Wednesday, June 25, 2014

History Theft With CSS Boolean Algebra

Michal Zalewski (via Hacker News):

Up until mid-2010, any rogue website could get a good sense of your browsing habits by specifying a distinctive :visited pseudo-class, rendering thousands of interesting URLs off-screen, and then calling the getComputedStyle API to figure out which pages appear in your browser's history.

After some deliberation, browser vendors have closed this loophole by disallowing almost all attributes in :visited selectors, spare for the ability to alter text, foreground, and background colors for such links. The APIs have been also redesigned to prevent the disclosure of this color information via getComputedStyle.

This workaround did not fully eliminate the ability to probe your browsing history, but limited it to scenarios where the user can be tricked into unwittingly feeding the style information back to the website, disclosing information about one URL at a time. Several fairly convincing attack vectors have been demonstrated - my own entry can be found here - but they generally require roughly one click per every visited URL. In other words, the whole thing doesn't scale particularly well.

The practicality of such CSS-based history snooping attacks could be improved greatly if we had a way to design an n-to-2n decoder circuit with the styling elements available on visited links.

Comments RSS · Twitter

Leave a Comment