Sneakily reading out your browser history

Via Stuart Colville I got a URL that uses a sneaky trick to see where you have been surfing. Jeremiah Grossman shows how you can check for visited sites.

The usual objection from developers who don’t see a security or privacy issue here is that JavaScript can read the window’s history, but only its length (the number of visited pages), not the URLs themselves. With this trick, you can get the URLs.

The trick is pretty easy: he takes a whole array of candidate sites to check against, writes a style for visited links into the page, writes out a list of links to those sites and compares each link’s computed style colour (via getComputedStyle) with the colour he set for visited links. If they match, the page is in cache and has been visited before.

I already commented that it may be more stable to set a different style on the visited links, like display block and a height, and read offsetHeight instead of the computed style. In any case, it is a clever and worrying trick.
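As an added illustration (not code from the post or from Jeremiah Grossman’s page), here is a small model of why both the colour check and the offsetHeight variant stopped working once browsers adopted the :visited privacy mitigation that Firefox shipped in 2010 and others followed: only colour-like properties may differ for :visited, and every value reported to script is the :link value. The rules, candidate URLs and history below are constructed sample data.

```javascript
// Properties a :visited rule is still allowed to change under the mitigation.
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'border-color', 'outline-color',
  'column-rule-color', 'fill', 'stroke',
]);

// rules: { link: {...}, visited: {...} } as a page's stylesheet would set them.
// Returns { painted, reported }: what the user sees vs. what script can read.
function resolveLinkStyle(rules, isVisited, mitigated) {
  const visitedProps = mitigated
    ? Object.fromEntries(
        Object.entries(rules.visited).filter(([p]) => VISITED_ALLOWED.has(p)))
    : rules.visited;
  const painted = isVisited ? { ...rules.link, ...visitedProps } : { ...rules.link };
  // Mitigated browsers always report the :link values to script,
  // even though the visited colour is still painted on screen.
  const reported = mitigated ? { ...rules.link } : painted;
  return { painted, reported };
}

// The probe from the post: write out candidate links and compare what script
// can read against the :visited rule. prop is 'color' for the original trick
// or 'height' for the offsetHeight variant; history is the browser's history.
function sniffHistory(candidates, history, rules, prop, mitigated) {
  const visited = new Set(history);
  return candidates.filter((url) => {
    const { reported } = resolveLinkStyle(rules, visited.has(url), mitigated);
    return reported[prop] === rules.visited[prop];
  });
}

// Constructed sample stylesheet, candidate list and browser history.
const RULES = {
  link:    { color: 'blue', display: 'inline', height: 'auto' },
  visited: { color: 'red',  display: 'block',  height: '30px' },
};
const CANDIDATES = ['https://bank.example/', 'https://shop.example/', 'https://news.example/'];
const HISTORY = ['https://shop.example/'];

// Which candidates each variant classifies as visited, before and after the fix.
function demo() {
  return {
    colourLeak:  sniffHistory(CANDIDATES, HISTORY, RULES, 'color',  false),
    heightLeak:  sniffHistory(CANDIDATES, HISTORY, RULES, 'height', false),
    colourFixed: sniffHistory(CANDIDATES, HISTORY, RULES, 'color',  true),
    heightFixed: sniffHistory(CANDIDATES, HISTORY, RULES, 'height', true),
  };
}
```

Before the mitigation both variants single out the visited URL; afterwards neither can, while the visited link still renders red for the user.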

6 Responses to “Sneakily reading out your browser history”

  1. mediaFetish Says:

    Wow. Brilliant approach – never would have thought of that. Very nicely done. That is concerning.

  2. matthijs Says:

    That’s frightening. So is this something browser makers are aware of? Is it on the bug list? If someone can steal a) my cookies and b) my history, I don’t want to know what can happen if I just visited a webshop to buy some stuff, my bank account to do some financial stuff and my email accounts!

    Quite ironic that I ordered your book to learn more about javascript, while at the same time I have started to browse with javascript disabled (with the ff plugin).

    So how can this happen? Are there no limits to what js can do? I mean, cookies, history... can everybody read my C: disk as well? And why? Why should js have access to my browser history or whatever else? Isn’t javascript supposed to do something with the html-document I just downloaded, nothing more, nothing less?

  3. Chris Heilmann Says:

    @matthijs: It is not that bad really. First, it is a good step that you got my book, because I wrote it for beginners, it is good to know what is going on, and it has some tips on safety, too. Secondly, with this trick you can only read out a URL where you have been, not what you have done there. You have to guess all the URLs the person might have been to and then you can test against them. A banking site makes sure that URLs are unique to the current transaction and no longer work afterwards. The same applies to cookies. No online banking system should store sensitive data in cookies, or at least not in cookies that persist after the session. Don’t get paranoid, you can keep your JavaScript on.

    What this trick makes easier is to spoof false login forms. If I test with this trick that you have visited barclays.com, I could show you a fake popup with the Barclays logo on it asking you for your login details. MSIE in the next version, along with Opera and Firefox, will always show the URL of the document in a popup window, which still makes it easy to spot a fake form. In general:

    * This trick allows you to read single URLs. There is not much chance to use it to track back your online banking wanderings

    * Don’t trust any popup or form outside your banking site’s domain (also be aware that http://www.barclays.com@123.456.888.323 is not barclays but the server after the @!)

    * If you are really concerned, clear your cache from cookies and history entries of sensitive sites when you leave them

  4. matthijs Says:

    Ok, thanks for clearing that up Chris. Still, even if a website can trace where you have been, that’s quite a thing. Say you’ve just visited this g@mblingsite. You are not allowed to, because you’re in great debt and are in a program to get rid of your addictions. After that you visit your wife’s weblog. With this history trick she can see what you’ve been doing. You will not receive a warm welcome at the end of the day!

    This is just a silly example, but the concept is quite scary. I don’t have much to hide myself, but the principle of privacy is important.

    I do have some confidence in my online banking systems. But what about all the forums I visit and for which my browser sends cookies to keep me logged in? If these cookies are stolen together with my history, they can log in as me, can’t they?

    I’m not afraid of people spoofing me, as I’ve trained myself to always look at the URLs before clicking a link. And I’ll never visit an important website from within an email or a link from another site. I do plan on keeping js off by default and only allowing it to be turned on on sites I trust. Hope I can trust you? :)

    Looking forward to your book, it should arrive in a few weeks.

  5. Johnathan Says:

    That’s totally creepy, I normally clear out my browser and cache history. I use CCleaner... it’s FREE…

  6. Shweta Says:

    Hi all,

    Please let me know, can we read the client browser history or cache using Java or J2EE?
    I wanted to retrieve the browser history; on the basis of that I want to display targeted ads in the browser.

    Please let me know.

Wait till I come! is the blog of Christian Heilmann, a developer evangelist living and working in London, England.