Warning: browser history sniffing!



lovinglinux
December 4th, 2010, 02:43 PM
Several sites are exploiting a well-known browser vulnerability, which allows them to sniff what other sites you have visited, by checking the color of the hyperlinks rendered by your browser.

http://blogs.forbes.com/kashmirhill/2010/11/30/history-sniffing-how-youporn-checks-what-other-porn-sites-youve-visited-and-ad-networks-test-the-quality-of-their-data/

Don't believe it? Test it here (http://startpanic.com/).

I have tested a few browser versions. Chrome 7.0.517.44 and Firefox 4.0b8pre are immune. Firefox 3.6.12 and Opera 11.0 beta are not. In Opera, however, you can set opera:config#VisitedLink|VisitedLinksState (opera:config#Visited%20Links%20State) to 0 or 1 to fix the problem. The first disables the link state and the second limits it to the same domain.

In Firefox 3.6.12 I suppose you can avoid the issue with NoScript.

Spice Weasel
December 4th, 2010, 02:49 PM
Turn off saving history until this is fixed, and just use bookmarks if you want to remember a page you visited. That's the only way around it. ;)

I'm surprised this vulnerability hasn't been exploited before.

Oxwivi
December 4th, 2010, 03:04 PM
I don't use history or bookmarks. :D

jshepherd
December 4th, 2010, 06:55 PM
Just tested mine - only history found was the link to the test.
I'm using Chromium.

koenn
December 4th, 2010, 07:17 PM
strange that they're so concerned about privacy, and then have this too:

Moreover, you can send your friend a special link via Startpanic.com mailing system. When your friend clicks it, you will receive the list of websites he has visited recently.

wilee-nilee
December 4th, 2010, 07:31 PM
It don't got nothing on me, noscript, ghostery better privacy no history saved FF 3.6.12 other addons as well but youpron isn't a place I go. I also use bleachbit daily, all I'm trying to hide is any CC used on amazon for books.

The Real Dave
December 4th, 2010, 07:47 PM
Firefox 4 Beta 7 seems fine.

I hadn't thought someone could exploit that. Still, anyone using a low power/old machine like me should notice the sudden spike in CPU usage.

sydbat
December 4th, 2010, 07:58 PM
It don't got nothing on me, noscript, ghostery better privacy no history saved FF 3.6.12 other addons as well but youpron isn't a place I go. I also use bleachbit daily, all I'm trying to hide is any CC used on amazon for books.

Nothing from me either. Similar set up. Of course if one was using IE...

CharlesA
December 4th, 2010, 08:13 PM
The script caused my browser to stop responding, at which point, I selected "stop script"

O_o

chriswyatt
December 4th, 2010, 08:17 PM
I'm using Firefox Beta 7 and it found nothing, zilch. :)

ssam
December 4th, 2010, 08:18 PM
noscript stops it on firefox 3

MacUntu
December 4th, 2010, 08:28 PM
Why would I want to make it harder for porn sites to recommend similar porn sites? :confused:

*justkidding*

wilee-nilee
December 4th, 2010, 09:09 PM
Why would I want to make it harder for porn sites to recommend similar porn sites? :confused:

*justkidding*
:-" :-" :-"

alexan
December 4th, 2010, 09:15 PM
SRWare Iron (chromium build 7.0.520.0): nothing found

Opera 11.00 (beta): 4 links found

results:
sudo apt-get autoremove opera -y

Frogs Hair
December 4th, 2010, 10:26 PM
Strange, it only detects if I allow scripts for that page. A test or a new way to fish?

BigCityCat
December 4th, 2010, 10:39 PM
The tab says warning browser history sniffing in firefox 4 beta.

Dustin2128
December 4th, 2010, 11:15 PM
hooray for me running ffox 4.0b8pre.

handy
December 5th, 2010, 12:06 AM
Nothing found with Firefox 3.6.12, using NoScript, BeefTaco, BetterPrivacy & Greasemonkey with the googlePrivacy script (which is apparently a safer & more functional tool than GoogleSharing, you can view the script too).

I know, NoScript is all that is applicable for this test. :)

gradinaruvasile
December 5th, 2010, 12:18 AM
Several sites are exploiting a well-known browser vulnerability, which allows them to sniff what other sites you have visited, by checking the color of the hyperlinks rendered by your browser.

http://blogs.forbes.com/kashmirhill/2010/11/30/history-sniffing-how-youporn-checks-what-other-porn-sites-youve-visited-and-ad-networks-test-the-quality-of-their-data/

Don't believe it? Test it here (http://startpanic.com/).

I have tested a few browser versions. Chrome 7.0.517.44 and Firefox 4.0b8pre are immune. Firefox 3.6.12 and Opera 11.0 beta are not. In Opera, however, you can set opera:config#VisitedLink|VisitedLinksState (opera:config#Visited%20Links%20State) to 0 or 1 to fix the problem. The first disables the link state and the second limits it to the same domain.

In Firefox 3.6.12 I suppose you can avoid the issue with NoScript.

I use Opera 11 beta. How is this supposed to work? I click on the check button and there is no history displayed (with the default settings).

lovinglinux
December 5th, 2010, 12:29 AM
I use Opera 11 beta. How is this supposed to work? I click on the check button and there is no history displayed (with the default settings).

As far as I understand, it needs to actively check if you have visited a particular link. So perhaps the test didn't check for any sites you have on your history.
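
An added example, not part of the original thread and not any browser's code: a small Node.js model of what a page's script is told about a link's colour under the settings discussed above, and why a check only finds sites it explicitly asks about. The policy names, colours, URLs and history are constructed; "hardened" is an assumed model of the browsers reported immune, where script is always told the unvisited colour.

```javascript
// Constructed model, not a real browser API: the colour a renderer reports
// to page script for a link, under the policies mentioned in the thread.
const UNVISITED = "rgb(0, 0, 238)";  // sample colours, constructed
const VISITED = "rgb(85, 26, 139)";

const host = (url) => new URL(url).hostname;

// policy (names are hypothetical labels for this example):
//   "legacy"      - visited colour readable by script (Firefox 3.6.12 in the thread)
//   "same-domain" - visited state only for links on the page's own domain (Opera setting 1)
//   "disabled"    - no visited link state at all (Opera setting 0)
//   "hardened"    - script is always told "unvisited" (assumed model of immune browsers)
function reportedColor(policy, history, pageUrl, linkUrl) {
  const visited = history.has(linkUrl);
  switch (policy) {
    case "legacy":
      return visited ? VISITED : UNVISITED;
    case "same-domain":
      return visited && host(linkUrl) === host(pageUrl) ? VISITED : UNVISITED;
    case "disabled":
    case "hardened":
      return UNVISITED;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// What a checking page can learn: only URLs on its own candidate list,
// and only where the reported colour differs from the unvisited one.
function exposedUrls(policy, history, pageUrl, candidates) {
  return candidates.filter(
    (url) => reportedColor(policy, history, pageUrl, url) === VISITED);
}

// Constructed sample data: shop.example is in the history but is never
// asked about, so no policy can expose it.
const sampleHistory = new Set([
  "https://news.example/", "https://shop.example/cart", "https://test.example/about"]);
const samplePage = "https://test.example/";
const sampleCandidates = [
  "https://news.example/", "https://bank.example/", "https://test.example/about"];

function summary() {
  const out = {};
  for (const p of ["legacy", "same-domain", "disabled", "hardened"]) {
    out[p] = exposedUrls(p, sampleHistory, samplePage, sampleCandidates);
  }
  return out;
}
```
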

heldal
December 7th, 2010, 11:43 AM
It don't got nothing on me, noscript, ghostery better privacy no history saved FF 3.6.12 other addons as well but youpron isn't a place I go. I also use bleachbit daily, all I'm trying to hide is any CC used on amazon for books.

Noscript is nice, but beware wrt Ghostery. It has been acquired by a commercial enterprise (Better Advertising) and reports its activities (blocked elements) to them. I.e. parts of your browsing activities are logged by B.A.

Evil-Ernie
December 7th, 2010, 11:52 AM
Mine smells like ripe cheese...

handy
December 8th, 2010, 12:36 AM
Noscript is nice, but beware wrt Ghostery. It has been acquired by a commercial enterprise (Better Advertising) and reports its activities (blocked elements) to them. I.e. parts of your browsing activities are logged by B.A.

That caused me to dump Ghostery.

I use Greasemonkey which allows me to use the googlePrivacy script. This script does more than Ghostery & it is available for inspection when you install it, so I know a lot of eyes that are far more knowledgeable than I am have perused the script.

kaldor
December 8th, 2010, 01:04 AM
All clear on Iceweasel Beta 7.

Same with Google Chrome 9.0.570.1 dev.

What's all the fuss about?

0per4t0r
December 8th, 2010, 01:15 AM
Doesn't really concern me, as I have a strange habit to press ctrl+shift+del every few seconds..

Quadunit404
December 8th, 2010, 01:18 AM
Noscript is nice, but beware wrt Ghostery. It has been acquired by a commercial enterprise (Better Advertising) and reports its activities (blocked elements) to them. I.e. parts of your browsing activities are logged by B.A.

Ghostery doesn't track blocked elements and report them to Better Advertising unless you opt in to GhostNet or whatever it's called. It's disabled by default.

MasterNetra
December 8th, 2010, 01:52 AM
My history isn't remembered so it found nothing from me on firefox. ;)

handy
December 8th, 2010, 01:57 AM
My history isn't remembered so it found nothing from me on firefox. ;)

Both Firefox & I share the same situation re. memory, though in Firefox I set it that way. As far as my own memory is concerned, I guess I just have to blame it on the cumulative effects of age & injury...

cgroza
December 8th, 2010, 03:14 AM
The script caused my browser to stop responding, at which point, I selected "stop script"

O_o

The script made my browser crawl. Switching tabs took forever. It found the only 12 sites I visit every day but not Facebook.