Most browsers silently expose intimate viewing habits

The vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. According to results collected from more than 271,000 visits to a site called What the internet knows about …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Stop

    Congratulations, we did not find anything in this category in your browser history.

    It's called Firefox Private Browsing*. Start using it sheeple!

    * Switch it on permanently by typing about:config into the location bar and setting the browser.privatebrowsing.autostart option to true.

  2. VeganVegan
    FAIL

    Indeed,

    it would be most embarrassing to let it be known that you visited Wenlock and Mandeville.

  3. Ray Simard

    HTTP response code, non-Javascript exploit

    I'm trying to think of a way an HTTP response could be used as an exploit. This is all I can think of:

    Rogue site includes some object from page it's testing for, maybe a graphic with width and height set to 1, like a web bug. Perhaps many of them. (It would probably be mandatory to do that; too many users would smell a rat if they regularly saw graphics unrelated to the site they're visiting.) If the browser comes back with 304, Not Modified, then that object is in the cache, disclosing that the user has been there, and probably recently, depending on the lifetime of items in the cache. This would work for any page at the site being tested that includes that object, not only the one the user actually visited, so a visitor to some page deep inside a domain which happens to include a logo that is included in most or all pages there would be detected simply by testing for the site's home page.

    If that's anything like the exploit, perhaps the browser could check for URLs pointing to objects at other domains with attributes in the link that seem designed to hide their presence from the user, and could then toss up a warning dialog. Google or kindred could add that kind of sign to the criteria they use to find dodgy sites for which they link to their "dangerous site" warning.

    1. Daf L

      Cached image?

      How would a website know the response code for an object requested by a user's browser to a third party site?

      This hack just uses the Visited link information to judge if a user has been there.

    2. SoltanGris
      FAIL

      Misinformation

      http://support.mozilla.com/en-US/kb/Private+Browsing

      Your post is misleading at best if read in context of the article.

      A clip from the above link states quite clearly:

      Note: Private Browsing prevents information from being recorded on your computer. It does not make you anonymous on the Internet.

      Firefox private browsing feature was and is not a means to prevent the sort of 'exploit'

      mentioned in the scary article.

      1. Anonymous Coward
        FAIL

        More misinformation

        @Misinformation. You cannot be more wrong:

        --

        http://whattheinternetknowsaboutyou.com/docs/solutions.html

        Your post is misleading at best if read in context of the article.

        A clip from the above link states quite clearly:

        You also can accomplish the same goal by using your browser's "private browsing" mode for all your Web browsing.

        Firefox private browsing feature is a means to prevent the sort of 'exploit' mentioned in the scary article.

        --

        The whole point of this attack is to find information that is recorded on your computer, and display it via visited links.

        You are Epic FAIL.
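Ray Simard's suggested heuristic (a page stuffed with links to other domains that are styled so the visitor never sees them) and Daf L's point that the leak rides on :visited link styling can be combined into a simple page scanner. The following is an added example, not code from the article, the demo site or any commenter; the two sample pages are constructed for the demo, and the threshold of 20 hidden external links is an arbitrary assumption.

```python
# Added example (not from the article, the demo site or any commenter): heuristic
# scanner for pages shaped for :visited history sniffing: many hidden links to other
# hosts plus a :visited CSS rule changing something a script or image fetch can observe.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline hiding styles only; links hidden via an external stylesheet class are missed.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
VISITED_RULE = re.compile(r":visited[^{]*\{([^}]*)\}", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, inline style) for every anchor and the text of <style> blocks."""
    def __init__(self):
        super().__init__()
        self.links, self.css, self._in_style = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], a.get("style") or ""))
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)

def scan(html, page_host, hidden_threshold=20):
    """Report counts; 'suspicious' when many hidden external links coincide with
    an observable :visited rule. The threshold is an assumed, tunable value."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = [(urlparse(h).hostname, s) for h, s in parser.links]
    external = [(h, s) for h, s in hosts if h and h != page_host]
    hidden = sum(1 for _, s in external if HIDDEN.search(s))
    props = " ".join(m.group(1) for m in VISITED_RULE.finditer(" ".join(parser.css)))
    observable = bool(re.search(r"background|color", props, re.I))
    return {"external": len(external), "hidden": hidden,
            "visited_rule_observable": observable,
            "suspicious": hidden > hidden_threshold and observable}

# Constructed sample pages: one shaped like a sniffing page, one ordinary.
SUSPECT = ("<style>a:visited { background: url(/probe) }</style>"
           + "".join(f'<a href="http://site{i}.test/" style="display:none">x</a>'
                     for i in range(25)))
BENIGN = ('<style>a:visited { color: purple }</style>'
          '<a href="http://news.test/">news</a><a href="/about">about</a>')
```

Run `scan(SUSPECT, "demo.test")` and `scan(BENIGN, "demo.test")` to compare the two reports; a real deployment would also need to resolve class-based hiding and external stylesheets.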

  4. Anonymous Coward
    Badgers

    Only one problem...

    It only checks a subcategory if the user already visited the main URL. I was able to pull up the local weather from www.weather.com without visiting the front page, so the algorithm didn't notice that I had been there. Once I clicked over to the front page it noticed that I'd been to some weather.com pages before.

    Personally, I never bother going to places like www.google.com. There's nothing useful there. As long as I tend to use the search box in my browser and find pages in the middle of sites using search engines this optimization isn't very helpful. While this might help with some well known sites that many people type into their browser instead of just searching inside of (e.g. Amazon.com, Fandango.com, Weather.com) it's still going to be limited in scope for major snooping.

    As far as the zip code goes, using an IP address to find the related ISP seems to work just as well and it's a lot faster too.

    1. Phil 54

      I had the same result...

      I tend to use the search box as well; I've added quite a few Mycroft plugins so I rarely need to go to a main page.

      About the only address I actually tend to type in the address bar is.... El Reg

  5. Pigeon

    Phew

    I haven't visited any popular web sites. This seems to include The Register (huh?). Lucky for me it didn't know which unpopular (or dubious) sites I briefly lurked on.

  6. amanfromMars 1 Silver badge

    Re: Congratulations Anonymous Coward Posted Friday 21st May 2010 02:53 GMT

    AC,

    Do you really believe/imagine, that whenever private/public information is so vital for public/private intelligence services and servers, one's history will not be made available/will be excluded from memory circuits for Provision of both Real and Virtual Currency and Power via Deep Packet Inspection, Digital Rights Management and Analytical MetaData Processing for PreTextual Use in Content Management Systems delivering the Present and Operating Systems ..... with Sublime Global Operating Device Leadership?

    Private Browsing is a Valuable Tool which Allows for the Truth to Shine Bright in the Light of Darkness and Self Deceit ..... with ITs Directing Searchlight Showing the Path of Secretive Ways by Virtual Means.

    In AI Geeky Nerd Vernacular, that would be Warranted an "All your Memes belong to Us" Moniker.

  7. Maverick
    FAIL

    pretty hopeless site to be honest

    zip code approximation? since I live in the UK that's approximate in the sense of the correct flippin' hemisphere?

    as I run NoScript I had to allow it to run in the first place, & then it could only locate sites that I trust (e.g. Reg) and then only the top page

    it couldn't even list my bank (a very big one) and I visit that pretty much every day

    this site is a waste of electricity

  8. SirTainleyBarking
    Stop

    Use Pron Mode

    *Ahem* "In private" for IE8, "Secure Browsing" in Firefox, etc

    Seems to stop it in its tracks

  9. jon 72

    I KnowWhere You Have Been

    Been telling folk about this for years, and here is a nice example http://glevum.x10.mx/pages/page_history.php

  10. Andrew Moore
    FAIL

    Well that's as useful as a chocolate teapot...

    It managed to identify random pages that I'd visited through google searches. And then told me of sites I'd visited "recently" which I hadn't been near for over a year.

  11. Paolo Marini
    Thumb Up

    Firefox protection

    you can already avoid this "history" problem by setting the following to "false" (in about:config)

    layout.css.visited_links_enabled

    1. Mayhem

      Well yes but...

      Well yes, but then you can't see where you've been either, which is one of the more useful things a web browser can do.

      That's the whole point of the 'exploit' - it relies on the fact that a helpful service can equally be a risk and fixing it asks people to trade off between security and convenience.

  12. Carrierbag Head

    Wouldn't this work?

    It's possible I'm partly speaking in technical ignorance on the issue, but I'd have thought a sensible solution, that doesn't affect website functionality too much, would be to implement a similar system to the "allow 3rd party cookies" settings option in web browsers. I.e. have an option in the web browser that limits a website to only be able to query your history for its own domain and sub domains, an "allow 3rd party web history queries" check box - which you'd naturally turn off to help protect your privacy. It wouldn't stop the same site from snooping on your past visits, of course, but it would stop rogue sites from data mining your whole web history.

    Would that work? I think it would, wouldn't it?

  13. Sam Tana
    Black Helicopters

    Oh noes!

    They know my postcode?!? The horror, the unspeakable horror!

  14. Dale Richards
    FAIL

    Slashdotted?

    Has the demo site been slashdotted? I can't get it to load.. :(

    1. The Flying Dutchman
      Happy

      Not slashdotted...

      ElRegged

  15. Anonymous Coward
    Anonymous Coward

    Opera too

    'Private browsing' in Opera 10.50 as well or read the Solutions page on What the Internet Knows About You.

  16. akalkakos
    Thumb Up

    SeaMonkey

    SeaMonkey 2.1a1 (Gecko rv:1.9.3a5pre) seems to mitigate that issue contrary to current version 2.0.4. See also http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/

  17. palinurus

    Re whattheinternetknowsaboutyou

    Excuse me, but I've come late to these comments and have not read all of them. I have tested the site http://whattheinternetknowsaboutyou.com and it doesn't seem to pick anything up, either using Firefox or IE. I have even visited 2 different adult sites and then immediately after the visits loaded the whattheinternet etc etc page and nothing appears. Is it a fraud?


Biting the hand that feeds IT © 1998–2019