I can see where you've been

Forum Moderators: open

Message Too Old, No Replies

I can see where you've been

Mix of JS and CSS can reveal where your visitor has been

Tastatura

8:25 am on Sep 24, 2006 (gmt 0)

Hi all,
I stumbled across this and am not sure if a lot of people are aware of this JS vulnerability / exploit although it has been reported as far back as 2002. Using a bit of CSS knowledge and some clever JS, webmasters can “see” which other sites their current visitors have been at. Although you can’t see every site the visitor has been at, it is possible to test against predetermined set of sites ( for example one could check if the visitor was at competitor site, etc.)

Info about this is available at (among other places):

[seclists.org...]
[crypto.stanford.edu...]
[cs.indiana.edu...]

There are few sites that run this script for educational purposes – just use your favorite SE ti find them

[edited by: Tastatura at 8:28 am (utc) on Sep. 24, 2006]

DrDoc

8:29 am on Sep 24, 2006 (gmt 0)

That is quite interesting and clever! The "vulnerability" is somewhat limited, although the privacy issue is the more disturbing, especially depending on sites employing such techniques.

Common browser behavior (which fulfills a purpose like it should) ... and now that can be used in an exploitatious manner. Talk about being stuck between a rock and a hard place.

Great find!

wildbest

2:27 pm on Sep 24, 2006 (gmt 0)

Excellent find!

... for example one could check if the visitor was at competitor site, etc.

However, that also means I have to place a link on my site pointing to competitor site... helping competitor rank higher on SERPs!

It would be quite nice if competitors place links on their sites pointing to ours! :)

moltar

4:40 pm on Sep 24, 2006 (gmt 0)

However, that also means I have to place a link on my site pointing to competitor site... helping competitor rank higher on SERPs!

You can: (a) cloak it, (b) insert it dynamically with JavaScript.

DrDoc

6:40 pm on Sep 24, 2006 (gmt 0)

The examples above utilize JavaScript to insert the links. You can even insert it dynamically that way inside a hidden div.

wildbest

7:10 pm on Sep 24, 2006 (gmt 0)

Whatever you do, you can not show the link to visitor's browser and hide it from search engines, because search engines very often visit your site as simple visitors!

skipfactor

8:33 pm on Sep 24, 2006 (gmt 0)

Wow, so my paranoid habit of hitting competitors from a clean tab/window was healthy after all.

DrDoc

8:44 pm on Sep 24, 2006 (gmt 0)

That depends on your browser settings. I have all my browsers set to clear the cache and history upon exit. But, otherwise a clean browser session may not matter, if the history (and thereby also "visited links" status) hasn't expired.

Hanu

4:07 am on Sep 25, 2006 (gmt 0)

You can't see WHICH sites have been visited but WHETHER a particular site was visited. You could of course create a huge page with links to many sites. But still, how useful is that?

DrDoc

7:21 am on Sep 25, 2006 (gmt 0)

Yes, it is probably important to make that distinction, to avoid confusion.

Nevertheless -- it arises concerns since that information is still available and can be abused.

moltar

2:15 pm on Sep 25, 2006 (gmt 0)

You can't see WHICH sites have been visited but WHETHER a particular site was visited

I'd clarify this even further. Not a SITE, but a URL. For example, if a visitor visited a:

http://www.example.com/green-widget.html

but you are checking against the (create the link to):

http://www.example.com

Then you will not get a positive answer, because the visitor might have entered the site through a deeper page, and never visited the homepage.

a123456

4:05 pm on Sep 25, 2006 (gmt 0)

You don't even need Javascript, if you are willing to put the links directly in your HTML. A background image set on a:visited will do the tracking for you.

DrDoc

4:17 pm on Sep 25, 2006 (gmt 0)

Not really, since it would not tell you _which_ URLs have been visited.

Tastatura

12:42 am on Sep 26, 2006 (gmt 0)

Granted I could of used different words to present the topic (site vs URL, etc), and probably would if I was to do it again (so point taken). However to me, potential privacy issues (as DrDoc already pointed out) that can arise from this are unsettling – basically data is easily obtainable and could be used for all kinds of purposes. Just to name the few that are already mentioned in the links from the original post:

-phishing attacks : malicious website can figure out which bank you are using ( and try to obtain your credentials using methods which are outside of the scope of this post). One only needs to figure out what is login URL, and check against that. Same/similar goes for webmail services, etc. and most other sites that require authentication.

-Profiling (very simplified case intended as an example only): health insurance company can try to figure out if you visited some sites regarding particular illness, etc.
Those are some of few basic examples – a little bit of imagination can provide more interesting (or disturbing) case scenarios.

I am not trying to make huge deal out of this but before I stumbled onto it I was unaware of it - perhaps good deal of people here were aware so this is not news to them.

lstrand

12:28 pm on Sep 28, 2006 (gmt 0)

WildBest,
If you use rel no follow on the links you should be ok with most search engines and not passing that valuable vote.

Best Regards