looks like its durable (Ford Tough!) and when you look at a mazda you'll get the feeling that this car has really got some pep (zoom! zoom!).

Those little jingles and slogans may not even pop into your head while test driving but they're there and have an influence over your purchasing decision. Sure you'll look at the price and

Re:

[gorzek]

All the above only means that you should do research before making a major purchase. If you go to a car dealership, totally uninformed about what you want and just base everything on your gut instincts, you deserve what you get.

Read the reviews, read Consumer Reports, do a bunch of test drives. For God's sake, if you're going to drop five or six figures on something, make sure it's really what you want and need!

Re:

[Carnildo]

But when looking for a new car you get certain feelings about certain brands. When you're looking at a chevy truck you'll get a feeling that its really solid (Like a Rock!) that Ford looks like its durable (Ford Tough!) and when you look at a mazda you'll get the feeling that this car has really got some pep (zoom! zoom!).

Maybe you do. I don't.

It might be the fact that I see maybe a hundredth as many ads as the typical person, but my impressions of products are shaped more by cultural osmosis than by marke

Re:If you didn't want your browser history detecte

[Nadaka]

People generally use the same or similar usernames and passwords for most of their online identities. If you you know someone in particular uses facebook.com, hotmail.com, kittenwar.com and randombank.com you can use facebook and kittenwar as attack vectors against their email and banks. Alone, history sniffing does not present a huge threat. But it can dramatically increase someones vulnerability to identity theft.

Re:

[aztracker1]

I use a different set of passwords depending on importance. I treat my online "social website" identities like public information, don't put what I wouldn't want found up. If more people simply did that, it'd be a lot easier.

Re:

[thetoadwarrior]

It only detected 2 out of 20+ sites I visited since last clearing out my cache (slight porn guilt makes me do it every so often) both of which have passwords I use only for those sites. I don't really care if someone gets my slashdot account details or twitter details. It's certainly not the end of the world.

Re:

[bstender]

Their insecurities arent your fault, but sneaking around is really not the way if you really want to grow the relationship.

10 years = nothing done

[TheMeuge]

I am not a programmer... but it seems absolutely amazing to me that since this vulnerability has become known (10 years?) nothing has been done to address it. The only two ways to avoid having your history accessed this way, is either to prevent your browser from marking sites as "visited" altogether, or to regularly delete your browsing history.

How is it that Firefox, an open-source browser, still hasn't had this issue fixed in all these years?..

Re:

[GungaDan]

Doesn't unchecking the "keep my history" button under "privacy" take care of this?

Re:

[TheCycoONE]

http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx [msdn.com] is an article on the subject.

Essentially the vulnerability is a feature of the spec. Even without JavaScript or cookies, the CSS specification allows a web developer to specify that a particular icon/cursor/background-image should be shown for visited links. The exposure is that the client only downloads resources when they are needed to preserve bandwidth, and the server knows what has been requested from it, so I could put in t [google.com]

Re:

[Logic and Reason]

But browsers could be made to download just :visited images, as a security-related exception to the "download as needed" policy. This shouldn't affect performance at all, since sites that actually do this for "legitimate" reasons should be vanishingly rare.

Re:

[zuperduperman]

> browsers could be made to download just :visited images

Wouldn't that just alter the attack? In the end they will just make it infer the 'visited' state from other things that are much harder to block. (Eg: change the link to bold if visited - now it's bounding box is slightly larger, which you can detect in javascript and use to report back if the user visited the site). I think the protection has to be positioned further back in the chain: a visited style will only be rendered if the user visited

Re:10 years = nothing done

[psbrogna]

I don't think you're correct in your list of options for protecting against the vulnerability. As a general principal, client side code from an untrusted source (ie. the web) should only have access to client side content which originated from the same source. In the case we're talking about, the content has been modified by the client based on private client state (ie. visited links), at this stage, the content should no longer be accessible to the code. If the rendering pipeline were more compartmentalized (ie. think XSLT translation steps), then code in one department wouldn't have access to content that has been modified based on private client state.

