Browser History File Hijack

Forum Moderators: phranque

Message Too Old, No Replies

Browser History File Hijack

engine

3:52 pm on Dec 2, 2010 (gmt 0)

Browser History File Hijack [bbc.co.uk]

A survey of 50,000 of the web's most visited websites by the team from UC San Diego found 485 sites using this method to get at browser histories, 63 were copying the data it reveals and 46 were found to be "hijacking" a user's history.

"Our study shows that popular Web 2.0 applications like mashups, aggregators, and sophisticated ad targeting are rife with different kinds of privacy-violating flows," wrote the researchers.

The researchers pointed out that some modern browsers, such as Chrome and Safari, are not vulnerable to history hijacking and that the most recent version of Mozilla has closed the loophole. Users of Internet Explorer can defeat the bug by turning on "private browsing".

frontpage

4:31 pm on Dec 2, 2010 (gmt 0)

Interesting Findings:

1) "when a user clicks on a link, there is a clear visual cue that information is being
sent over the network – the target of the link will know that the user has clicked.

However, when we list clicking as being tracked covertly, we mean that there is an additional event-handler that tracks the click, and sends information about the click to another server. google is known for doing this: when a user clicks on a link on the search page, the click is recorded by google through an event handler, without any visual cue that this is happening"

2) Of the 115 sites on which the filtered flow were reported, we found that 7 used a behavior tracking software product developed by tynt to track what is copied off the sites.

3) "While investigating several sites that installed event handlers, we also found that the huffingtonpost site exhibits suspicious behavior."

brotherhood of LAN

5:19 pm on Dec 2, 2010 (gmt 0)

Interesting find. 1% of the 50K most visited sites. Clickileaks, anyone?

herb

5:38 pm on Dec 2, 2010 (gmt 0)

An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications

[cseweb.ucsd.edu...]

While investigating several sites that installed event handlers, we also found that the huffingtonpost.com site exhibits suspicious behavior. In particular, every article on the site's front page has an onmouse-over event handler. These handlers collect in a global data structure information about what articles the mouse passes over. We consider this case to be suspicious because not only is the infrastructure present, but it in fact collects the information locally.

henry0

6:15 pm on Dec 2, 2010 (gmt 0)

And Smart Phones?

httpwebwitch

8:18 pm on Dec 2, 2010 (gmt 0)

With a few mouse event handlers and a little AJAX, recording behaviour of users on your page is trivial. Testing a given list of sites against user's history is easy - the CSS/Javascript trick that enables it has been known for a couple of years, at least.

Note that this hack can't return your entire browsing history. What it can do is tell whether a particular URL is in your browser's history.

You can glean quite a lot of insight from just a few "hits" if you query the history creatively. It depends what you want to find out about your visitors.

Once that information is received at the server, your web experience can be tailored to your browsing habits.

Tracking clicks makes sense; why would someone not do that. Tracking mouseovers... not as much. I don't consider tracking mouse events to be privacy violations, though it is a bit creepy.

Sgt_Kickaxe

11:17 pm on Dec 2, 2010 (gmt 0)

Some "reputable" companies are doing the same under the guise of doing "wholesome" things with it, but it all adds to someone's bottom line (not the visitor) and so is all the same. Browsers should ban any entity that attempts to retrieve visitor history, it's nobody's business but your own.