76% Of Users Exposing Their Browsing Histories

Use Netsparker


This is actually a very old flaw as it’s part of the core HTTP standards, it’s exploiting the very way in which the Internet works. Basically most browsers expose browsing history if probed in the right way, the fact was that it was just too resource intensive to get any useful data.

Someone has refined the attack using the top 5000 most popular sites, then pulling specific URL data when it gets positive responses on those. With this technique giving them the ability to scan up to 30,000 URLs a second…as soon as you land on the site they can pull the data. I wonder if anyone will start exploiting this to serve more relevant content/ads to users.

It’s pretty neat actually, check it out here:

http://whattheinternetknowsaboutyou.com/

The vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they’ve read and the Zip Codes they’ve entered into online forms.

According to results collected from more than 271,000 visits to a site called What the internet knows about you, 76 percent of users exposed their browser histories, with the proportion of those using Apple’s Safari and Google Chrome browsers even higher. Surprisingly, the percentage was also higher among browsers that turned off JavaScript.

While the underlying browser history disclosure vulnerability was disclosed a decade ago, researchers on Thursday disclosed a variety of techniques that make attacks much more efficient. Among other things, the researchers described an algorithm that can scan as many as 30,000 links per second. That makes it possible for webmasters to stealthily gobble up huge amounts of information within seconds of someone visiting their site.

It correctly identified 11 major sites which I have visited recently and actually displayed the exact Wikipedia pages I’ve visited in the past. They’ve also extended the attack even further to get people’s ZIP codes from sites which utilize it (Weather & Movie sites for example).

Plus some other sites I’ve visited (Twitter, Google sites, Archive.org, Speedtest.net etc).

It’s still limited in scope as stated by the researchers, but once again it’s a nice extension of an old attack which yields a lot more accurate data.

What’s more, the researchers showed how webmasters can launch attacks that detect Zip Codes entered into weather or movie listings sites, find search terms entered into Google and Bing, and discover specific articles viewed on Wikileaks and dozens of popular news sites.

“While limited in scope due to resource limitations, our results indicate that history detection can be practically used to uncover private, user-supplied information from certain web forms for a considerable number of internet users and can lead to targeted attacks against the users of particular websites,” the researchers, Artur Janc and Lukasz Olejnik, wrote.

The results, presented at the Web 2.0 Security and Privacy conference in Oakland, California, are the latest convincing evidence that anonymity on the net is largely a myth. Separate research released earlier this week showed that 84 percent of browser users leave digital fingerprints that can uniquely identify them. It stands to reason that attacks that combine both methods could unearth even more information most presume is private.

Last month, Mozilla said it would add protections to its upcoming Firefox 4 that would plug the gaping information disclosure vulnerability, which is known to plague every major browser. Most browser publishers, Microsoft included, have offered a variety of workarounds, but have said fixing the weakness will be extremely difficult because it’s at the core of the HTTP standard.

It can also parse out from RSS feeds on news sites to probe for articles you might have recently read if it has already discovered that you have visited the main URL.

We’ll have to see how Mozilla attempts to address this in Firefox 4 and if it really works.

Many more details are available in a PDF of their report, which you can grab here: p26.pdf

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


6 Responses to 76% Of Users Exposing Their Browsing Histories

  1. CBRP1R8 May 21, 2010 at 7:35 pm #

    hehe I use Firefox latest version with a few add-on’s …I got a blank screen with done when going to that site…i guess that’s a good thing since the interwebs doesn’t know about me… :D

  2. Honkey May 22, 2010 at 12:05 pm #

    @CBRP1R8, the moment you allow Java Script for a website you are vulnerable.

  3. Honkey May 22, 2010 at 5:14 pm #

    I was wrong, it works without JS. NNScript can protect you though.

    http://www.haveyourfriendsbeenthere.com/

  4. d.l. May 23, 2010 at 12:39 pm #

    Well, FF & NoScript Addon – no History data
    But! SeaMonkey with same NoScript addon – and all access to history. Strange..

  5. Matt May 24, 2010 at 5:05 pm #

    I just wrote a post with a demo of this “vulnerability”. Yet another reason to make sure Firefox deletes all history after you’ve closed your browser. :-)

  6. Chris May 25, 2010 at 4:35 pm #

    You can disable this feature, as it is a subset of CSS.

    In Firefox, go to the address bar, and type

    about:config

    And change the following property:

    Layout.css.visited_links_enabled = FALSE

    No more theft of browsing history :D