In this manner, the client environment could modify the content at will (ie. changing style for links to web sites you've been to, blocking ads, stripping flash, turning off client side code functionality entirely, etc.) without fear of what's being harvested or inferred. I don't know what a client's browser does to a dom to make it consumable by the deaf or blind, but if that's something that can be detected by untrusted code then I believe it's another example of violating a user's privacy.

Re:

[tuomasb]

Here is a demonstration of the hack using only CSS: http://ha.ckers.org/weird/CSS-history.cgi [ckers.org] You can also use: background: url"(logger.php?site=pornsite.com"); No need for the background to be a real image. This even works if you're using Noscript with Firefox.

Re:

[weicco]

All I'm getting is "The following sites were visited:" and then nothing. I'm not impressed :)

Re:

[treeves]

Same here. Opera 10.53, Javascript enabled -not that it matters.

Re:

[buchner.johannes]

Do as I did a while back and set layout.css.visited_links_enabled = false in about:config.
Not knowing whether one has seen a page already sucks though. Mozilla said at some point [1,2] that it is hard to fix that issue.
I'd be happy it if CSS/JS couldn't see :visited, but the browser can set its color.

[1] http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/ [mozilla.com]
[2] http://dbaron.org/mozilla/visited-privacy [dbaron.org]

Re:

[Qzukk]

I think the most appropriate way is to prevent :visited from applying to any URL not within the current domain.

Re:

[Anonymous Coward]

The problem with that is that will break the page layout for any links which are external to your site. I think the best way to handle it would be to preload all :visited related images at page load. Needed or not. This will result in expected page layout, and it won't be possible to infer which links where already visited. Possibly a memory hog, but browsers can also detect when a page tried to load 10,000 :visited related images and flag as possibly malicious.

Re:

[element-o.p.]

...or to regularly delete your browsing history.

Maybe I belong in the tin-foil hat crowd, but I have my browser set to do this every time I close it.

Re:

[daveime]

Or after you open 4 tabs in Firefox.

Re:

[metrometro]

1) Spear-phishing. When I threw my browser (Chrome) at it, it spit back a list of specific pages at online vendors. From there, you can make some pretty good guesses about things I've bought lately: in this case, a Dell laptop. I wouldn't click on a recall notice from Dell (register for a replacement kit!), but a lot of people would go down that rabbit hole.

2) Same-password attack. Site A requires login, scrapes list of your recently used sites, then tries the same user/password at B, C, D from your history

Re:

[thetoadwarrior]

According to their link it isn't even that good. It showed that I came here and twitter meaning it missed out about 20+ other sites. Considering I didn't do much at all at twitter and I don't who knows I come here, I'm not too worried.

Chrome 5

[binkzz]

Using Chrome 5 development version, the site says it can't find any history on my machine at all (not using incognito).

Firefox, on the other hand, has a potty mouth.

Re:

[Darkman, Walkin Dude]

Firefox 3.6 here and no history shown... :-D

Re:

[Lando]

Strange, 3.6.3 here and it finds a history.

Re:

[xOneca]

NoScript [mozilla.org]? Me too :-)

Re:

[Darkman, Walkin Dude]

Nope! ;-)

Re:

[xOneca]

I was mistaken, but I've realized how it works without scripts [slashdot.org].

Re:

[GraZZ]

The current Chrome beta (5.0.375.38) still leaks like a sieve, so they must have *just* fixed it.

Re:

[xOneca]

Actually, the CSS code for detecting :visited links is

a#l15920:visited {background:url(/l?i=15920)}

with compaining HTML:

<a href="http://chickipedia.com" id="l15920">.</a>

That is, it loads a specific URL when a particular web page has been visited. So the detection is made by the browser, but the data is collected by the server as a purposedly side effect.

Re:

[BZ]

Firefox development versions don't have this issue. The last shipped release does. But were you comparing apples (cutting edge development builds) to oranges (releases that shipped a while back)?

English as Second Language

[rueger]

Hey Taco! "Vulnerable" and "Affected by" are not synonyms.

Re:English as Second Language

[Anonymous Coward]

In other words, I'm vulnerable to a sexual attack by Scarlett Johansson. Unfortunately, I've never been affected by such an attack.

Re:English as Second Language

[olsmeister]

You're also vulnerable to a sexual attack by Mr T. However I hope you are never affected by that attack either.

