Highlights from Interbike 2014

New research finds browser history vulnerable to JavaScript snooping

By

December 5, 2010

Researchers from Jacobs School of Engineering at the University of California, San Diego h...

Researchers from Jacobs School of Engineering at the University of California, San Diego have just released the findings of the first empirical analysis of history sniffing online

Despite many of us willingly letting the online world have regular glimpses into our so-called private lives through social media portals, most would cry foul if such information was collected without our consent or knowledge. Researchers have just completed a study of scripting code contained within the documents used to display web pages in browsers and found evidence of something called history sniffing. This is where website owners gain access to browser history to track your progress around the web.

There's been quite a lot of discussion of late about the privacy issues surrounding history sniffing but the study by researchers from Jacobs School of Engineering at the University of California, San Diego is believed to be the first empirical analysis of history sniffing online.

"Nobody knew if anyone on the Internet was using history sniffing to get at users' private browsing history. What we were able to show is that the answer is yes," said University of California, San Diego computer science professor Hovav Shacham.

Colorful history

You may have noticed when hopping from site to site around the web that some links are shown in blue and others in purple. The former color is often used to indicate site yet to be visited and the latter, those which you've already been to. Some websites are embedded with special JavaScript code that has a sneaky peek at the browser history and looks for evidence of that color change to record where you've been recently.

This information can then be used by website owners to check if you've been comparing their page or products with any competitors and develop an appropriate marketing strategy. For instance, say you're shopping for a new laptop and are looking to compare prices. If you land on a web page that's using the JavaScript sniffing code, the owner of that page would be able to learn which competitors you've been checking out - without your knowledge – and perhaps adjust pricing to suit.

Nothing wrong with that, you might say, helps to push prices down and encourages competition to the benefit of consumers. Well, yes – it could all be quite innocent but what if the code was used by some unsavory character to build user profiles for phishing scams? If someone were to learn which online banking service you used for example, then a fake page could be set up and an authentic-looking email sent to your webmail Inbox. You then click on the link and there goes your login details.

University of California, San Diego's computer science professor Sorin Lerner said: "We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."

Identifying the sniffers

The dynamic flow engine for JavaScript was developed by Ph D student Dongseok Jang and used by the researchers to crawl through the top-ranked websites, according to Alexa global website rankings. The tool analyzed the code running on a web page and identified and tagged all instances where the browser history was being checked. They found that 485 of the 50,000 sites checked used code to inspect the style properties that can be used to infer the browser's history.

Although most of the tagged information never got sent over the network back to company servers, the researchers "confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100." What was done with the data once it got back to the website owners is not known.

While not posing as significant a risk to privacy as, say, malware or session hijacking, Stracham said that "history sniffing is unusual in effectively allowing any site you visit to learn about your browsing habits on any other site, regardless if the two sites have any business relationship."

He thinks that "people who have updated or switched browsers should now worry about things other than history sniffing, like keeping their Flash plug-in up to date so they don't get exploited. But that doesn't mean that the companies that have engaged in history sniffing for the currently 60 percent of the user population that is vulnerable to it should get a free pass."

Keeping up to date

The researchers point out that the latest versions of some browsers – such as Firefox, Chrome and Safari – now block history sniffing, but others (most notably Internet Explorer) do not. They recommend keeping up to date with the latest versions of web browsers to make sure that you benefit from any newly implemented security measures.

The paper entitled An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications was presented at the 2010 ACM Conference on Computer and Communications Security recently.

About the Author
Paul Ridden While Paul is loath to reveal his age, he will admit to cutting his IT teeth on a TRS-80 (although he won't say which version). An obsessive fascination with computer technology blossomed from hobby into career before the desire for sunnier climes saw him wave a fond farewell to his native Blighty in favor of Bordeaux, France. He's now a dedicated newshound pursuing the latest bleeding edge tech for Gizmag.   All articles by Paul Ridden
3 Comments

This is very old news. Most modern browsers aren't vulnerable to this form of information disclosure.

Facebook User
5th December, 2010 @ 08:17 pm PST

"History Sniffing" only works when they are looking for an "exact" url.

So if you went to abc.com/news, the javascript would not know it if it looked for abc.com.

Seems relatively benign, the code has been out there for some time, not newsworthy.

I don't see it as being an issue. Anyone disagree?

abe
6th December, 2010 @ 10:17 am PST

Just one more reason not to use IE !!!!

Will, the tink
12th December, 2010 @ 02:06 am PST
Post a Comment

Login with your gizmag account:

Or Login with Facebook:


Related Articles
Looking for something? Search our 28,492 articles