
JavaScript and AJAX Forum

I can see where you've been
Mix of JS and CSS can reveal where your visitor has been
Tastatura
msg:3094738
8:25 am on Sep 24, 2006 (gmt 0)

Hi all,
I stumbled across this and am not sure if a lot of people are aware of this JS vulnerability / exploit, although it has been reported as far back as 2002. Using a bit of CSS knowledge and some clever JS, webmasters can “see” which other sites their current visitors have been at. Although you can’t see every site the visitor has been at, it is possible to test against a predetermined set of sites (for example, one could check if the visitor was at a competitor's site, etc.).

Info about this is available at (among other places):

[seclists.org...]
[crypto.stanford.edu...]
[cs.indiana.edu...]

There are a few sites that run this script for educational purposes – just use your favorite SE to find them.

[edited by: Tastatura at 8:28 am (utc) on Sep. 24, 2006]

 

DrDoc
msg:3094742
8:29 am on Sep 24, 2006 (gmt 0)

That is quite interesting and clever! The "vulnerability" is somewhat limited, although the privacy issue is the more disturbing, especially depending on sites employing such techniques.

Common browser behavior (which fulfills a purpose like it should) ... and now that can be used in an exploitative manner. Talk about being stuck between a rock and a hard place.

Great find!

wildbest
msg:3094869
2:27 pm on Sep 24, 2006 (gmt 0)

Excellent find!

... for example one could check if the visitor was at competitor site, etc.

However, that also means I have to place a link on my site pointing to the competitor's site... helping the competitor rank higher on SERPs!

It would be quite nice if competitors place links on their sites pointing to ours! :)

moltar
msg:3094997
4:40 pm on Sep 24, 2006 (gmt 0)

However, that also means I have to place a link on my site pointing to competitor site... helping competitor rank higher on SERPs!

You can: (a) cloak it, (b) insert it dynamically with JavaScript.

DrDoc
msg:3095081
6:40 pm on Sep 24, 2006 (gmt 0)

The examples above utilize JavaScript to insert the links. You can even insert it dynamically that way inside a hidden div.

wildbest
msg:3095126
7:10 pm on Sep 24, 2006 (gmt 0)

Whatever you do, you cannot show the link to the visitor's browser and hide it from search engines, because search engines very often visit your site as simple visitors!

skipfactor
msg:3095165
8:33 pm on Sep 24, 2006 (gmt 0)

Wow, so my paranoid habit of hitting competitors from a clean tab/window was healthy after all.

DrDoc
msg:3095176
8:44 pm on Sep 24, 2006 (gmt 0)

That depends on your browser settings. I have all my browsers set to clear the cache and history upon exit. But, otherwise a clean browser session may not matter, if the history (and thereby also "visited links" status) hasn't expired.

Hanu
msg:3095523
4:07 am on Sep 25, 2006 (gmt 0)

You can't see WHICH sites have been visited but WHETHER a particular site was visited. You could of course create a huge page with links to many sites. But still, how useful is that?

DrDoc
msg:3095617
7:21 am on Sep 25, 2006 (gmt 0)

Yes, it is probably important to make that distinction, to avoid confusion.

Nevertheless -- it raises concerns, since that information is still available and can be abused.

moltar
msg:3095939
2:15 pm on Sep 25, 2006 (gmt 0)

You can't see WHICH sites have been visited but WHETHER a particular site was visited

I'd clarify this even further. Not a SITE, but a URL. For example, if a visitor visited:

http://www.example.com/green-widget.html

but you are checking against (creating the link to):

http://www.example.com

then you will not get a positive answer, because the visitor might have entered the site through a deeper page and never visited the homepage.

a123456
msg:3096096
4:05 pm on Sep 25, 2006 (gmt 0)

You don't even need Javascript, if you are willing to put the links directly in your HTML. A background image set on a:visited will do the tracking for you.
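As an added example (not code from this thread), the audit below checks a stylesheet for the kind of `:visited` rule described in this thread: a `url()` in a `:visited` rule let older browsers leak visited state to the server, and modern browsers now restrict `:visited` to a small set of colour properties (the allowed list here is an assumption based on current browser behaviour). The sample stylesheet is constructed.

```javascript
// Added example, not from the thread: flag :visited rules that could reveal
// browsing history. Browsers now restrict what :visited may change (assumed
// colour-only list below); a url() in such a rule would, in an older browser,
// tell the server which links were visited just by which images it serves.
const ALLOWED_VISITED_PROPS = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'fill', 'stroke',
]);

// Minimal splitter for "selector { prop: value; ... }" blocks (no nested @media).
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    const selector = m[1].replace(/\/\*[\s\S]*?\*\//g, '').trim();
    const decls = m[2].split(';').map(d => d.trim()).filter(Boolean).map(d => {
      const i = d.indexOf(':');
      return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
    });
    rules.push({ selector, decls });
  }
  return rules;
}

// One finding per declaration in a :visited rule that could leak history.
function auditVisitedRules(css) {
  const findings = [];
  for (const { selector, decls } of parseRules(css)) {
    if (!/:visited\b/i.test(selector)) continue;
    for (const { prop, value } of decls) {
      if (/url\(/i.test(value)) {
        findings.push({ selector, prop, reason: 'url() load reveals visited state to the server' });
      } else if (!ALLOWED_VISITED_PROPS.has(prop)) {
        findings.push({ selector, prop, reason: 'property not allowed on :visited by modern browsers' });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet: one benign :visited rule and two leaky ones.
const SAMPLE_CSS = `
a:link { color: blue; }
a:visited { color: purple; }
#probe a:visited { background-image: url(/seen?u=example-competitor); }
.nav a:visited { display: none; }
`;
console.log(auditVisitedRules(SAMPLE_CSS)); // two findings: background-image, display
```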

DrDoc
msg:3096120
4:17 pm on Sep 25, 2006 (gmt 0)

Not really, since it would not tell you _which_ URLs have been visited.

Tastatura
msg:3096795
12:42 am on Sep 26, 2006 (gmt 0)

Granted, I could have used different words to present the topic (site vs URL, etc.), and probably would if I were to do it again (so point taken). However, to me the potential privacy issues (as DrDoc already pointed out) that can arise from this are unsettling – basically the data is easily obtainable and could be used for all kinds of purposes. Just to name a few that are already mentioned in the links from the original post:

- Phishing attacks: a malicious website can figure out which bank you are using (and try to obtain your credentials using methods which are outside the scope of this post). One only needs to figure out what the login URL is and check against that. The same/similar goes for webmail services, etc., and most other sites that require authentication.

- Profiling (very simplified case intended as an example only): a health insurance company can try to figure out if you visited some sites regarding a particular illness, etc.

Those are a few basic examples – a little bit of imagination can provide more interesting (or disturbing) scenarios.

I am not trying to make a huge deal out of this, but before I stumbled onto it I was unaware of it - perhaps a good deal of people here were aware, so this is not news to them.

lstrand
msg:3100351
12:28 pm on Sep 28, 2006 (gmt 0)

WildBest,
If you use rel="nofollow" on the links you should be OK with most search engines and not pass that valuable vote.

Best Regards