Re:

[MyLongNickName]

I pity the fool!

vulnerable != affected

[chebucto]

TFA describes a honey-pot based study. It doesn't describe a real-world study of people whose browser histories were actually stolen by actual malicious websites.

94%?

[Thanshin]

In today's news:

Just a small sliver of web users are victims of Browser History Stealing. Most are running Windows 7, connecting through an IPhone and paying Facebook for the privilege.

Uh oh...

[elrous0]

Does this mean that potentially hundreds of sites know that I visit slashdot regularly?!?!?

Well, there goes my bad boy persona.

Re:

[RJFerret]

Nah, it was the collection in your history of Disney.com, gurl.com, Barbie.com, JustinBieberMusic.com, GirlsOnlyForum.com...actually...the gurl.com in there might enhance your "bad girl" persona.

When you played the barbie dress up game, did you dress her as a rocker chick?

Re:

[elrous0]

That was my daughter surfing on my computer, I swear!

Re:

[PerfectionLost]

Does this mean that potentially hundreds of sites know that I visit slashdot regularly?!?!?

So much for Anonymous Coward.

To be fixed in a future Firefox version

[Anonymous Coward]

According to http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ a future version of Firefox will address the :visited privacy issue.

One could also set layout.css.visited_links_enabled=false via about:config to disable :visited completely (at least until the issue is fixed in a future Firefox release).

Re:

[darkinnit]

Is there anyway to implement a similar workaround in Chrome, Opera, Safari and dare I ask... IE?

Re:

[oddTodd123]

Well that was easy. Thank you.

Re:

[Millennium]

So what does this affect in terms of browsing experience?

Visited links would look the same as unvisited ones.

Re:

[Millennium]

Yeah, I don't see it as all that much of a loss either, but someone asked, so I answered.

Re:

[CKW]

It used to be an important/useful feature of the web/html -- until "website designers" decided that they didn't like the look and started making certain that all links looked the same, and other things that also made it stop working.

I have a question - why the ****** does a website need to have/see/retreive the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

This was grossly unintent

Re:

[Anonymous Coward]

I have a question - why the ****** does a website need to have/see/retreive the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

But you can do more than just colour the links. You could do things like, for example, display a different link image depending on whether or not the link has been visited. In that case, it is still the browser that is making the decision which image to display, but then it has to retrieve the appropriate image from the server. Now, the server sees which image is being retrieved, and therefore knows the visited status of the link.

Re:

[amorsen]

I have a question - why the ****** does a website need to have/see/retreive the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

They don't retrieve the list. The web site just makes a link with a :visited attribute which says e.g. that visited links should show a certain background image. And then they wait for the image requests...

Re:To be fixed in a future Firefox version

[boxwood]

the website doesn't get a list of websites.

what happens is the server sets the visited link to show an image, while the unvisited link doesn't. The browser sees that an image is supposed to be displayed for the visited site, checks its history, sees that you have indeed visted that site and then downloads that image to display on the link. The server sees that you downloaded visited-slashdot.png... so it knows you have visited slashdot.

Of course visited-slashdot.png doesn't even need to exist, it just needs to see the request for that file from your browser to know you've been there.

Really CSS just shouldn't allow different images for visited and unvisited links... nobody uses this feature.

Re:

[Trogre]

... or just have the browser download the image regardless and then decide whether it needs to display it.

We Need to take more care of our browsers

[Azarman]

Today is a day, First chrome not hiding you correctly and now all your visited pages are being displayed via ccs:hover. The problem is as we get more "user-friendly" we take short cuts and become lazy, my personal approach to this is to have my most visit websites in my Fav's list and set Firefox Chrome and IE to different roles. For example I use firefox for work (logmein), IE is there for the bad websites that still dont load correctly in other browsers and Chrome for general browsing (threaded tabs for

WTF?

[foghorn19]

"A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites."

Vulnerable != affected

I'm pretty sure...

[The MAZZTer]

...fixes have landed in Firefox and Chrome trunks for this problem. Chrome's should be in the beta branch, or at least the dev branch, not sure about Firefox's. The Bugzilla link confirms Firefox has the fix (not sure which Firefox release Gecko 1.9.3 corresponds to... latest 3.6 mayve?

