Leaky Browsers and Exploits

[pete_1967]

Interesting article about underhand tactics many sites use nowadays (hurrah for "Web 2.0" :P)

Test the security of your browser: http://whattheinternetknowsaboutyou.com/

Web bug reveals browsing history

Porn sites are among those hijacking the history files of visitors to their sites.

Porn sites are among the top users of a browser bug that reveals all the places people go online, finds research.

Carried out by computer science researchers at UC San Diego the study found 485 sites exploiting the bug.

The flaw gives sites access to all the other sites that user has visited. Many use it to target ads or see if users are patronising rivals.

The researchers said their work showed a need for better defences against history tracking.

The bug exploits the way that many browsers handle links people have visited. Many change the colour of the text to reflect that earlier visit.

This can be abused with a specially written chunk of code sitting on a website that interrogates a visitors browser to see what it does to a given list of websites. Any displayed in a different colour are judged to be those a user has already seen.

A survey of 50,000 of the web's most visited websites by the team from UC San Diego found 485 sites using this method to get at browser histories, 63 were copying the data it reveals and 46 were found to be "hijacking" a user's history.

The most popular site that uses the technique is adult site YouPorn. Many other porn sites use it too as well as sports, news, movies and finance websites.

The researchers also looked at other popular techniques that sites use to map and monitor what visitors do. Some, such as YouTube, run scripts that track the trail a user's mouse pointer takes on and across pages.

"Our study shows that popular Web 2.0 applications like mashups, aggregators, and sophisticated ad targeting are rife with different kinds of privacy-violating flows," wrote the researchers.

The researchers pointed out that some modern browsers, such as Chrome and Safari, are not vulnerable to history hijacking and that the most recent version of Mozilla has closed the loophole. Users of Internet Explorer can defeat the bug by turning on "private browsing".

Users can also check how much information they are leaking by visiting a webpage set up by security researchers that tries to grab their history.

Despite these safeguards, the researchers said there was a "pressing need to devise flexible, precise and efficient defenses" against the history hijacking technique.

The research team is now planning more in-depth work that it hopes will result in tools that will more comprehensively defend against attempts to exploit the bug.

http://www.bbc.co.uk/news/technology-11899092

Also remember that "private browsing" may not be so private after all: http://www.bbc.co.uk/news/technology-10891355

[marriedto51]

I read that article, too. Interesting stuff.

But when I try to connect to whattheinternetknowsaboutyou.com I just get timeouts... Perhaps what the internet knows about me it doesn't want to tell me.

I need to take a break now and sit on the sofa with my foil hat on.

[Lord Honk]

Yeah, that's a pretty nasty find. Can't even trust porn sites nowadays =/

On a more serious note, while I can understand that MS isn't known for it's fast bug fixing methods (it's a huge company that get's innumerable reports every day, one can argue about their efficiency fixing them), are, statistically, the other, more frequently updated and modified versions, like chrome or firefox, more likely to fix bugs like this "fast"? There's been some articles in recent history about numerous larger exploits and bugs that get patched up, but I'd like to know how the procedure works for less popular problems.

I could go to mozilla.org, browse their development forums or track bugzilla on the matter, but just asking here might be faster, in the hopes that there's someone more educated in that matter.

[bodhi.zazen]

s/browsers/browser

It seems this "exploit" applies to IE

The researchers pointed out that some modern browsers, such as Chrome and Safari, are not vulnerable to history hijacking and that the most recent version of Mozilla has closed the loophole.

If you want to see what information your browser is giving away, use a proxy judge

http://www.proxysecurity.com/proxy-judges.php

[bodhi.zazen]

The page in the link is up today.

I tested my browser.

First I had to allow javascript (I use noscript). Then I had to allow the page to reload (I got a warning in firefox).

The page "promised" to -

This page checks your browser history and determines which of the 5000 most popular Internet websites you've recently visited.

After all that, it identified 4 pages. considering I have over 100 tabs open at the moment, the fact that I currently have 10 cookies, and all the hassle I went thought to even get 4 I would say the exploit is a failure.

Reloading the page did not improve the results and eventually I was left with a black screen.

[pete_1967]

The page in the link is up today.

I tested my browser.

First I had to allow javascript (I use noscript). Then I had to allow the page to reload (I got a warning in firefox).

