Thursday, August 24th, 2006

I Know Where You’ve Been…

Category: JavaScript, Security

Jeremiah Grossman writes in with a downright spooky blog posting:

I updated the blog template to display some proof-of-concept browser history stealing JavaScript code. On the right side column notice the “I know where you’ve been” heading. Below that, if your using Firefox, Mozilla, Netscape or Safari, you should see a bunch of links to websites you’ve been to.

I’d post a screen capture, but, er, I don’t want you to know where I’ve been.

In another demonstration of the technique, a web developer who goes by the moniker “Archiloque” created a neat little grid of images that change their appearance if you have visited certain sites:

Hyperlink History Cubes

Try it out. Neat.

Posted by Ben Galbraith at 2:27 pm
8 Comments

+++--
3.9 rating from 17 votes

8 Comments »

Comments feed TrackBack URI

IE7RC1 blocks it yet FireFox 2.0B1 allows it.. hrm..

Comment by Colin Bowern — August 24, 2006

I could do something similar with just CSS (no JavaScript). First define the following styles:


a.IKnowWhereYouveBeen:visited {
display: block;
}
a.IKnowWhereYouveBeen {
display: none;
}

Next, put each URL in a link tag like so:


<a href="http://www.google.com/" class="IKnowWhereYouveBeen">Google</a>

If the user hasn’t been to Google, the link will be hidden. If the user has been to Google, the link will be displayed. This should work across all CSS-capable browsers whether JavaScript is enabled or not. Put a large list of URLs into this and you would show a user their browsing history.

Of course, the information can’t be transmitted back to the web server without JavaScript, but something like this could be used either as a mild prank or as a trick by a malicious individual. I’m thinking either one of those disreputable “security” vendors who show you file://c:/, tell you that this proves that your files are viewable to anyone and try to sell you software to prevent it or a phisher who might use it to display a fake website depending on what websites the user has viewed in the past. (Not that I’m trying to give them ideas, mind you.)

Comment by Jason Levine — August 24, 2006

Jason,

you could use a different CSS background image (with an appended timestamp to prevent caching) for each url to force a hit on the server.

No Javascript necessary.

Comment by Dietrich Kappe — August 24, 2006

Hmm is this a security threat or just a “feature” ?

Comment by Piotr Jankowski — August 25, 2006

[…] So as I posted yesterday, Ajaxian.com picked up a pretty neat method for seeing what Web sites your users have visited. […]

Pingback by Prototype JavaScript: Ending privacy one visit at a time. » Dude, WTF?! — August 25, 2006

I first thought the same as above posters. You’ve got to know the name of the site to make it visible, and so on. And it is a feature as such, so I don’t think it would be turned off by default. But the negative side behind it is two-fold for me:
First of all, why would anyone be interested in the complete browser history altogether? Imagine any kind of business checking out if you’ve been on rival websites in the last x days (however long you allow your history to be). Let’s say, if I was McDonalds, I’d be interested if you’ve been to Burger King. Or Taco Bell. I don’t care if you went to Home Depot or the 99c store around the corner. And this method makes this information available.
Then, if you were interested in a more general view into the browser history, don’t forget that the concept allows for brute force. Likely addresses, combinations of letters and TLD’s should provide an easy way of generating tons of real and valid URLs. I don’t know how performant JS is on the average machine, but it’d imagine it to be, er, lots.

Comment by Matthias — August 25, 2006

Good point Dietrich. You wouldn’t even need to display any text if you wanted to do it on the sly. A user could have their history “read” like this even if JavaScript was turned off and they wouldn’t even know it happened.

Comment by Jason Levine — August 25, 2006

> Let’s say, if I was McDonalds, I’d be interested if you’ve
> been to Burger King.

Why is that? What value would this information have for McD, how would it affect decisions they make? I am curious.

Comment by Martin — August 26, 2006

Leave a comment

You must be logged in to post a comment.