Thursday, August 24th, 2006
I Know Where You’ve Been…
Jeremiah Grossman writes in with a downright spooky blog posting: I updated the blog template to display some proof-of-concept browser history stealing JavaScript code. On the right side column notice the “I know where you’ve been” heading. Below that, if you’re using Firefox, Mozilla, Netscape or Safari, you should see a bunch of links to websites you’ve been to.
I’d post a screen capture, but, er, I don’t want you to know where I’ve been.
In another demonstration of the technique, a web developer who goes by the moniker “Archiloque” created a neat little grid of images that change their appearance if you have visited certain sites:
Try it out. Neat.
IE7RC1 blocks it yet FireFox 2.0B1 allows it.. hrm..
I could do something similar with just CSS (no JavaScript). First define the following styles:
a.IKnowWhereYouveBeen:visited {
    display: block;
}
a.IKnowWhereYouveBeen {
    display: none;
}
Next, put each URL in a link tag like so:
<a href="http://www.google.com/" class="IKnowWhereYouveBeen">Google</a>
If the user hasn’t been to Google, the link will be hidden. If the user has been to Google, the link will be displayed. This should work across all CSS-capable browsers whether JavaScript is enabled or not. Put a large list of URLs into this and you would show a user their browsing history.
Of course, the information can’t be transmitted back to the web server without JavaScript, but something like this could be used either as a mild prank or as a trick by a malicious individual. I’m thinking either one of those disreputable “security” vendors who show you file://c:/, tell you that this proves that your files are viewable to anyone and try to sell you software to prevent it or a phisher who might use it to display a fake website depending on what websites the user has viewed in the past. (Not that I’m trying to give them ideas, mind you.)
Jason,
you could use a different CSS background image (with an appended timestamp to prevent caching) for each url to force a hit on the server.
No Javascript necessary.
Hmm is this a security threat or just a “feature” ?
[...] So as I posted yesterday, Ajaxian.com picked up a pretty neat method for seeing what Web sites your users have visited. [...]
I first thought the same as above posters. You’ve got to know the name of the site to make it visible, and so on. And it is a feature as such, so I don’t think it would be turned off by default. But the negative side behind it is two-fold for me:
First of all, why would anyone be interested in the complete browser history altogether? Imagine any kind of business checking out if you’ve been on rival websites in the last x days (however long you allow your history to be). Let’s say, if I was McDonalds, I’d be interested if you’ve been to Burger King. Or Taco Bell. I don’t care if you went to Home Depot or the 99c store around the corner. And this method makes this information available.
Then, if you were interested in a more general view into the browser history, don’t forget that the concept allows for brute force. Likely addresses, combinations of letters and TLDs should provide an easy way of generating tons of real and valid URLs. I don’t know how performant JS is on the average machine, but I’d imagine it to be, er, lots.
Good point Dietrich. You wouldn’t even need to display any text if you wanted to do it on the sly. A user could have their history “read” like this even if JavaScript was turned off and they wouldn’t even know it happened.
> Let’s say, if I was McDonalds, I’d be interested if you’ve
> been to Burger King.
Why is that? What value would this information have for McD, how would it affect decisions they make? I am curious.