Saturday, September 24, 2011

Security Hack

Just an interesting hack that people could use.
Step 1:
Write a web page. On the page, put a bunch of links that you care about. Make them hidden, though.

Step 2:
Create a style sheet and set up a link visited font and color. Doesn't really matter which one, you just have to know it.
Like this:
a:visited { color : red; }
a { color : orange; }

Step 3:
In the web page, write some client-side script that loops through each of the hidden links, checks its color (you can use this: element.style.color), and compares it to the color of the visited link in step 2. If the colors are the same, that means the link has been visited.
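
Seen from the defending side, the three steps leave recognisable traces in a page's source. The scanner below is an added example, not code from the original post: it flags a page only when all three signals appear together. The function name, the regexes and the minLinks threshold are assumptions, and it also matches getComputedStyle and currentStyle reads, which goes slightly beyond the element.style.color read mentioned in step 3.

```javascript
// Added example: heuristic scanner for the three signals in steps 1-3.
// Function name, regexes and the minLinks threshold are assumptions.
const HIDDEN_CSS = /display\s*:\s*none|visibility\s*:\s*hidden/i;
const HIDDEN_ATTR = /\shidden(?=[\s=\/>]|$)/i;
const isHidden = (s) => HIDDEN_CSS.test(s) || HIDDEN_ATTR.test(s);

function findHistoryProbe(html, minLinks = 3) {
  // Step 2: a rule that gives :visited links their own colour.
  const visitedRule = /:visited\s*\{[^}]*\bcolor\s*:/i.test(html);

  // Step 1: count anchors hidden by a (non-nested) wrapper or by their own tag.
  let hiddenLinks = 0;
  const wrappers = /<(div|span|ul|p)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
  const rest = html.replace(wrappers, (whole, tag, attrs, inner) => {
    if (!isHidden(attrs)) return whole;
    hiddenLinks += (inner.match(/<a\b/gi) || []).length;
    return "";
  });
  for (const tag of rest.match(/<a\b[^>]*>/gi) || []) {
    if (isHidden(tag)) hiddenLinks++;
  }

  // Step 3: script that reads a colour back from the DOM.
  const scripts = (html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || []).join("\n");
  const colorRead = /\.style\.color\b|getComputedStyle\s*\(|\.currentStyle\b/.test(scripts);

  const suspicious = visitedRule && colorRead && hiddenLinks >= minLinks;
  return { visitedRule, hiddenLinks, colorRead, suspicious };
}

// Constructed sample pages (not captured from any real site).
const probePage = `
<style>a:visited { color : red; } a { color : orange; }</style>
<div style="display:none">
  <a href="https://example.com/cars">1</a>
  <a href="https://example.org/loans">2</a>
  <a href="https://example.net/insurance">3</a>
</div>
<script>
  var links = document.getElementsByTagName("a");
  for (var i = 0; i < links.length; i++) { report(links[i].style.color); }
</script>`;
const benignPage = `
<style>a:visited { color : purple; }</style>
<p><a href="https://example.com/about">About</a></p>
<script>document.title = "hello";</script>`;

console.log(findHistoryProbe(probePage));
console.log(findHistoryProbe(benignPage));
```

A :visited colour rule on its own is ordinary styling, which is why the benign page is not flagged even though that one signal is present.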

Now, for every person who hits your site, you know a lot about their browser history.

If you sell cars, you can tell if the visitor has been looking for cars. Or... whatever interests you. If you're a site that hosts some free service, you can partner with companies who provide your ads to figure out which product(s) or services the visitor may be willing to buy.

It's a kind of slimy way to profile a site visitor. And kind of a slimy way to be profiled.
Next time, I'll maybe post a way to get even more data on the visitor.

Meanwhile, you can see a nice post on it here:
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/

Mozilla has some plugins to help with this. And that's a good thing.
--kevin
