By Paul Ridden
December 5, 2010
Despite many of us willingly letting the online world have regular glimpses into our so-called private lives through social media portals, most would cry foul if such information was collected without our consent or knowledge. Researchers have just completed a study of scripting code contained within the documents used to display web pages in browsers and found evidence of something called history sniffing. This is where website owners gain access to browser history to track your progress around the web.
There's been quite a lot of discussion of late about the privacy issues surrounding history sniffing, but the study by researchers from the Jacobs School of Engineering at the University of California, San Diego is believed to be the first empirical analysis of history sniffing online.
"Nobody knew if anyone on the Internet was using history sniffing to get at users' private browsing history. What we were able to show is that the answer is yes," said University of California, San Diego computer science professor Hovav Shacham.
Nothing wrong with that, you might say: it helps to push prices down and encourages competition to the benefit of consumers. Well, yes – it could all be quite innocent, but what if the code was used by some unsavory character to build user profiles for phishing scams? If someone were to learn which online banking service you used, for example, then a fake page could be set up and an authentic-looking email sent to your webmail inbox. You then click on the link and there go your login details.
University of California, San Diego's computer science professor Sorin Lerner said: "We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."
Identifying the sniffers
Although most of the tagged information never got sent over the network back to company servers, the researchers "confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100." What was done with the data once it got back to the website owners is not known.
While not posing as significant a risk to privacy as, say, malware or session hijacking, Shacham said that "history sniffing is unusual in effectively allowing any site you visit to learn about your browsing habits on any other site, regardless if the two sites have any business relationship."
He thinks that "people who have updated or switched browsers should now worry about things other than history sniffing, like keeping their Flash plug-in up to date so they don't get exploited. But that doesn't mean that the companies that have engaged in history sniffing for the currently 60 percent of the user population that is vulnerable to it should get a free pass."
Keeping up to date
The researchers point out that the latest versions of some browsers – such as Firefox, Chrome and Safari – now block history sniffing, but others (most notably Internet Explorer) do not. They recommend keeping up to date with the latest versions of web browsers to make sure that you benefit from any newly implemented security measures.