Tracking your Browser History, with CSS

  • joebert

A rather scary experiment for anyone who values their privacy.

http://www.making-the-web.com/misc/site ... isit/nojs/

It actually works pretty simply - it is simpler than the JS implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The background image will log the information, and then store it (and, in this case, it is displayed to you).

I noticed Ozzu pretty high up in the list of websites I've visited on the example, I wonder which one of you guys put this little experiment together. ;)
  • casablanca

Scary stuff! I wonder where they got that incredibly huge list of sites from - it even found some relatively obscure sites in my history.
  • George L.

I am a bit slow at this. What exactly happens when I visit the site? I kept hearing "click.. click.. click.." Is my history folder being (IE) recorded?
  • casablanca

George L. wrote:
What exactly happens when I visit the site? I kept hearing "click.. click.. click.." Is my history folder being (IE) recorded?

The way it works is actually quite simple (an amazing idea nevertheless), as explained on the site and quoted by joe. Basically there's a page with lots of links to common websites, and if a link is already visited, it loads a special "background image" using CSS, which is actually a server-side script that updates a page containing your list of visited websites. The "click" that you hear is IE reloading this page periodically.
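
Added example (not from the thread or the demo site): a small stylesheet audit that flags the pattern described in the posts above, a rule whose selector uses `:visited` and whose declarations fetch a URL. The sample CSS, the element ids and the `/log?site=` endpoint are constructed for illustration.

```javascript
// Constructed sample stylesheet: two rules match the pattern from the thread
// (a :visited selector that fetches a URL); the other two are harmless.
const SAMPLE_CSS = `
/* per-link rules */
a#l1:visited { background: url("/log?site=example.com"); }
a#l2:visited, a#l2:visited span { color: red; list-style-image: url(/log?site=example.org) }
a:visited { color: purple; }
@media screen {
  a.nav:hover { background-image: url(/img/hover.png); }
}
`;

// Return one finding per url() reference inside a rule whose selector list
// contains :visited. Each finding is a request the browser would make only
// for links that are already in the user's history.
function findVisitedProbes(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  // Match innermost "selector { declarations }" blocks; rules nested in
  // @media are matched too, because their own bodies contain no braces.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let rule;
  while ((rule = ruleRe.exec(css)) !== null) {
    const selectors = rule[1].split(",").map((s) => s.trim());
    const visited = selectors.filter((s) => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    // Naive split on ";" is enough for an audit of plain stylesheets.
    for (const decl of rule[2].split(";")) {
      const idx = decl.indexOf(":");
      if (idx === -1) continue;
      const property = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1);
      const urlRe = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;
      let m;
      while ((m = urlRe.exec(value)) !== null) {
        findings.push({ selector: visited.join(", "), property, url: m[2] });
      }
    }
  }
  return findings;
}

for (const f of findVisitedProbes(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.property}: ${f.url}`);
}
```

Current browsers ignore `url()`-loading properties on `:visited` rules and restrict such rules to colour changes, so a hit from this audit today points to legacy or suspicious CSS rather than a working leak.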
  • joebert

Quote:
is my history folder being (IE) recorded?


Technically, no.

If you've ever played the card game "Go Fish" as a kid, this works on the same idea.
Basically the attacker would know things that could be in your history folder and your browser inadvertently says yes or no each time the attacker asks "Have you been to this address?".
  • George L.

What is the purpose of the attacker knowing the websites I have been to?

Thanks, Joe, it is clearer now.

Thanks, Casablanca.
  • joebert

Quote:
What is the purpose of the attacker knowing the websites I have been to?


I have no idea.

A few things I would use this for though,
1) Screening non-browser based bot traffic
2) Another confirmation as to whether a visitor actually visited a TOS when they claim not to have
3) To see if visitors have already visited my competitors

I'm sure I could think of more.
  • George L.

You are right, Joe. It is a privacy intrusion, sort of.
  • casablanca

Being just a demo, I don't think it has immediate implications, but it just goes to show how "secure" our browsers are.
  • joebert

Quote:
Being just a demo, I don't think it has immediate implications


How would you feel if I used this trick to find out if you've been shopping around at my competitor's site already, and if you have, make a request in the background to find out what that competitor is currently charging and cut the price by 5%? Now how would you feel if you were my competitor?

What if I determined that you frequently visit a competitor's site, and started showing you different watered-down content because of that?
  • casablanca

Well, it definitely is a breach of privacy, but I'd say it's about the same as Google reading your mail to deliver relevant ads. In any case, it's for the corporates to bother about, and I doubt they will implement something like this anytime soon.
  • George L.

casablanca wrote:
Well, it definitely is a breach of privacy, but I'd say it's about the same as Google reading your mail to deliver relevant ads. In any case, it's for the corporates to bother about, and I doubt they will implement something like this anytime soon.


Wait a sec, about the Google-reading-your-mail stuff, I think there is a way this could be done by some program which reads it and casts it out without storing your information. I am not sure.


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.