3. June 2007, 19:44, by Maarten Manders

Hacking Your Browser History

Apparently, this hack has been around for a few months but it wasn’t before yesterday when it went all over the news: Even your browser history isn’t safe anymore. Jeremiah Grossman found a clever way to poke into a user’s browser history to check if he or she has visited a certain URI. All it takes is some Javascript code that adds a link to a URI and then checks if it has the :visited CSS pseudo-class. In fact, it doesn’t need Javascript, these guys already created a CSS version of it, exploiting the background image XSRF attack.

That sounds scary

Haven’t you ever wondered what sites your visitors use to visit? If there are any users on your page that also surf on a competitor’s page? Let me assure you, marketing guys do! It even gets worse: I could try to steal any information passed over GET, for example your online banking session id’s by using a brute force technique.

What to do?

Turning off Javascript is no solution. If you’re using Firefox, you should install the SafeHistory extension. There’s also an issue with the cache in Firefox, so this extension wouldn’t hurt, either. As a web application developer, there’s not much you can do. Try to keep important data out of GET. Also, consider using a digital signature in a cookie for safe transactions. You will, however, lose some friends then. :-)

Filed under: PHP,Programming,Web Development

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

© 2018 tilllate Schweiz AG - Powered by WordPress