Can't test right now since the test site isn't on my company's firewall whitelist...

What is the test site URL?

[rcamans]

What is the test site URL?

Re:

[egcagrac0]

whtikay.com [wtikay.com]... I think.

Re:

[rcamans]

Thank you.
wtikay.com it is.

Re:With Chrome

[John Hasler]

> Look, just give it up already. Everything you do is being tracked, by
> somebody, anybody that's interested.. You can't hide anything from your
> service provider...

I rather doubt that my ISP or anyone else knows my private GPG key.

Re:

[SirWhoopass]

I don't see how that prevents them from know which web sites you have been visiting.

I'll bet that if the majority of browsers ever stopped storing history data then Cox and Comcast would readily agree to log it and sell it to the advertisers.

Re:

[boxwood]

at that time they'll find out that I've been visiting https://secure-proxy-server-that-i-trust.net/ [secure-pro...-trust.net] an awful lot.

Re:

[muckracer]

> I rather doubt that my ISP or anyone else knows my private GPG key.

You sure about that?

Re:

[Tim C]

There's a difference between my service provider potentially having the information, and some random website I happen to visit having it.

Re:

[fustakrakich]

Why? If you don't consent, what's the difference who does it?

old news

[karlzt]

this was on LWN a long time ago: http://lwn.net/Articles/350390/ [lwn.net]

Can't...imagine...caring...

[RapmasterT]

I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

that's like calling my garbage being stolen every week when the big truck comes and takes it away.

Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!

Re:

[Anonymous Coward]

I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

that's like calling my garbage being stolen every week when the big truck comes and takes it away.

Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!

Not only that, it's not actually being "stolen". It's more like it's vulnerable to a game of "Fish". Sites can basically "query" your history looking for particular URLs, and the history will simply say "yes" or "no" to indicate whether a specifically requested URL is in the history.

So, yes, feel free to not give two shits, just like I do.

Re:

[DigitAl56K]

Do you religiously log out of every authenticated site you visit? What if one passes you through a page that puts your login token in a page URL at any point in time? What if your favorite social networking site, known for sharing your private data, suddenly learned of all the items you've been viewing on Amazon or all the news articles you've been reading?

What if you're in China and after browsing some sites you weren't supposed to you hit a government site and it pulled your history and that included some

Re:

[masterwit]

Great, now we have to worry about intellectual rights regarding my history. I really do not think someone "stole" my history, they just made a copy of it. Since my history still functions just fine, I do not have a problem with this!

Why not just drop the visited attribute on links?

[bpeikes]

Browsers should just drop support for that attribute. As a matter of fact, why have any attributes that rely on generic browsing info. If a website wants to track which links I've visited, then show them to me via redirect and keep a list of which redirect links show up. How important is having a browser visually indicate which links I've visited? visited is just about as important as supporting the blink tag....Wait, blink isn't supported anymore.

Re:

[amorsen]

Visited is very useful for mailing list archives. If you try to follow a thread you can keep clicking next and previous and so on, and you can tell by the colour of the link whether you've read it before.

Slashdot ratings up

[Vapon]

anyone wonder if that site is checking our browser history while we read the article? Slashdot.org will be the most popular site according to statistics by the end of the day.

Clear the history

[Murdoch5]

Have the history clear it's self ever 2 min, it's what I do on my Box, sure it's annoying to have to log in constantly but on the other hand it's secure.

Explains why my browser history is always empty!

[noidentity]

Finally, an explanation as to why my browser history is always empty. It's being stolen by someone! I wonder if I can have it returned.

Deliberate sensationalism alert.

[asteinmetz]

"Affected" gets downgraded to "vulnerable" in the article. Percent of web users "affected?" Let's guess .001%.

Brute force, huh?

[Trogre]

This page picked up two references to youtube in my history:

http://www.youtube.com/ [youtube.com]
http://www.youtube.com/watch?v=sHzdsFiBbFc [youtube.com] (it's the spider on drugs that /. drew to my attention a long time ago)

If this is a brute-force dictionary attack, then this guy really has too much time on his hands.