
Re: Stealing browser history without JavaScript



Zinco wrote:
-----Original Message-----
From: owner-or-talk@xxxxxxxxxxxxx [mailto:owner-or-talk@xxxxxxxxxxxxx] On
Behalf Of Anon Mus
Sent: Sunday, June 14, 2009 8:09 AM
To: or-talk@xxxxxxxxxxxxx
Subject: Re: Stealing browser history without JavaScript

Matej Kovacic wrote:
Hi,

this seems an interesting issue:

http://www.making-the-web.com/misc/sites-you-visit/nojs/

bye, Matej

Been to this site and it doesn't work on my Firefox 3.0.8 browser... (with NoScript, QuickJava, Better Privacy, JavaScript Deobfuscator, Quick Preference Button & User Agent Switcher)

It replies with a 0 (zero) count. But there should be dozens.

Seems to me it would have to have all websites known to man on the page it
loads.  If it looks at "visited links" css on the page it loads it could
only look at websites on that page.  It would have to store a lot of web
pages on that hidden i-frame to really compare.  Unless you are looking to
see if a particular person visited a particular page, it doesn't seem like it
would do anyone much good.


Maybe IFrames don't work on Firefox. The page's IFrame message "Please enable Iframes, though" is superfluous, as it only prints if IFrames are functional!!

Reminds me of a security software con site years ago which would print some detail value known only to your browser, up on a web page. Of course, only YOU could see it, no data was sent to the visited web site.

Even though it was a con, lots of people bought the security software to protect themselves from that non-existent leak.

In this IFrames exploit the test web page is said to have a CSS background image embedded in it. I can find no such image (background: #003399;).
(See http://www.w3schools.com/css/pr_background.asp.)

The only image on the page is a JavaScript button. But there is a JavaScript-dependent Google Analytics urchin tracker.


Would the author Brendon Bo[mb]shell like to identify him/herself?