Using CSS visited to steal your history

2013.05.06
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

I guess this may be somewhat amusing...

As you probably know, most browser vendors have fixed the ability to enumerate your browsing history through the CSS :visited pseudo-selector. The fix severely constrains the styling possible for visited links, and hides it from APIs such as window.getComputedStyle() [1].

The fix does not prevent attackers from extracting similar information through cache timing [2], or by examining onerror / onload events for scripts and images loaded from sites to which you may be logged in. Nevertheless, the :visited attack is particularly versatile and reliable, so several people have tried to circumvent the fix by showing the user a set of hyperlinked snippets of text that, depending on the browsing history, will blend with the background or remain visible on the screen. Their visibility can be then indirectly measured by seeing how the user interacts with the page.

The problem with these attacks is that they are either unrealistic, or extremely low-throughput. So, here is a slightly more interesting entry for this contest. The PoC works in Chrome and Firefox, but should be easily portable to other browsers:

http://lcamtuf.coredump.cx/yahh/

The basic idea behind this inferior clone of Asteroids is that we hurl a lot of link-based "asteroids" toward your spaceship, but you only see (and take down) the ones that correspond to the sites you have visited. There are several tricks to maintain immersion, including some proportion of "real" asteroids that the application is sure are visible to you.

The approach is easily scalable to hundreds or thousands of URLs that can be tested very quickly, as discussed here:

http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html

Captain Obvious signing off,
/mz

[1] https://developer.mozilla.org/en-US/docs/CSS/:visited
[2] http://lcamtuf.blogspot.com/2011/12/css-visited-may-be-bit-overrated.html

References:

https://developer.mozilla.org/en-US/docs/CSS/:visited
http://lcamtuf.blogspot.com/2011/12/css-visited-may-be-bit-overrated.html
http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html
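
The two halves of the fix described in the post (restricted :visited styling, and getComputedStyle() reporting the unvisited value) can be modeled as follows. This is an added example, not code from the post or from any browser; the function names and the sample stylesheet are constructed, and the property list is taken from the MDN page cited as [1] and may differ between browser versions.

```javascript
// Added illustration; a simplified model, not browser source code.
// Properties a :visited rule may set, per the MDN page cited as [1]
// (for fill/stroke only the color part is honored; alpha is ignored).
const VISITED_ALLOWED = new Set([
  "color", "background-color", "border-color", "border-top-color",
  "border-right-color", "border-bottom-color", "border-left-color",
  "column-rule-color", "outline-color", "text-decoration-color",
  "text-emphasis-color", "fill", "stroke",
]);

// Split a flat stylesheet (no nesting, comments or at-rules) into
// { selector, prop, value } declarations.
function parseDeclarations(css) {
  const out = [];
  for (const m of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const selector = m[1].trim();
    for (const decl of m[2].split(";")) {
      const i = decl.indexOf(":");
      if (i < 0) continue; // empty segment after the last ";"
      out.push({
        selector,
        prop: decl.slice(0, i).trim().toLowerCase(),
        value: decl.slice(i + 1).trim(),
      });
    }
  }
  return out;
}

// For every declaration under a :visited selector, report whether a browser
// with the fix would apply it when painting a visited link.
function auditVisited(css) {
  return parseDeclarations(css)
    .filter((d) => /:visited\b/i.test(d.selector))
    .map((d) => ({ ...d, honored: VISITED_ALLOWED.has(d.prop) }));
}

// Second half of the fix: script always reads the unvisited value, while
// the painted value may differ for a visited link.
function resolve(unvisited, visitedDecls, isVisited) {
  const painted = { ...unvisited };
  if (isVisited) {
    for (const d of visitedDecls) if (d.honored) painted[d.prop] = d.value;
  }
  return { painted, reportedToScript: { ...unvisited } };
}

// Constructed sample stylesheet.
const SAMPLE_CSS = `
a:link    { color: blue; display: inline; }
a:visited { color: purple; display: none; background-image: url(/v.png); }
`;
```

Run over a site's own stylesheets, `auditVisited` flags :visited declarations that have no effect in fixed browsers; `resolve` shows why only a color difference remains on screen while script sees nothing.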



Copyright 2019, cxsecurity.com

 