The page "promised" to -



After all that, it identified 4 pages. considering I have over 100 tabs open at the moment, the fact that I currently have 10 cookies, and all the hassle I went thought to even get 4 I would say the exploit is a failure.

Reloading the page did not improve the results and eventually I was left with a black screen.

Why don't you try again, let noscript block the javascript on it. Just wait, it will eventually stop and display the results as it did before. Once it has and shows those sites that are in the 50 most popular list (that's what it showed to you - sites in top 50 popularity) - if you have only visited 4 sites that are in that list, it can't display more.

When it stops, click the link titled "Full history search" on the left hand side under heading "General", and let it do its magic. Longer your history, longer it takes to scan but be patient.

Of course if you think there's no issue with your browser leaking its history to any website that wants to read it...

[bodhi.zazen]

Why don't you try again, let noscript block the javascript on it. Just wait, it will eventually stop and display the results as it did before.

Oh you are correct. I have to click the "allow" warning firefox gives me three times.

Something I would not do on an untrusted web site.

So yes, If I allow it to do it's magic it will work, sort of. Today it detects only 3 web sites, not four, so one of the four was lost from yesterday.

/me clicks full search history -> another allow --> long time loading ----> .......

How long should I wait ? It is taking a very long time ....

I will post back when the page loads anything (it has been 10 minutes or so).

[pete_1967]

Javascript enabled is lot faster way because it doesn't have to reload page for each search. It also takes time for that system to parse your history, compare it to its url database and generate the result page for you.

However, in the end of the day this isn't about how well whattheinternetknowsaboutyou.com implements the exploit, but about the fact that your browser history is (potentially is, or was if browser has been patched) available for everyone in the first place. For example on my FF 3.5.15 it easily reads the history.

[bodhi.zazen]

After a long delay I got:

No sites found in your history.

And no, I did not "cheat" by clearing my history or anything like that. My history for today currently has 171 items. One of the 4 items in my history today showed up yesterday, but does not today (yesterday I got 3, today I got 4) [Ubuntu forums if you must know]. My history file goes back over 6 months.

In trying some of the other links, I tried banks and what not and got:

Congratulations, we did not find anything in this category in your browser history.
Feel free to try our other browser history tests.

Which is not true as I visited my bank frequently (Christmas shopping, transferring funds, etc) most recently yesterday.

On the XXX link I got

Congratulations, we did not find anything in this category in your browser history.
Feel free to try our other browser history tests.

as well.

As I said originally, the only privacy I am using is privoxy + NoScript. I am not using any special privacy settings in firefox nor do I have any privacy extensions. I did not disable my css as suggested in that site. My extensions are simply NoScript, Optimize Google, ShowIP, Greasemonkey, and Firebug (on adblockpluc, do not need it with privoxy).

I am using some custom privacy and speed settings in privoxy (the default settings are slow and not as private as I like). With all the interest in Privacy I shall try to blog about such things in the next few days.

http://whattheinternetknowsaboutyou....solutions.html

To be honest, I am going to clear out my browser history (I had overlooked this little thing).

I am very comfortable with my privacy settings (and some recent fine tuning). I use a Proxy judge to review what I am sending and I am happy with what they show. I could limit it more, but doing so tends to break web sites. As it is now, with my current settings, my children can browse sites such as webkinz and other online children's sites, I can browse to my bank and various shopping sites, and I am reasonably confident my activities are about as private as can be (no such thing as complete anonymity you know).

UPDATE: When I allowed javascript (disabled Noscript) and reloaded the pages, they got 15 pages. They did not identify my bank (or any other "sensitive" sites).

Personally I think 15 pages after allowing all that access is very insensitive and is "good enough" for me, I probably have thousands of pages in my history, about 2500 pages per month X 6 + months, although some are obviously dups. 15 out of 1,000 sites = 1.5% of my web activity was tracked.

---------- Post added at 06:02 PM ---------- Previous post was at 03:45 PM ----------


Second update :

After clearing my history in firefox now all I see is:

Congratulations, we did not find anything in this category in your browser history.
Feel free to try our other browser history tests.

I currently have a page open to my bank, I have allowed javascript.

It seems all we need to do is a simple setting in firefox to disable history

Options -> Pricavy tab -> Clear the history, do not keep any history.



Clear out all those options , clear your history when ff closes.

Honestly, if you are concerned about privacy you should be using these options already.

