What attacks are made possible by public release of my web history?

Question

Assume that my Internet history is made public (accidentally or on purpose). And this release is over 24 hours since the visits were made.

Also, assume that there aren't embarrassing sites on there: there isn't any blackmail potential.

(My most embarrassing page visited in the last week is actually the TV tropes page for my little pony, for which I have a valid reason and a witness).

What potential attacks does this allow? I'm mildly concerned about seeing massive links like:

hxxps://kdp.amazon.com/en_US/ap-post-redirect?openid.assoc_handle=amzn_dtp&aToken=Atza%7CIwEBIO9mWoekr9KzK7rH_Db0gp93sewMCe6UcFPm_MbUhq-jp1m7kF-x0erh6NbjdLX3bm8Gfo3h7yU1nBYHOWso0LiOyUMLgLIDCEMGKGZBqv1EMyT6-EDajBYsH21sek92r5aH6Ahy9POCGEplpeKBVrAiU-vl3uIfOAHihKnB5r2yXPytFCITXM70wB5HBT-MIX3F1Y2G4WfWA-EgIfZY8bLdLangmgVq8hE61eDIFRzcSDtAf0Sz7_zxm1Ix8lV8XFBS8GSML9YSwZ1Gq6nSt9pG7hTZoGQns9nzKLk7WpAWE8RazDLKxVJD-nDsQ9VdBJe7JZJtD7c77swkYneOZ5HXgeGFkGhKsMnP7GSYndXhC_PqzY251iDt0X7e5TWvh86WZA0tG2qZ_lyIagZtB3iw&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin&openid.response_nonce=2018-12-11T13%3A46%3A52Z4004222742336216632&openid.return_to=https%3A%2F%2Fkdp.amazon.com%2Fap-post-redirect&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2CsiteState%2Cns.pape%2Cpape.auth_policies%2Cpape.auth_time%2Csigned&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone&openid.pape.auth_time=2018-12-11T13%3A46%3A52Z&openid.sig=5cx5iHjeLyWTTA9iJ%2BucszunqanOw36djKuNF6%2FOfsM%3D&serial=&siteState=clientContext%3D135-4119325-2722413%2CsourceUrl%3Dhttps%253A%252F%252Fkdp.amazon.com%252Fbookshelf%253Flanguage%253Den_US%2Csignature%3DgqJ53erzurnmO1SPLDK1gLwh9%2FUP6rGUwGF2uZUAAAABAAAAAFwPv8dyYXcAAAAAAsF6s-obfie4v1Ep9rqj

in my history and worrying that secure information might be passed in a URL somewhere.

I am aware that this makes it easier to impersonate my identity, and I'm mostly interested in the leakage of information via the URL itself.

I have a general interest, but this is motivated by a test project I'm running.

Answer 1

Your question might be more undefined than you realise. Any kind of data can be passed using URL parameters. Usernames, passwords, authentication tokens, settings, form data, or anything the web developer chooses. It's not always good practice to use URL parameters to for this, but it is always possible.

And it's entirely up to each individual web developer on each individual page (not just site) as to what might be exposed and when. So you might not be able to predict what might be exposed.

So, to answer your question, in the worst case, you could experience a complete and utter disclosure of any amount of personal data including credentials.

By request, I did a search for the practice of "passwords in URL parameters" and restricted results to this year. Here's one of the top hits:

https://answers.splunk.com/answers/622600/how-to-pass-username-and-password-as-a-parameter-v.html

That's a forum from Feb 2018 from a major, publicly traded company talking about how to do this.

Here is OWASP's official page on this vulnerability:

The parameter values for 'user', 'authz_token', and 'expire' will be exposed in the following locations when using HTTP or HTTPS:

Referer
Header
Web Logs
Shared Systems
Browser History
Browser Cache
Shoulder Surfing

Answer 2

Quite a bit actually:

• Extortion based off content
• Mapping systems that are not public
• Sensitive parameters in certain requests
• Personal information

Extortion

That search of yours that may be embarrassing and taken out of context. A WebMD search for a medical condition you don't want made known to co-workers for example. A search that was best done in incognito mode you forgot about.

Mapping systems that are not public

How about your works intranet site or that production web portal, well those names are going to pop up in your history now and if its something like Jenkins - thats a great candidate for a DNS rebind attack.

Sensitive parameters in certain requests

If you visit a site that just does the internet wrong and the parameter contains an API key, password, credential or just an account ID well that is captured and can be used now.

Personal information

I see you've been searching for holidays in March for 2 weeks - that would be a great time to break in to your house or impersonate you. Looking for an engagement ring well that sounds like something worth stealing. You did a google map from your address to another location?

Answer 3

One of the threats I'd like to mention that has not been named yet is de-anonymization.

