It's ba-ack. Exploit revives slain browser history bug

A Google researcher has resurrected an attack that allows website operators to steal the browsing history of visitors almost a year after all major browser makers introduced changes to close the gaping privacy hole. Proof-of-concept code recently posted by Google security researcher Michal Zalewski works against the majority of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    So presumably, no cache means it doesn't work. I never have a cache turned on. It generally doesn't bother me if a page loads in 1 second or 10.

    1. Error Message Silver badge
      Holmes

      Maybe

      I always have Firefox set to not cache anything. But IE won't let you do that, and unfortunately occasionally one finds websites that only work with IE (here in the US, usually government sites).

      1. Nick Thompson

        You could use the InPrivate browsing mode in IE? That either doesn't cache, or it clears it when you close the browser.

    2. Anonymous Coward

      Goody for you

      I never connect to the internet so it doesn't bother me either, duh

  2. volsano

    Noscript is your friend

    Simple workaround with many spin off benefits: treat your computer as a production machine,

    So no running of arbitrary programs -- especially Javascript ones -- unless you have (at best) got a QA certificate for the specific scripts being run; or (at worst) have a QA certificate vouching for the code from the site that has supplied the code.

    Even today -- where the best we can do is whitelists of sites we trust to supply Javascript code -- using Noscript adds an important layer of security to the machines we use every day.

    But it is time that Javascript is recognised as an attack vector and is subject to mandatory QA checks before it is allowed through firewalls.

    1. Anonymous Coward

      How is that supposed to work?

      Do you expect some entity is going to manually check every piece of Javascript code on the net for potential security issues? Who do you think is going to pay for that?

      As for NoScript, it seems to lead to a lot of the following behavior: Go to website; notice site doesn't work properly; glance at a couple hundred kb of usually uncommented, commonly cryptic, occasionally obfuscated Javascript code; tell NoScript to load everything or whitelist the site. Which really isn't much of an improvement in security.

      1. BlueGreen

        re: How is that supposed to work?

        Yes, idiot web designers use it indiscriminately. Noscript breaks them. I choose not to use those sites and if I have to then it runs in a VM. I'm prepared to make that tradeoff for security.

        "tell NoScript to load everything or whitelist the site. Which really isn't much of an improvement in security"

        Obviously security isn't a priority to you as you freely discard it. Your choice, your responsibility, your hackage, that's fine but please don't whinge about it.

    2. BlueGreen

      Agreed. 90% of the time the problem is jscript. Solution is noscript

      But we keep going through this every time, don't we.

      People: turn off scripting. Do it now, get used to it being off. If you don't want to, don't moan here if you get sniffed/hacked. It's your tradeoff.

      (@volsano: noscript or a high-level proxy is the right place to block jscript; a firewall typically works at a much lower level)

      (@them who disable caching: that can significantly increase the load on the servers, hence their cost to run, which isn't fair on the majority of sites who don't abuse your browse)

  3. The Fuzzy Wotnot
    Joke

    I'm surprised Google want to divulge this!

    Wrongly or rightly, it would be worth a lot more to them if they kept this to themselves!

    1. Ru
      Big Brother

      Why would they care?

      Most of the internet seems to run urchintracker. They get all the data they need, and in rather more detail than this sort of snooping trick.

  4. Anonymous Coward

    Ha

    No surprise that it affects IE but I was a little surprised to find that other browsers were affected because as everyone knows, MS software is full of security holes!

  5. Anonymous Coward

    Interesting

    Didn't work for me, even with all the noscript-type stuff disabled. The only sites it claimed it found were twitter and facebook, which I don't use.

    I like the way the attack tries to work, though, very neat. I am sure it has traction in some cases.

    1. Sporkinum

      Facebook and Twitter will show up if you don't block their buttons on other sites.

  6. Charles 9

    This one is tricky.

    Because caching to speed page loads is an actual FEATURE of most browsers, dating all the way back to the dialup days when pages loaded slower than molasses, even without lots of images and whatnot. This script seems to exploit this FEATURE to determine if it's been cached previously. And for those who say don't use JavaScript, I suspect this is merely used as a means to the end. I strongly suspect it (with the right coding) could be done completely SERVER-SIDE and therefore beyond MOST means to block or even detect it (because it doesn't have to use an IFRAME--think two obligatory IMG tags--say a header and a footer--and timing the difference between each one's call; that would get all but the Lynx users, and I suspect even cleverer coding could get even them).

  7. Anonymous Coward

    Delete browser history on exit. Delete temp files on exit.

    Open new instance for each site you wish to visit.

  8. kryptonaut

    Will this work in practice?

    Surely once one website has tried to use this exploit, the cache will end up preloaded with the sites that were tested so the results will not be valid/reliable for subsequent trials?

    1. Kanhef

      Yes

      If you look at the comments in his source code, you'll note that it cancels the requests before they can be completed if the site hasn't been cached. So it doesn't pollute its results if run repeatedly, and doesn't leave traces of having been run (aside from the script itself being cached, of course).
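
The following is a toy simulation, added here and not part of this thread or of Zalewski's proof of concept, of the timing signal Charles 9 and Kanhef describe: a cached subresource loads much faster than an uncached one, cancelling the slow requests keeps the cache unpolluted across runs, an ad-blocked resource is misread as visited (bobdobbs's observation below), and a cache partitioned by top-level site, which browsers adopted later as a defence, leaves the probing page nothing to measure. The site names, URLs and millisecond constants are constructed assumptions.

```python
"""Toy model of a cache-timing history probe and the defences discussed above.

Constructed example: not Zalewski's proof of concept and not real browser code.
The millisecond constants, site names and URLs are assumptions chosen to make the
signal easy to see; a real cache has far noisier timings.
"""
from dataclasses import dataclass, field

NETWORK_MS = 120.0   # assumed latency of an uncached fetch
CACHE_MS = 2.0       # assumed latency of a cache hit
BLOCKED_MS = 0.5     # an ad-blocker refusing the request returns almost instantly
THRESHOLD_MS = 20.0  # the probe calls anything faster than this "cached"

# Constructed candidate list: (label, subresource the probe would time).
CANDIDATES = [
    ("example-news", "https://example-news.test/logo.png"),
    ("example-shop", "https://example-shop.test/cart.js"),
    ("example-social", "https://example-social.test/widget.js"),
]


@dataclass
class Browser:
    """Minimal cache model: a set of keys, optionally partitioned by top-level site."""
    partitioned: bool = False
    blocked: set = field(default_factory=set)
    cache: set = field(default_factory=set)

    def _key(self, top_site, url):
        # Partitioned (double-keyed) cache: entries fetched while visiting site A
        # are invisible to a page on site B, so cross-site timing reveals nothing.
        return (top_site, url) if self.partitioned else (None, url)

    def visit(self, site, urls):
        """The user navigates to `site`; its subresources land in the cache."""
        for url in urls:
            self.cache.add(self._key(site, url))

    def fetch(self, top_site, url, abort_after_ms=None):
        """Return the simulated load time; a fetch is cached only if it completes."""
        if url in self.blocked:
            return BLOCKED_MS
        key = self._key(top_site, url)
        if key in self.cache:
            return CACHE_MS
        if abort_after_ms is not None and abort_after_ms < NETWORK_MS:
            return abort_after_ms  # cancelled before completion: nothing is stored
        self.cache.add(key)
        return NETWORK_MS


def probe(browser, probing_site, candidates=CANDIDATES, abort=True):
    """Classify each candidate as 'cached' from its load time, as a page on probing_site."""
    limit = THRESHOLD_MS if abort else None
    return {
        label: browser.fetch(probing_site, url, abort_after_ms=limit) < THRESHOLD_MS
        for label, url in candidates
    }


def scenarios():
    """Run the situations raised in the thread and return their classifications."""
    visited = [CANDIDATES[0][1]]
    out = {}

    # 1. Shared cache: the one visited site stands out.
    b = Browser()
    b.visit("example-news", visited)
    out["shared"] = probe(b, "probe.test")

    # 2. Without cancelling, the probe itself fills the cache, so a second run
    #    reports everything as visited (kryptonaut's objection).
    b = Browser()
    b.visit("example-news", visited)
    out["polluted_first"] = probe(b, "probe.test", abort=False)
    out["polluted_second"] = probe(b, "probe.test", abort=False)

    # 3. Cancelling slow requests keeps repeated runs stable (Kanhef's point).
    b = Browser()
    b.visit("example-news", visited)
    probe(b, "probe.test")
    out["repeat_with_abort"] = probe(b, "probe.test")

    # 4. A blocked resource "loads" instantly and is misread as visited.
    b = Browser(blocked={CANDIDATES[2][1]})
    b.visit("example-news", visited)
    out["adblock_false_positive"] = probe(b, "probe.test")

    # 5. Partitioned cache: the visit is keyed to example-news, so the probe sees nothing.
    b = Browser(partitioned=True)
    b.visit("example-news", visited)
    out["partitioned"] = probe(b, "probe.test")
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

The model makes the defender's options explicit: disabling the cache or JavaScript removes the signal at a usability cost, whereas partitioning the cache by the top-level site keeps caching and still leaves every cross-site probe reading "not cached".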

  9. JDX Gold badge

    re:noscript

    Saying turning off JS is a solution is a bit like saying you can make a computer more secure by not letting users run any programs... JS _is_ the internet to a significant extent in these days of AJAX and non-static pages.

  10. ElReg!comments!Pierre

    Not too bothered

    The exploit does not work for me; plus, all versions give roughly the same (erroneous) results (i.e. the versions which are not supposed to work do not work worse than the one which is supposed to work). Also, same results after clearing the cache.

    Although to be honest there might or might not be a caching proxy between me and the wild wild web; if that is the reason, someone here lurvs Justin Bieber and someone else likes Playboy (I really hope they are not the same person).

  11. bobdobbs
    Meh

    failed for me

    Any site you have blocked via adblocker or similar will appear as "recently visited" in this test, since blocking is akin to "loading really fast" as far as your local cache is concerned.

  12. Mark Eaton-Park
    Stop

    No fair blaming IE for working as it should

    This example works by timing how long it takes the browsers to render the display; if the site has been cached then it is going to load quicker. This is a functional benefit to most surfing so yes you can turn off caching, most people have a decent connection now, but the next "vulnerability" will be DNS caching, shall we turn that off too?

    If you have problems with using noscript then don't, but as the previous post points out don't come b1tching to us that you failed to take reasonable measures of protection.

    Flash gets my vote for being worst vector

  13. Paul Woodhouse

    hmm...

    Doesn't this mean that you have to tell it what websites you want it to check for?... rather than just ask your computer which websites you've been to... if a NAT'd computer is behind a caching proxy, isn't it likely that you'll get the same results for every computer in that network as well...

    neat though...
