Odd...
I tried it and it got 17 sites which it claims is all it could find but a quick check of my browser history shows over 30 unique sites. It couldn't work out I'd visited the BBC news site, or Groklaw or several other sites.
A new website aims to draw increased attention to one of the web's longest-running privacy defects: The ability for any site owner to effortlessly steal a complete copy of your recent browsing history. As we've pointed out before, the problem is as old as the world wide web itself, and unless people take precautions, it …
>>> Indeed, Start Panic's snoop script was rendered impotent until NoScript was instructed to allow the site to run javascript. We're still dumbfounded Internet Explorer doesn't offer a similar capability.
How about simply disabling javascript for the Internet zone and adding trusted sites on which you want to allow Javascript to the trusted sites list? Granted this is a newfangled feature that IE has only offered for the past decade or so and which unlike Noscript doesn't place an annoying yellow bar at the bottom of your browser, but it's exactly what Noscript does.
Hmmm.
Konqueror(4.2.2)'s javascript is so broken that the applet won't run properly. Security through interoperability, that is called ;-)
Firefox(3.0.10) was only giving up the sites it had been to that session (Google [my start page] and startpanic itself).
...
A little trippy through my bookmarks menu and some random clicking off to side links from those places didn't seem to change the list of "I know everything" from the first two it displayed. So more like <Manuel>I know NOTHING</Manuel> from what I can see - I visited Google, Wowee, you can work out my whole life from that!
Boy it was an effort:
* startpanic.com
* fav Darths & Droids
* fav Schlock Mercenary, the Online Comi...
* fav Home of Gibson Researc...
* fav LinuxDevices.com -- All About Linu...
* fav Compare prices - Australia - Pric...
* fav The Register: Sci/Tech News for th...
* fav AnandTech: your source for hardwar...
* fav Science news and science jobs from...
* fav Virtual worlds, avatars, 3D chat, ...
* fav Tom's Hardware: Hardware News, Tes...
That is from visiting over 50 sites: it is VERY hit-and-miss! I am very much wondering just what the criteria is for a site to be stored in such a way that it can be read out of the history cache while others are not?????
It doesn't grab my whole browsing history, what it misses is just as interesting as what it includes, but it does grab sites I opened in distinct separate tabs, I can't quite see the logic behind what it displays and what it misses?
Still, I am quite upset this info is available for them that knows to be able to see,
(for picky buggers I am running the latest V of Opera on Linux)
Start Panic figured out ten of the eleven sites I'd visited since midnight when I have IE8 set to erase the history every 24 hours. I don't know why it didn't notice Scroogle though. Then I tried a few with the InPrivate setting and it didn't see them either. Yes it's all very bad, but IE isn't quite as hopeless as you suggest.
A no return of any information revealed by startpanic.
This result gives me that little bit of added confidence that my constant use of NoScript and sole use of Firefox is the right way to go until browsers have a built in facility to prevent sites from collecting the extensive browsing data about me without my explicit permission.
In addition to using Noscript, I also ensure that the browser does not have the permission to collect 3rd party cookies, and that all data is cleared when I clear the browser, in addition to having google as a start page for all sites I head over to.
In adding to being responsible, I even went to the extent of removing Google Analytics & statcounter from a couple of websites I co-own, albeit, the inbuilt server stats and logs could still be activated and accessed but we don't feel it necessary or appropriate to sit and sieve through data.
I have decided not to sign the petition though, furthermore it would also seem inappropriate that the startpanic site allows you to be emailed of what other people are browsing, well that's my thoughts on the matter.
It works through CSS and JS, checking which links would show as having been visited rather than actually reading your history.
A list of the sites checked is at http://startpanic.com/db/db_en.txt and a readable code example of the technique is at http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
I have History disabled in Firefox, and have done the same in every browser I've ever used. It's not a feature I've ever needed or wanted, personally. The security and privacy issues are too significant for a feature I'm betting many people rarely, if ever, use.
I use IE8, and make no particular attempt to hide or clean my browsing history - granted, it contains a few references to Redtube, but as a 30 year old bloke, I'm not ashamed to admit to looking at the odd bit of porn.
This site identified a less-than-impressive two sites I'd visited - one was theirs (well, duh), and the other was badscience.net.
So where are all the others? I've visited hundreds since I last cleaned the history...
Hmmmmm, I'm not exactly a genius but it didn't pull up anything for me. I got a message saying Ready now? and then Correct? with nothing else showing?
I have, however, run Firefox with the following configuration:
AdBlocker
0 day history
No saved passwords
No third party cookies
Cookies kept only until I close Firefox
Deleting all personal data when I close Firefox
This behavior mystifies my 20 something co-worker who can't understand why I don't have all the social networking websites plugged into my browser with automatic login. Aside from I refuse to Twitter I got tired of explaining that even if you can keep someone else from using your computer that if that nugget is ever hacked you're SOL. As for this website I think the lack of anything in the cache was what caught it. Then again maybe I got it on a bad day.
However I'm sure the let's-download-every-little-bauble crowd will have lots of interesting stuff show on their scans.....
Genius or not, that'll do the trick nicely. I always set browsers up in this way myself and got the same results from Startpanic [1] with three other tabs open on different sites, El Reg being one of them. Not so much a vulnerability, rather the browser developers pandering to the trackers and ad pimps. Those of us savvy enough will plug this hole (and a few others such as pre-fetching) as a matter of course.
[1] Well, it did detect that I was visiting their site. Big, fat, hairy deal. NoScript in global allow mode to give it a sporting chance, natch.
This can actually be run without javascript, meaning that noscript will not protect you. http://ha.ckers.org/weird/CSS-history.cgi then click the link underneath to see that your visited sites are logged. Although that list only checks 6 sites, there's no reason it couldn't be combined with the 10,000 from startpanic.
The only thing in firefox that could protect you from this is the safehistory plugin, as it stops links being highlighted as visited unless you have followed that link from the linking domain before.
"a website that demonstrates just how easy it is for a webmaster to detect every website contained in your browser history."
It cannot detect every website or URL in your browsing history. It loads a long list of domain names, such as http://startpanic.com/db/db_en.txt, and then creates a hidden iframe that contains various links built from those domain names. Then it checks the computed style attributes on those links to see which have been visited.
So, it may detect that you have been to youtube, but it has no way to tell which videos you saw or how many.
This is probably entirely unlinked, but if you attempt to use the startpanic site in Safari - it causes the app to crash....
A new level of protection from Apple perhaps? "We don't like some of the sites you've visited so we're not even going to show them"?
No - most likely another bug. ;-)
@Christian Vest Hansen
Thanks for explaining that, so it can only find websites that I've visited that IT knows about. So it's really a semi brute force dictionary attack on my browser looking for matching URLs.
So not really very impressive after all and it would explain why it didn't pick up on some of the sites I'd visited because they are not in their list in that file.
Now if it could tell I'd been to naughtynuns . com without knowing about the site and it didn't take 5 minutes to work that out, I'd be impressed, but as it is I don't think I'll be erasing my browsing history and worrying that third party websites will be able to work out just where I've been.
If you want to restrict javascript in Opera or IE -
Restricting javascript in Opera is easy enough:- Tools->preferences->advanced->content, and untick enable javascript. Then if you wish to allow javascript on the site you are visiting: Rightclick ->Edit site preferences->scripting->enable javascript. Simples!
Restricting it in Internet Explorer is slightly more complicated: you need to adjust the settings for IE's trusted sites down to the same level as the internet zone (medium-low), then either increase the internet zone level, or customise it to disable scripting. Javascript will then only run on sites that you add to the trusted zone.
These "history pilfering" scripts exploit the fact that browsers render visited links in a different colour. They add to the page whatever urls they wish to check so that they can inspect the rendered colour, which reveals if the URL is visited or unvisited.
Disabling javascript breaks too much of the web for me, but it would be nice if the browser developers fixed their browsers so that the unvisited link colour was always returned.
I mean, it's not really a hack or even pilfering, is it? It's just using the DOM for one of the things it was meant for - inspecting the styles of page elements.
Start Panic is reliant on the script knowing the specific URIs it wants to check and second, it can't determine *what* you did on each site it detects. For example, it can detect that you've been to http://www.google.com/ but it can't detect that you've been to http://www.google.com/search?q=something+naughty unless it specifically checks for that precise term. Given how many variations there can be on Google search URIs that give the same results, and that you'd then have to check the history for all those possible URI variations and then do the same for each TLD Google operates under, it'd take forever.
To be even relatively sure that you'd scanned the user's history accurately for even one search term, you'd probably have to probe the history hundreds if not thousands of times. It's hardly worth the effort, is it?
Come back when someone comes up with JS code to automatically extract all visits to http://www.google.com/* from the history. That will be news but of course, it will never happen (well, maybe in IE...)
I used to use the SafeHistory firefox plugin after reading about this issue previously on the register. Unfortunately that plugin hasn't been updated for firefox 3, but hopefully someone else will make a new plugin that does the same.
What I don't understand is if the safehistory plugin can hide the history from javascript like this, why can't firefox do it by default?
This sort of exploit is especially useful for seeing if your visitors have been to your competitors' websites. I notice that hostmonster website uses something similar to this to dynamically drop the price by $1 a month for their budget hosting if you've recently been to web hosting review websites.
Yahoo.com, El Reg, and StartPanic.com
All you really gotta do is set options in FF to remember nothing and to clear ALL private data at shut down. All of which appears to be the "new" stealth mode in FF 3.5.
It helps to run Ccleaner, Free Internet Window Washer, and Disk Cleaner on a schedule maybe once per day.
Sometimes it pays to be paranoid.
er, perhaps because adding sites to the Trusted Zone does FAR more than allow Javascript. I might want to let some gaming site run Javascript but that doesn't mean I trust it.
And by the way, what annoying yellow bar? noscript does no such thing - perhaps you have it misconfigured....
Even easier is to customise toolbar and take the "enable javascript" icon up there - simple to turn on and off whenever needed with just a mouse click - do the same with java and cookies etc. Firefox is better in this respect as it enables you to see all the scripts on a page - you may not want to enable them all under opera's blanket policy.
I ran it on IE8 under a fresh copy of Win7RC1 that I've had running for the last few days. Given that I imported my crap from my previous install, it should've had lots of trash to work with. (IE has my history from over 2 weeks ago.)
Instead the script took a minute or two to run, and then only popped up with 12 sites that I'd "visited". Two of which must be ad sites, since I've never even heard of them before. By comparison, IE's history says I've visited 11 sites today and 63 yesterday, 62 the day before and 54 the day before that.
Given that I don't have the greatest record for security practices, this is just pathetic really...
This hack has been around for years (the earliest reference I could find to it was 2005 in just a few minutes of searching). Has no one else realised that the registrant of "startpanic" is in Russia, and since they ask for your email address to "sign a petition", shouldn't this ring some very loud alarm bells?
A little research shows that this hack is limited in what it can discover at best, and is at least restricted to finding sites from a limited list, and even then it's not very accurate.
This is hardly groundbreaking news or a huge security/privacy issue. It smells like a scam to collect email addresses to me and it really has no place in The Register
>>>>er, perhaps because adding sites to the Trusted Zone does FAR more than allow Javascript. I might want to let some gaming site run Javascript but that doesn't mean I trust it.
>>>>>And by the way, what annoying yellow bar? noscript does no such thing - perhaps you have it misconfigured....
As one who talks about how I "misconfigure" noscript, I could point you to the same thing - Beyond disabling protected mode (which is vista and win7 only anyway) the trusted sites list by default allows very little more than the normal zone does anyway. And guess what, everything it does or doesn't allow is... you got it, configurable.
And the yellow bar noscript displays is this one, taken from a screenshot on noscript's own website:
http://software.informaction.com/data/noscript/ss2.png
That bar is enabled by default and has to be explicitly hidden to remove, so quite how you can say there's no such thing is a mystery..
Frankly this whole thing is a non-story, sure it's something that'd be nice for the browser developers to prevent but that website is clearly just scaremongering over something that really isn't very much of a security hole at all, and is perfectly preventable in ALL browsers, hell in IE you don't even need to alter your security settings, as said above it's simply a case of browsing with InPrivate enabled.
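
Added example, not part of the article or any comment: a small Node.js model of the link-colour reporting discussed in the thread, comparing the legacy behaviour with the "always return the unvisited colour" fix and a simplified SafeHistory-style rule as commenters describe it. The URLs, colours and the `visitLog` structure are constructed assumptions; no real browser API is used.

```javascript
// Model of visited-link colour reporting; not real browser code.
// All URLs and colours are constructed sample values.
const VISITED = 'purple', UNVISITED = 'blue';

// Simulated history: URL -> origins of the pages the link was followed from.
const visitLog = new Map([
  ['http://www.google.com/', new Set(['http://start.example'])],
  ['http://www.google.com/search?q=something', new Set(['http://www.google.com'])],
  ['http://www.bbc.co.uk/', new Set(['http://news.example'])],
  ['http://obscure-blog.example/', new Set(['http://www.google.com'])],
]);

// What the style engine reports to a page at `pageOrigin` under each policy.
const policies = {
  // Legacy behaviour: the real colour is exposed to any page that asks.
  legacy: (url) => (visitLog.has(url) ? VISITED : UNVISITED),
  // Fix requested in the thread: always report the unvisited colour.
  alwaysUnvisited: () => UNVISITED,
  // SafeHistory-style rule (simplified): visited only if the link was
  // previously followed from the asking page's own domain.
  sameOriginOnly: (url, pageOrigin) =>
    visitLog.has(url) && visitLog.get(url).has(pageOrigin) ? VISITED : UNVISITED,
};

// A page can only test URLs it already knows; it never enumerates history.
function reportedVisited(candidates, pageOrigin, policy) {
  return candidates.filter((u) => policies[policy](u, pageOrigin) === VISITED);
}

// Fixed candidate list, standing in for a db_en.txt-style dictionary.
const dictionary = [
  'http://www.google.com/',
  'http://www.bbc.co.uk/',
  'http://never-visited.example/',
];
const thirdParty = 'http://tracker.example';

for (const policy of Object.keys(policies)) {
  console.log(policy, reportedVisited(dictionary, thirdParty, policy));
}
// First-party styling still works under the SafeHistory-style rule.
console.log('first party', reportedVisited(
  ['http://www.google.com/search?q=something'], 'http://www.google.com', 'sameOriginOnly'));
```

Under the legacy policy only the two listed-and-visited sites are reported; the search URL and the obscure blog are never seen because they are not in the candidate list, which matches the hit-and-miss results commenters report.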