The URIs in your history could leak information about your user accounts on different sites - for instance if you constantly check your own profile on social media sites. If you use some web services anonymously and others under your real name (Facebook, Twitter) an adversary can very easily de-anonymize and dox you. That can be especially damning for you if you appear on a platform anonymously and want it to stay that way (dating platforms, file sharing platforms, free speech platforms).

Data on the internet also has the tendency to be there for a long time, so this threat is very persistent.

Answer 4

I'll try my hand at this one... Keep in mind that there is a difference between 'all possible' and 'targeted attacks'. With that in mind, I'd break up the attack types into at least two categories: cyber and behavioral. They can be derived from one another but are inherently different in nature.

Cyber threats to someone having access to your URLs:

• HTTP POST/GET Variables -- If a particular website practices poor security standards like including sensitive personally identifiable information or secrets (passwords) in reversible or plaintext methods, this is probably the most apparent--but as I said in @schroeder's answer comments, you'd have to evaluate each URL as https://someco.com/sub1/?var1=something;var2=somethingelse might be securely written but http://someco.com/sub2/var1=something;var2=secrets. This is because most large web presences have a small army of web developers working on their front-end, back-end, and everything in between. Where there is a lack of standards in each org (which is never known to us, end-users) one part of a page may be worse off than others.

• While session data also has interesting information, it cannot be gleaned from URLs alone. So while interesting from a host-compromise scenario, it's not applicable here which is why I asked for scope of the question in my original comment.

Cyber+Behavioral threats to someone having access to your URLs

• Personal Weaknesses: What sites you frequent indicates social patterns: likes/dislikes, politics, health, wealth, etc. e.g.: If an attacker is targeting you for exploitation and knows you're visiting debt consolidation sites, they might offer you financial help in return for favors. If you're frequenting ashleymadison.com and you're married, they might approach you with blackmail to not out you to your spouse. I don't mean this to be offensive but assuming you're un-blackmailable is rather naive. This information can also allow the attacker(s) to cater attacks to you, in the case of spearfishing. e.g. If the attacker(s) know you visit fidelity.com, yahoo.com, bankofamerica.com, receiving a spoofed email from one of those domains may yield better results on opening email->attachment, or clicking link rather than if it came from xyz.com or S0m3rand0mD0main.ru.

• Personal Habits: If you're a creature of habit (as most people are), over time, they can see the times of the day you're connected to the Internet and potentially from what device(s) and what location(s). If the attacker is targeting your house, they can derive when you work, when you're home, and how erratic a confidence-level is in predicting where you'll be tomorrow or the next day.

Answer 5

To add to the post about information leakage in URL:

An attacker that has this may:

1: Extract what sites you use to try and log into to see if you are using the same creds [assumes attacker has captured a cred]

2: This info grants much more advanced knowledge for creating phishing attacks EX: "you've been selected to screen the new MLP season [whatever]"

3: Possible physical tracking based on sites "oh their kid goes to "little gals daycare" because I see them log into to pay that bill"

Could be more depending on what's in there.

Answer 6

Having your browsing history exposed means the attacker has in possession the list of URLs your browser has accessed. From a complex URL an attacker can identify this information:

1. Protocol
2. Subdomain
3. Domain
4. Port
5. Path
6. Parameters of a query
7. Fragment

Now, your privacy depends on the way the developer has built the site.

If you logged in on a website that has an URL like this:

www.example.com/?login=**myusers**&password=**mypassword**

then the attacker has your credentials for that site.

Some of possible attacks would be:

1. SQL injection
2. URL manipulation
3. Directory traversal
4. Identify theft

In simple words, your privacy/risk depends on the security level the site has.

Answer 7

In the case of a dedicated attacker specifically targeting you, they might identify some small, weakly protected amateur website you frequent and your username on it, and break into the site in the hope of finding a password that you reuse elsewhere, or stealing some other sensitive data; maybe even actively create blackmailable content using your account.

In the more likely case where the attacker is using some automated tool to analyze the web history of many people, it's what others have said - mapping intrawebs and maybe finding login information for incompetently written websites.

Answer 8

I think there's also another whole layer of attack which may come from his own level of security awareness and behavior. If he, for instance, reuses passwords, anything he can access using that password could be leaked/accessed/whatever. If you don't now specifically what's IN the web browsing history, and you can't contextualize it within his actual usage patterns and behaviors, you can't really assess the exposure.

His question--what attacks are potentially exposed by releasing browsing history--fundametnally is the wrong question. The answer is the same as "what attacks are possible from any information exposure" -- and the answer is that it depends on what that information actually is. The fact that it's web browsing history only limits the size of what information is potentially exposed, not any implication or value of that data.

From a risk standpoint, applying a control like "erasing my browsing history" regularly does a great deal to eliminate the unknowns. In the context of his project of posting his web browsing history, the right thing to do might be to eliminate anything after a question mark or hashmark from what gets published -- then, it's largely going to be a timestamped traffic pattern, rather than a content pattern.