NOTICE:
This content is in the "archives" of Gadgetopia. It has been moved to this subdomain as it is no longer considered relevant to the site. It is being hosted here for a indeterminate period of time. Its existence at this URL is not guaranteed, and it may be removed at any time. If you would like to refer to this content in the future, you are encouraged to save it to your local file system.

Start Panic

Originally published by "dbarker" on 2009-04-24 14:53:00Z

Start Panicking!: Think your browsing history is secure? It’s not.

Go here, and press the button.

If someone knows how they’re doing this, do tell.

Comment by "Lewis" on 2009-04-24 16:15:00Z
I've not looked at the code (yet) but I suspect they're putting links in the DOM and then checking their colour via CSS. It works because browsers change the link colours for websites that you've previously visited.
Comment by "Lewis" on 2009-04-24 16:19:00Z
Yep, a quick look at the code shows: p.doc.write("a{color: #000000; display:none;}"); p.doc.write("a:visited {color: #FF0000; display:inline;}"); So it's only showing websites that have been visited. It also explains why they only seem to be top level domains it finds, and all reasonably popular. Still it's quite impressive how many it can find (it must have a huge database of domains).
Comment by "Mike Flynn" on 2009-04-24 08:33:00Z
That is damn clever!
Comment by "Josh" on 2009-04-25 06:27:00Z
Their db contains 100,000 entries: [http://startpanic.com/db/db_en.txt](http://startpanic.com/db/db_en.txt) (1.4M) Neat trick!
Comment by "jonathan peterson" on 2009-04-29 13:50:00Z
javascript running on MY machine can find my visited history. it's not like this is serverside technology. clever, but not a security issue.
Comment by "Slobodan Kovacevic" on 2009-04-30 17:39:00Z
@jonathan It isn't a server side script, but it doesn't mean it's not a security issue. Script posts its results to server, effectively notifying server about sites you've visited.
Comment by "jcg" on 2009-05-06 14:59:00Z
not too worried about it. using NoScript, so nothing happened until i let it run.
Comment by "Joseph Marlin" on 2009-05-06 15:14:00Z
I wouldn't be too fast to dismiss this as minor. @jcg: That's good, and I use NoScript too, but what about all the people who don't? @jonathan: Imagine a less-than-ethical business which would utilize this idea, coupled with a targeted database to determine browsing habits of their customers. Imagine advertisers using this as spyware. Yes it is client-side, but it doesn't require any user input to run, and the results could easily be sent back to a database, as Slobodan pointed out. There are many nasty uses for this, if you put your mind to it.
Comment by "brandon c" on 2009-05-06 06:41:00Z
noscript alone won't protect you; you can load remote images in css without the help of javascript ("background: url('http://www.example.com/www.yahoo.com');")
Comment by "brandon c" on 2009-05-06 06:43:00Z
also see: [http://ha.ckers.org/weird/CSS-history.cgi](http://ha.ckers.org/weird/CSS-history.cgi) for some people who were doing this 2.5 years ago
Comment by "willis" on 2009-05-07 16:35:00Z
As some security experts have pointed out, this is good for determining if a particular CSRF may be appropriate for the visitor. I'm thinking it wouldn't be difficult to load some hidden images from other sites (bankofamerica.com/global/images/new_Banklogo.gif) and find the load time to determine if it was cached and displayed versus downloaded and displayed.
Comment by "Pete" on 2009-05-18 11:35:00Z
There's a better version at [http://linuxbox.co.uk/stealing-browser-history-with-javascipt-and-css.php](http://linuxbox.co.uk/stealing-browser-history-with-javascipt-and-css.php) - a lot faster and doesn't make my browser hang like SP does
Comment by "Jos" on 2010-11-10 17:03:00Z
So, does the above link that Pete so kindly posted find the history of the browser? My Chrome history page does that.