Comments on: Sneakily reading out your browser history

By: Johnathan

Johnathan — Tue, 14 Aug 2007 04:58:58 +0000

Thats totally creepy,I normally clear out my browser and cache history. I use CCleaner.. its FREE…

By: matthijs

matthijs — Tue, 22 Aug 2006 07:15:16 +0000

Ok thanks for clearing that up Chris. Still, even if a website can trace were you have been, that’s quite a thing. Say you’ve just visited this g@mblingsite. You are not allowed to, because you’re in great debt and are in a program to get rid of your addictions. After that you visit your wife’s weblog. With this history trick she can see what you’ve been doing. You will not recieve a warm welcoming at the end of the day!

This is just a silly example, but the concept is quite scary. I don’t have much to hide myself, but the principle of privacy is important.

I do have some convidence in my online banking systems. But what about all the forums I visit and for which my browser sends cookies to keep me logged in? If these cookies are stolen together with my history, they can login as me can’t they?

I’m not afraid of people spoofing me, as I’ve trained myself to always look at the url’s before clicking a link. And I’ll never visit an important website from within an email or a link from another site. I do plan on keeping js off by default and only allowing it to be turned on on sites I trust. Hope I can trust you? :)

Looking forward to your book, it should arrive in a few weeks.

By: Chris Heilmann

Chris Heilmann — Tue, 22 Aug 2006 06:50:22 +0000

@Mathijs: It is not that bad really. First, it is a good step you got my book, because I wrote it for beginners and it is good to know what is going on and it has some tips on safety, too. Secondly, with this trick you can only read out a URL where you have been, not what you have done there. You have to guess all the URLs the person might have been and then you can test against them. A banking site makes sure that URLs are unique to the current transaction, and do not work afterwards any longer. The same applies to cookies. No online banking system should store sensitive data in cookies, or at least not in cookies that persist after the session. Don’t get paranoid, you can keep your JavaScript on.

What this trick makes easier is to spoof false login forms. If I test with this trick that you have visited barclays.com I could show you a fake popup with the barclays logo on it asking you for your login details. MSIE in the next version, along with Opera and Firefox will always show the URL of the document in a popup window, which still makes it easy to spot a fake form. In general:

* This trick allows you to read single URLs. There is not much chance to use it to track back your online banking wanderings

* Don’t trust any popup or form outside your banking site’s domain (also be aware that http://www.barclays.com@123.456.888.323 is not barclays but the server after the @!)

* If you are really concerned, clear your cache from cookies and history entries of sensitive sites when you leave them

By: matthijs

matthijs — Tue, 22 Aug 2006 05:30:30 +0000

That’s frightening. So is this something browser makers are aware of? Is it on the buglist? If someone can steal a) my cookies and b) my history, I don’t want to know what can happen if I just visited a webshop to buy some stuff, my bank account to do some financial stuff and my emailaccounts!

Quite ironic that I ordered your book to learn more about javascript, while at the same time I have started to browse with javascript disabled (with the ff plugin).

So how can this happen? Are there no limits to what js can do? I mean, cookies, history,.. can everybody read my c: disk as well? And why? Why should js have access to my browser history or whatever else? Isn’t javascript supposed to do something with the html-document I just downloaded, nothing more, nothing less?

By: mediaFetish

mediaFetish — Mon, 21 Aug 2006 22:29:45 +0000

Wow. Brilliant approach - never would have thought of that. Very nicely done. That is concerning.