Stealing Browser History with Javascript and CSS

A lesser known function in Javascript is currentStyle, which returns the CSS properties for an element in the document. Most web browser keep a record of visited URLs, so by setting different styles for a and a:visited, we can programatically determine if a link displayed in the document has previously been visited. Or, to put things more simply: your browser shows visited links in a different colour. Javascript can be used to spot that change in colour, hence tell if you've visited a particular site or not.

So all we need to do is generate a document containing thousands of different URLs, and inspect the style attributes for each. My method uses a list of URLs loaded into a hidden iframe. The list is then iterated though, and currentStyle called for each link. A less that honest webmaster could then pass the list of visited URLs back to the server (eg via AJAX) to snoop on a user's browsing history.

UPDATE: as of 2013, many browsers seem to have solved this issue. I've taken the tool offline, as Google was treating the huge number of links as spam









































Linux Services

Books

Code

vBulletin

Data

Fun Stuff

Blog

Pete's Shed




linux support email pete@linuxbox.co.uk
(+44) 07890 592198