
Re: [tor-talk] New HTTP authorization attack



On 22/08/11 20:08, stringer@xxxxxxxxxxx wrote:

> "The JonDoFox research team has uncovered a new attack on web 
> browsers: Affected are the web browsers Firefox, Chrome and Safari. 
> By a hidden call of a URL with HTTP authentication data, third 
> party sites could track a user over several web sites, even if the 
> user blocks all cookies and other tracking procedures. For doing 
> this, it is sufficient to include a simple CSS file:
> <link rel="stylesheet" type="text/css"
> href="http://Session:638431048@xxxxxxxxxxxx/auth.css.php">

FWIW, there are many ways to track a browser cross-site and across
restarts, even if you have javascript and cookies and flash cookies
disabled. I recently blogged about a bunch of them which abuse the
browser cache here:

https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
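
The quoted advisory describes a stylesheet link whose URL carries HTTP authentication data. The following is an added example, not part of the original message or of JonDoFox's code: a small auditor that lists subresource URLs with a userinfo component in a page's HTML. The function names, the tag list and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Attributes that make a browser fetch a subresource without user action
# (illustrative subset, not exhaustive).
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src",
               "iframe": "src", "embed": "src", "source": "src"}

class UserinfoAudit(HTMLParser):
    """Collect subresource URLs that carry HTTP auth data (user[:pass]@host)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative references against the page URL before parsing.
        url = urlsplit(urljoin(self.page_url, value.strip()))
        if url.scheme not in ("http", "https") or url.username is None:
            return
        self.findings.append({
            "tag": tag, "host": url.hostname,
            "token": url.username + (":" + url.password if url.password else ""),
            # Simplification: compares exact hostnames, not registrable domains.
            "third_party": url.hostname != self.page_host,
        })

def audit(html, page_url):
    parser = UserinfoAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the credential string is the one quoted above,
# the hosts are placeholders under the reserved .example TLD.
SAMPLE = """<html><head>
<link rel="stylesheet" type="text/css" href="http://Session:638431048@tracker.example/auth.css.php">
<link rel="stylesheet" href="/site.css">
</head><body><img src="http://cdn.example/logo.png"></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "http://shop.example/index.html"):
        print(finding)
```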
