[tor-talk] New HTTP authorization attack
tor at lists.grepular.com
Mon Aug 22 19:49:37 UTC 2011
On 22/08/11 20:08, stringer at hushmail.me wrote:
> "The JonDoFox research team has uncovered a new attack on web
> browsers: Affected are the web browsers Firefox, Chrome and Safari.
> By a hidden call over of a URL with HTTP authentication data, third
> party sites could track a user over several web sites, even if the
> user blocks all cookies and other tracking procedures. For doing
> this, it is sufficient to include a simple CSS file:
> <link rel="stylesheet" type="text/css"
> href="http://Session:638431048@ipcheck.info/auth.css.php">
FWIW, there are many ways to track a browser cross-site and across
restarts, even if you have JavaScript and cookies and Flash cookies
disabled. I recently blogged about a bunch of them which abuse the
browser cache here:
https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
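
The tracking vector in the quoted announcement can be checked for from the defender's side. The following is an added example, not part of the original post or of JonDoFox's code: it scans a page's HTML for automatically loaded subresources whose URL carries HTTP authentication userinfo. The page URL, the sample markup, the set of tags checked and the idea of stripping the userinfo are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs a browser fetches without user action (assumed,
# non-exhaustive set chosen for this example).
AUTO_LOADED = {"link": "href", "script": "src", "img": "src", "iframe": "src"}

class UserinfoFinder(HTMLParser):
    """Collects subresource URLs of the form scheme://user:pass@host/..."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_LOADED.get(tag)
        for name, value in attrs:
            if name != wanted or not value:
                continue
            parts = urlsplit(urljoin(self.page_url, value))
            if parts.username is None and parts.password is None:
                continue  # no credentials embedded in the URL
            # Drop everything up to the last "@" to get the bare host[:port].
            bare = parts._replace(netloc=parts.netloc.rpartition("@")[2])
            self.findings.append({
                "tag": tag,
                "host": parts.hostname,
                "userinfo": f"{parts.username or ''}:{parts.password or ''}",
                "third_party": parts.hostname != self.page_host,
                "clean_url": bare.geturl(),
            })

def find_userinfo_urls(html, page_url):
    finder = UserinfoFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; only the stylesheet URL comes from the post above.
PAGE_URL = "http://news.example/story.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" type="text/css" href="/site.css">
<link rel="stylesheet" type="text/css"
 href="http://Session:638431048@ipcheck.info/auth.css.php">
</head><body><a href="http://u:p@news.example/x">not auto-loaded</a></body></html>"""

if __name__ == "__main__":
    for finding in find_userinfo_urls(SAMPLE_HTML, PAGE_URL):
        print(finding)
```
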