4

I have read this article on how a scripted web page is able to obtain the visited history of a user browsing the page. However, I can't find any clear information in the article describing the extent of who or what can access the user's browser history.

By using a script that tests for differences between visited and unvisited links for a given url, an attacker is able to learn which sites have been visited or not.

But who would be the attacker? The web site hosting the web page with the history sniffer script? A third party (i.e., another web site in addition to or instead of the hosting web site?)? Additionally, if a third party has access, does this mean all other subsequent visited sites down the road have this access?

2 Answers

3

CSS history leak is now fixed by http://dbaron.org/mozilla/visited-privacy So to answer the question in the subject: negligible (just very outdated browsers, probably some <10%). However, history leaks are still the case.

For the descriptions of real risks of history leaks here: http://w2spconf.com/2010/papers/p26.pdf and http://petsymposium.org/2012/papers/hotpets12-4-johnny.pdf

Although CSS hacks are solved, you must remember histories might leak due to a multitude of channels: interactive techniques: http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010.pdf (can be now greatly simplified and improved) or timing analyses (a classic paper here http://selfsecurity.org/technotes/websec/webtiming.pdf; now a practical approach would be much more effective, see also references in previous papers).

The attackers can be: visited sites (so all 3rd-party scripts as well, and yes, it can be used to track users also using other techniques than the ones discussed above).

It was also maliciously exploited by at least several sites http://cseweb.ucsd.edu/~d1jang/papers/ccs10.pdf

The references in these papers are also informative.

lkk
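The answer above says the CSS history leak is closed by the :visited privacy restriction linked there. As an added example (not code from the post, from that browser patch, or from the linked papers), the snippet below models what that restriction does: a :visited rule may still change a small set of colour properties, every other property (size, background image, layout) comes from the unvisited rule, and getComputedStyle() reports the unvisited values to script. The property list and the sample stylesheet rules are assumptions written for this illustration.

```javascript
// Added example, not from the answer or from the browser patch it links:
// a model of the :visited privacy restriction that closed the CSS history leak.
// Assumption: the mitigation lets a :visited rule override only these colour
// properties and makes getComputedStyle() report the unvisited values.
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'border-color',
  'border-top-color', 'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'fill', 'stroke',
]);

// Style a browser with the mitigation actually paints for a visited link:
// start from the unvisited rule and take only the allowed colour overrides.
function appliedVisitedStyle(unvisited, visited) {
  const out = { ...unvisited };
  for (const [prop, value] of Object.entries(visited)) {
    if (VISITED_ALLOWED.has(prop)) out[prop] = value;
    // anything else (width, background-image, display, ...) is ignored,
    // so visited state cannot change layout or trigger a resource load
  }
  return out;
}

// What page script observes through getComputedStyle(): the unvisited style,
// regardless of whether the link was visited.
function observedStyle(unvisited, _visited) {
  return { ...unvisited };
}

// Properties of a :visited rule that the mitigation silently drops.
function rejectedVisitedProperties(visited) {
  return Object.keys(visited).filter((p) => !VISITED_ALLOWED.has(p));
}

// Constructed sample rules, as a stylesheet author might write them.
const UNVISITED_RULE = { color: 'blue', width: '100px', 'background-image': 'none' };
const VISITED_RULE = { color: 'purple', width: '200px', 'background-image': 'url(/img/seen.png)' };

function demo() {
  return {
    painted: appliedVisitedStyle(UNVISITED_RULE, VISITED_RULE),
    observed: observedStyle(UNVISITED_RULE, VISITED_RULE),
    dropped: rejectedVisitedProperties(VISITED_RULE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the model is the gap between `painted` and `observed`: the user still sees purple visited links, but the script sees blue either way, and the width and image differences that older sniffers relied on never take effect.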
1

Theoretically a hacker could use a Cross Site Scripting attack (aka an XSS attack) on some webpages that don't sanitise user input correctly - a comments box is often a vulnerable item on a webpage. This is one way an attacker could run code like this on a vulnerable website.

An XSS attack works somewhat like this:

Since the attacker can write anything and it will be displayed on the webpage, if the website doesn't properly sanitise input (e.g., not allowing HTML tags), an attacker could run his own JavaScript on the victim's machine. This could be used to check visited sites using this.

Preventing XSS attacks can prove to be difficult; look up the Samy worm for an example and check out his explanation.

  • CSS history leak has nothing to do with XSS attacks. –  Sep 03 '13 at 08:11
  • The OP asked how the attacker could implement such an attack, and you could use XSS for that –  Sep 03 '13 at 12:58
  • Not really. XSS could potentially be used but (1) CSS hack is now obsolete (2) it would be very complicated [although possible] to launch in practice. Current attacks such as (say) timing analyses are virtually almost impossible to launch via XSS. In summary, XSS is not a vector here. –  Sep 03 '13 at 15:23
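The answer above names a comment box that does not sanitise input as the way script ends up running in other users' browsers. As an added example (not code from the answer or from any site it mentions), the snippet below puts the vulnerable rendering beside the hardened one: the fix is to encode user text on output so the browser treats it as text, backed by a Content-Security-Policy header that refuses inline script if encoding is ever missed. The comment text and header values are constructed for the illustration.

```javascript
// Added example, not from the answer: output encoding for a comment box so
// that user-supplied text is rendered as text and never parsed as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: interpolates raw input into the page.
function renderCommentVulnerable(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened rendering: every user-controlled value is encoded for an HTML
// text context before it reaches the page.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude check used only to show the difference: did a script element from
// user input survive into the fragment?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comment containing markup.
const SAMPLE_AUTHOR = 'guest';
const SAMPLE_BODY = '<script>alert(1)</script> nice post';

// Constructed response headers that limit the damage if encoding is missed
// somewhere: inline script is not allowed, scripts load only from the site.
const HARDENING_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'Content-Type': 'text/html; charset=utf-8',
};

function demo() {
  return {
    vulnerable: renderCommentVulnerable(SAMPLE_AUTHOR, SAMPLE_BODY),
    safe: renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY),
    headers: HARDENING_HEADERS,
  };
}

console.log(demo());
```

Encoding must match the context the value lands in; the function above is for HTML text and attribute values, and a value placed inside a script block or a URL needs a different encoder.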