
They Know Where You Browse

Did you realise that for years people have been aware that web sites can detect which pages you’ve previously visited, and this privacy hole is still unpatched in all major browsers? Shocking, eh? Give it a try.

It’s a fiendishly simple information leak. Browsers treat visited links differently, with CSS allowing styling through a:visited, but this gives the game away. By cleverly styling a long list of links to different sites, then detecting this styling with JavaScript, a page can secretly grab your browser history and send it back to the server. Some advertisers must salivate uncontrollably at the mere thought of unleashing such power.

The thing is, there’s no way around it without either abandoning the whole idea of visited links, or disabling/crippling JavaScript (many of those commenting on the Mozilla bug report haven’t fully understood how wide-ranging a fix would need to be). So it’s not so shocking; as happens so often with security issues, we’re accepting a minor problem rather than suffering an inconvenient solution.
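With no fix in the browser, one thing a defender can do is look for pages that combine the ingredients described above. The following JavaScript is an added example, not code from the original post: a static heuristic that flags page source containing an a:visited rule, a script that reads styles back, and links to many different sites. The MIN_HOSTS threshold, the function names and both sample pages are assumptions constructed for illustration.

```javascript
// Added example (not from the original post). Sample pages are constructed.
const MIN_HOSTS = 5; // assumed threshold for "a long list of links to different sites"

// Collect distinct off-site hosts from absolute URLs in markup or script strings.
function externalHosts(source, pageHost) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const host = m[1].toLowerCase();
    if (host !== pageHost.toLowerCase()) hosts.add(host);
  }
  return hosts;
}

// Flag a page only when all three ingredients of the leak are present.
function scanForHistorySniffing(source, pageHost) {
  const hosts = externalHosts(source, pageHost);
  const signals = {
    // CSS that styles visited links differently
    visitedRule: /:visited\b[^{}]*\{/i.test(source),
    // script that reads the applied style back
    styleReadback: /\bgetComputedStyle\s*\(|\.currentStyle\b/.test(source),
    // links to many different sites
    manyExternalHosts: hosts.size >= MIN_HOSTS,
  };
  return {
    suspicious: Object.values(signals).every(Boolean),
    hostCount: hosts.size,
    signals,
  };
}

// Constructed sample: link list, a:visited rule and a style read-back.
const SNIFFING_PAGE = `
<style>#probe a:visited { color: #ff0000 }</style>
<div id="probe">
${[1, 2, 3, 4, 5, 6].map(n => `<a href="http://site${n}.example/">x</a>`).join("\n")}
</div>
<script>var c = getComputedStyle(document.links[0], null).color;</script>`;

// Constructed sample: ordinary page that styles visited links but never reads them back.
const ORDINARY_PAGE = `
<style>a:visited { color: purple }</style>
<a href="http://blog.example/about">About</a>
<a href="http://news.example/">News</a>`;

console.log(scanForHistorySniffing(SNIFFING_PAGE, "blog.example"));
console.log(scanForHistorySniffing(ORDINARY_PAGE, "blog.example"));
```

This is a static heuristic, so a hit is a reason to review the page rather than proof of anything.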

Filed under: Client-side Coding, Security and Privacy, Software, Web



Malevolent Design Weblog

Matt Round’s company blog, covering web development, media, technology and pretty much anything else.
