Stealing browser history without JavaScript

Anon Mus my.green.lantern at googlemail.com
Sun Jun 14 21:34:32 UTC 2009


Zinco wrote:
> -----Original Message-----
> From: owner-or-talk at freehaven.net [mailto:owner-or-talk at freehaven.net] On
> Behalf Of Anon Mus
> Sent: Sunday, June 14, 2009 8:09 AM
> To: or-talk at freehaven.net
> Subject: Re: Stealing browser history without JavaScript
>
> Matej Kovacic wrote:
>   
>> Hi,
>>
>> this seems an interesting issue:
>>
>> http://www.making-the-web.com/misc/sites-you-visit/nojs/
>>
>> bye, Matej
>>
>>   
>>     
> Been to this site and it doesn't work on my firefox.3.0.8 browser... (with 
> NoScript, QuickJava, Better Privacy, JavaScript Deobfuscator, Quick 
> Preference Button & User Agent Switcher)
>
> it replies with a 0 (zero) count. But there should be dozens.
>
> Seems to me it would have to have all websites known to man on the page it
> loads.  If it looks at "visited links" css on the page it loads it could
> only look at websites on that page.  It would have to store a lot of web
> pages on that hidden i-frame to really compare.  Unless you are looking to
> see if a particular person visited a particular page doesn't seem like it
> would do anyone much good.
>
>
>   
Maybe IFrames don't work on Firefox. The page's IFrame message "Please 
enable Iframes, though" is superfluous, as it only prints if IFrames is 
functional!!

Reminds me of a security software con site years ago which would print 
some detail value known only to your browser, up on a web page. Of 
course, only YOU could see it, no data was sent to the visited web site.

Even though it was a con,  lots of people bought the security software 
to protect themselves from that non-existent leak.

In this IFrames exploit the test web page is said to have a css 
background image embedded in it. I can find no such image (background: 
#003399;).
(See http://www.w3schools.com/css/pr_background.asp.)

The only image on the page is a javascript button. But there is a 
javascript dependent Google Analytics urchin tracker.


Would the author Brendon Bo[mb]shell like to identify himself/herself?
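
The manual check described in the message above (reading the test page's CSS for a background image tied to visited links) can be automated. The following Python sketch is an added example, not code from this thread or from the test site; the sample stylesheet and its URLs are constructed, and it assumes the technique depends on a `:visited` rule whose declarations contain a `url()` fetch.

```python
import re

# Constructed sample stylesheet for illustration (not the test site's CSS).
SAMPLE_CSS = """
body { background: #003399; }
a:visited { color: purple; }
a#l1:visited { background: url(https://tracker.invalid/hit?site=1); }
#probe a.bank:visited span, a.x:link { background-image: URL( "/log.php?id=2" ) }
@media screen {
  a[href*="example"]:visited::before { content: url('/v?3'); }
}
/* a:visited { background: url(/commented-out) } */
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
URL = re.compile(r"url\(\s*['\"]?([^'\")]+?)['\"]?\s*\)", re.I)

def iter_rules(css):
    """Yield (selector list, declarations), descending into @media-style blocks.
    Simplification: braces inside quoted strings are not handled."""
    css = COMMENT.sub("", css)
    i = 0
    while (start := css.find("{", i)) != -1:
        prelude = css[i:start].strip()
        depth, j = 1, start + 1
        while j < len(css) and depth:          # walk to the matching "}"
            depth += {"{": 1, "}": -1}.get(css[j], 0)
            j += 1
        body = css[start + 1 : j - 1 if depth == 0 else j]
        if not prelude.startswith("@"):
            yield prelude, body
        elif "{" in body:                      # nested rules, e.g. @media
            yield from iter_rules(body)
        i = j

def find_visited_loads(css):
    """Return (selector, url) pairs where a :visited rule triggers a fetch."""
    hits = []
    for prelude, body in iter_rules(css):
        visited = [s.strip() for s in prelude.split(",") if ":visited" in s.lower()]
        if visited:
            hits += [(", ".join(visited), u) for u in URL.findall(body)]
    return hits

if __name__ == "__main__":
    for selector, url in find_visited_loads(SAMPLE_CSS):
        print(f"{selector!r} requests {url!r} when the link matches :visited")
```

A stylesheet containing only a plain colour declaration such as `background: #003399;` produces no hits, while each `:visited` rule carrying a `url()` value is reported with the URL it would request.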


