Stealing browser history without JavaScript

Anon Mus at
Sun Jun 14 21:34:32 UTC 2009

Zinco wrote:
> -----Original Message-----
> From: owner-or-talk at [mailto:owner-or-talk at] On
> Behalf Of Anon Mus
> Sent: Sunday, June 14, 2009 8:09 AM
> To: or-talk at
> Subject: Re: Stealing browser history without JavaScript
> Matej Kovacic wrote:
>> Hi,
>> this seems an interesting issue:
>> bye, Matej
> Been to this site and it dont work on my firefox.3.0.8 browser... (with 
> NoScript, QuickJava, Better Privacy, JavaScript Deobfuscator, Quick 
> Preference Button & User Agent Switcher)
> it replies with a 0 (zero) count. But there should be dozens.
> Seems to me it would have to have all websites known to man on the page it
> loads.  If it looks at "visited links" css on the page it loads it could
> only look at websites on that page.  It would have to store a lot of web
> pages on that hidden i-frame to really compare.  Unless you are looking to
> see if a particular person visited a particular page doesn't seem like it
> would do anyone much good.
Maybe IFrames don't work on Firefox. The pages IFrame message "Please 
enable Iframes, though" is superfluous, as it only prints if IFrames is 
functional !!

Reminds me of a security software con site years ago which would print 
some detail value known only to your browser, up on a web page. Of 
course, only YOU could see it, no data was sent to the visited web site.

Even though it was a con,  lots of people bought the security software 
to protect themselves from that non-existent leak.

In this IFrames exploit the test web page is said to have a css 
background image embedded in it. I can find no such image (background: 

The only image on the page is a javascript button. But there is a 
javascript dependent Google Analytics urchin tracker.

Would the author Brendon Bo[mb]shell like to identify him/her self?

More information about the tor-talk mailing list