Most browsers silently expose intimate viewing habits

The vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. According to results collected from more than 271,000 visits to a site called What the internet knows about …

COMMENTS

This topic is closed for new posts.
Stop

Congratulations, we did not find anything in this category in your browser history.

It's called Firefox Private Browsing*. Start using it sheeple!

* Switch it on permanently by typing about:config into the location bar and setting the browser.privatebrowsing.autostart option to true.

3
2
FAIL

Misinformation

http://support.mozilla.com/en-US/kb/Private+Browsing

Your post is misleading at best if read in context of the article.

A clip from the above link states quite clearly:

Note: Private Browsing prevents information from being recorded on your computer. It does not make you anonymous on the Internet.

Firefox private browsing feature was and is not a means to prevent the sort of 'exploit' mentioned in the scary article.

0
1
FAIL

More misinformation

@Misinformation. You cannot be more wrong:

--

http://whattheinternetknowsaboutyou.com/docs/solutions.html

Your post is misleading at best if read in context of the article.

A clip from the above link states quite clearly:

You also can accomplish the same goal by using your browser's "private browsing" mode for all your Web browsing.

Firefox private browsing feature is a means to prevent the sort of 'exploit' mentioned in the scary article.

--

The whole point of this attack is to find information that is recorded on your computer, and display it via visited links.

You are Epic FAIL.

0
0
FAIL

Indeed,

it would be most embarrassing to let it be known that you visited Wenlock and Mandeville.

1
0

HTTP response code, non-Javascript exploit

I'm trying to think of a way an HTTP response could be used as an exploit. This is all I can think of:

Rogue site includes some object from page it's testing for, maybe a graphic with width and height set to 1, like a web bug. Perhaps many of them. (It would probably be mandatory to do that; too many users would smell a rat if they regularly saw graphics unrelated to the site they're visiting.) If the browser comes back with 304, Not Modified, then that object is in the cache, disclosing that the user has been there, and probably recently, depending on the lifetime of items in the cache. This would work for any page at the site being tested that includes that object, not only the one the user actually visited, so a visitor to some page deep inside a domain which happens to include a logo that is included in most or all pages there would be detected simply by testing for the site's home page.

If that's anything like the exploit, perhaps the browser could check for URLs pointing to objects at other domains with attributes in the link that seem designed to hide their presence from the user, and could then toss up a warning dialog. Google or kindred could add that kind of sign to the criteria they use to find dodgy sites for which they link to their "dangerous site" warning.

0
0
Bronze badge

Cached image?

How would a website know the response code for an object requested by a user's browser to a third party site?

This hack just uses the Visited link information to judge if a user has been there.

0
0
Badgers

Only one problem...

It only checks a subcategory if the user already visited the main URL. I was able to pull up the local weather from www.weather.com without visiting the front page, so the algorithm didn't notice that I had been there. Once I clicked over to the front page it noticed that I'd been to some weather.com pages before.

Personally, I never bother going to places like www.google.com. There's nothing useful there. As long as I tend to use the search box in my browser and find pages in the middle of sites using search engines this optimization isn't very helpful. While this might help with some well known sites that many people type into their browser instead of just searching inside of (e.g. Amazon.com, Fandango.com, Weather.com) it's still going to be limited in scope for major snooping.

As far as the zip code goes, using an IP address to find the related ISP seems to work just as well and it's a lot faster too.

0
1

I had the same result...

I tend to use the search box as well; I've added quite a few Mycroft plugins so I rarely need to go to a main page.

About the only address I actually tend to type in the address bar is.... El Reg

0
0

Phew

I haven't visited any popular web sites. This seems to include The Register (huh?). Lucky for me it didn't know which unpopular (or dubious) sites I briefly lurked on.

0
0
Silver badge

Re: Congratulations Anonymous Coward Posted Friday 21st May 2010 02:53 GMT

AC,

Do you really believe/imagine, that whenever private/public information is so vital for public/private intelligence services and servers, one's history will not be made available/will be excluded from memory circuits for Provision of both Real and Virtual Currency and Power via Deep Packet Inspection, Digital Rights Management and Analytical MetaData Processing for PreTextual Use in Content Management Systems delivering the Present and Operating Systems ..... with Sublime Global Operating Device Leadership?

Private Browsing is a Valuable Tool which Allows for the Truth to Shine Bright in the Light of Darkness and Self Deceit ..... with ITs Directing Searchlight Showing the Path of Secretive Ways by Virtual Means.

In AI Geeky Nerd Vernacular, that would be Warranted a "All your Memes belong to Us" Moniker.

1
2
FAIL

pretty hopeless site to be honest

zip code approximation? since I live in the UK that's approximate in the sense of the correct flippin' hemisphere ?

as I run NoScript I had to allow it to run in the first place, & then it could only locate sites that I trust (e.g. Reg) and then only the top page

it couldn't even list my bank (a very big one) and I visit that pretty much every day

this site is a waste of electricity

1
0
Stop

Use Pron Mode

*Ahem* "In private" for IE8, "Secure Browsing" in Firefox, etc

Seems to stop it in its tracks

0
1

I KnowWhere You Have Been

Been telling folk about this for years, and here is a nice example http://glevum.x10.mx/pages/page_history.php

0
0
Silver badge
FAIL

Well that's as useful as a chocolate teapot...

It managed to identify random pages that I'd visited through google searches. And then told me of sites I'd visited "recently" which I hadn't been near for over a year.

0
1
Thumb Up

Firefox protection

you can already avoid this "history" problem by setting the following to "false" (in about:config)

layout.css.visited_links_enabled

0
0

Well yes but...

Well yes, but then you can't see where you've been either, which is one of the more useful things a web browser can do.

That's the whole point of the 'exploit' - it relies on the fact that a helpful service can equally be a risk and fixing it asks people to trade off between security and convenience.

0
1

Wouldn't this work?

It's possible I'm partly speaking in technical ignorance on the issue, but I'd have thought a sensible solution, that doesn't affect website functionality too much, would be to implement a similar system to the "allow 3rd party cookies" settings option in web browsers. I.e. Have an option in the web browser that limits a website to only be able to query your history for its own domain and sub domains, an "allow 3rd party web history queries" check box - which you'd naturally turn off to help protect your privacy. It wouldn't stop the same site from snooping on your past visits, of course, but it would stop rogue sites from data mining your whole web history.

Would that work? I think it would, wouldn't it?

0
0
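
The "allow 3rd party web history queries" option proposed in the comment above, modelled as an added example; it is not part of the original thread and not any browser's actual code. The function names, the `.example` hostnames and the sample history are constructed, and "own domain and sub domains" is assumed to mean the page's hostname plus any hostname ending in `.` followed by that hostname, with no public-suffix handling.

```javascript
// Added example: a model of the commenter's proposed policy, not browser code.
// Assumption: first party = the page's hostname or a subdomain of it.
function sameSiteOrSubdomain(pageHost, linkHost) {
  const page = pageHost.toLowerCase().replace(/\.$/, "");
  const link = linkHost.toLowerCase().replace(/\.$/, "");
  // Compare on a label boundary so "evilshop.example" never passes
  // for a page on "shop.example".
  return link === page || link.endsWith("." + page);
}

// Decide whether a link on pageUrl may be treated as visited at all.
// With the option off, third-party links always look unvisited.
function visitedStateFor(pageUrl, linkUrl, history, allowThirdParty = false) {
  let page, link;
  try {
    page = new URL(pageUrl);
    link = new URL(linkUrl, pageUrl); // resolve relative links against the page
  } catch {
    return "unvisited"; // unparsable URLs never reveal history
  }
  if (!/^https?:$/.test(link.protocol)) return "unvisited";
  const firstParty = sameSiteOrSubdomain(page.hostname, link.hostname);
  if (!firstParty && !allowThirdParty) return "unvisited";
  return history.has(link.href) ? "visited" : "unvisited";
}

// Constructed sample history, stored as normalized URLs.
const sampleHistory = new Set([
  "https://www.weather.example/local/12345",
  "https://shop.example/",
  "https://news.shop.example/story",
]);

// Return the links on a page that the policy lets the page see as visited.
function auditPage(pageUrl, links, history, allowThirdParty = false) {
  return links.filter(
    (l) => visitedStateFor(pageUrl, l, history, allowThirdParty) === "visited"
  );
}
```

Under this model a page on an unrelated host learns nothing with the option off, while a site can still mark its own and its subdomains' links as visited, which is the trade-off the comment describes.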
Black Helicopters

Oh noes!

They know my postcode?!? The horror, the unspeakable horror!

0
0
FAIL

Slashdotted?

Has the demo site been slashdotted? I can't get it to load.. :(

0
0
Happy

Not slashdotted...

ElRegged

0
0
Anonymous Coward

Opera too

'Private browsing' in Opera 10.50 as well or read the Solutions page on What the Internet Knows About You.

0
0
Thumb Up

SeaMonkey

SeaMonkey 2.1a1 (Gecko rv:1.9.3a5pre) seems to mitigate that issue contrary to current version 2.0.4. See also http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/

0
0

Re whattheinternetknowsaboutyou

Excuse me, but I've come late to these comments and have not read all of them. I have tested the site http://whattheinternetknowsaboutyou.com and it doesn't seem to pick anything up, either using Firefox or IE. I have even visited 2 different adult sites and then immediately after the visits loaded the whattheinternet etc etc page and nothing appears. Is it a fraud?

0
0