[pete_1967]

Honestly, if you are concerned about privacy you should be using these options already.

*Sigh* The browser history is not supposed to be available to anyone else than the browser's user. That it is, is the problem, not whether or not the user knows how to clear it.

[bodhi.zazen]

*Sigh* The browser history is not supposed to be available to anyone else than the browser's user. That it is, is the problem, not whether or not the user knows how to clear it.

I understand, I just disagree with the severity of the "leak". The exploit certainly did not work as advertised and the world has not ended.

Specifically, despite claims to the contrary (se http://whattheinternetknowsaboutyou....solutions.html ), the exploit is in fact at least partially blocked by NoScript. In fact in my test, Noscript was completely effective (see my previous post, I had to allow JavaScript and reload the page).

Try it, install NoScript and visit:

http://whattheinternetknowsaboutyou.com/all

The entire page just hangs, even after I click the firefox warning.

I also received several warning messages from firefox I had to specifically allow in the first place.

It hangs at "Please wait, collecting data. Results will appear soon.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . "

Until I allow Javascript.

I would summarize the entire encounter as the exploit asking "May I see your history please?" When I answered "OK, go for it", OMG they saw my history.

It certainly is not any type of "drive by" exploit and they got nowhere unless I allowed them access to the information.

At the end of the day this amounts to a social exploit, or Phishing. The technique is as old as the hills.

The solution is quite trivial, anyone truly interested in privacy is almost certainly not affected to start with.

I should probably not tell you about all the other stuff people worry about such as cookies and what not.

[pete_1967]

I understand, I just disagree with the severity of the "leak". The exploit certainly did not work as advertised and the world has not ended.

Surprise surprise, I have noscript installed and even it blocking the scripting on that site, it manages to read my browser history. Now, how many users have noscript that doesn't even prevent the exploit, installed? Minority of web users.

Above aside, you still don't get the point: Browsers allowing information that is supposed to be private, such as history to be read by websites is serious, even if it was just one item in your history that they can read.

[bodhi.zazen]

Surprise surprise, I have noscript installed and even it blocking the scripting on that site, it manages to read my browser history. Now, how many users have noscript that doesn't even prevent the exploit, installed? Minority of web users.

Above aside, you still don't get the point: Browsers allowing information that is supposed to be private, such as history to be read by websites is serious, even if it was just one item in your history that they can read.

I suppose we will have to agree to disagree regarding the severity of the problem. You are right it should not happen, but neither should any of these either:

http://www.us-cert.gov/current/

I would turn the conversation more to "support" and mention to you that there are many methods you can use to improve your security and privacy.

When I use "the internet" I assume my activity is public knowledge unless I actively privatize it. Sad but true. IMO all too often people assume the opposite, they assume their activity is private when it is not.

If you are so inclined, try Privoxy. Firefox + Privoxy + NoScript work well for me (do not need AdBlock Plus) and is faster then TOR.

You might also like the TOR bundle, it is cross platform and runs from a flash drive (on both Windows and Linux).

http://www.torproject.org/projects/torbrowser.html.en

If you would like help increasing your privacy I would be happy to offer any advice I can.

Srware Iron works well as an alternate to Firefox, but the Chrome browsers have a few irritants so I prefer firefox at the moment (although in another few months I may switch).

http://www.srware.net/en/software_sr...me_vs_iron.php

You might also be interested in a few firefox extensions (Better privacy for one).

As far as the number of users using / not using NoScript - In my experience, most people who do not use NoScript do not care. Most people who have an interest in security or privacy both lock down their broswers and/or find NoScript fast.

[leigh123linux]

Surprise surprise, I have noscript installed and even it blocking the scripting on that site, it manages to read my browser history. Now, how many users have noscript that doesn't even prevent the exploit, installed? Minority of web users.

Above aside, you still don't get the point: Browsers allowing information that is supposed to be private, such as history to be read by websites is serious, even if it was just one item in your history that they can read.

It's easy enough to block without any addons like noscript.

[JamesNZ]

Porn sites are among those hijacking the history files of visitors to their sites.

Porn sites are among the top users of a browser bug that reveals all the places people go online, finds research.

No surprise there.
I got the "Congratulations, we did not find anything in this category in your browser history." thing too, notwithstanding that all my browsing history is automatically deleted at browser exit