Site schools world+dog in browsing history pilfering

A new website aims to draw increased attention to one of the web's longest-running privacy defects: The ability for any site owner to effortlessly steal a complete copy of your recent browsing history. As we've pointed out before, the problem is as old as the world wide web itself, and unless people take precautions, it …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Stop

    Odd...

    I tried it and it got 17 sites which it claims is all it could find but a quick check of my browser history shows over 30 unique sites. It couldn't work out I'd visited the BBC news site, or Groklaw or several other sites.

  2. Alex
    Stop

    No IE solution?

    >>> Indeed, Start Panic's snoop script was rendered impotent until NoScript was instructed to allow the site to run javascript. We're still dumbfounded Internet Explorer doesn't offer a similar capability.

    How about simply disabling javascript for the Internet zone and adding trusted sites on which you want to allow Javascript to the trusted sites list? Granted this is a newfangled feature that IE has only offered for the past decade or so and which unlike Noscript doesn't place an annoying yellow bar at the bottom of your browser, but it's exactly what Noscript does.

  3. LaeMi Qian
    Thumb Down

    Konqueror and Firefox on Kubuntu

    Hmmm.

    Konqueror(4.2.2)'s javascript is so broken that the applet won't run properly. Security through interoperability, that is called ;-)

    Firefox(3.0.10) was only giving up the sites it had been to that session (Google [ my start page] and startpanic itself).

    ...

    A little trippy through my bookmarks menu and some random clicking off to side links from those places didn't seem to change the list of "I know everything" from the first two it displayed. So more like <Manuel>I know NOTHING</Manuel> from what I can see - I visited Google, Wowee, you can work out my whole life from that!

  4. LaeMi Qian
    Happy

    W00T! Got another

    After much hopping around I finally got it to acknowledge that I had been to Schlock Mercenary that session!!

    Do I win a prize?

  5. The Dorset Rambler
    Thumb Down

    Huh?

    Mine showed I'd been to startpanic.

    That was all.

    Awesome.

  6. Hywel Thomas

    Private Browsing

    I knew there was a good reason for having private browsing turned on. (Other than it being embarrassing if the Top Sites previews show NSFW content)

  7. LaeMi Qian

    Finally got a bit of a list up.

    Boy it was an effort:

    * startpanic.com

    * fav Darths & Droids

    * fav Schlock Mercenary, the Online Comi...

    * fav Home of Gibson Researc...

    * fav LinuxDevices.com -- All About Linu...

    * fav Compare prices - Australia - Pric...

    * fav The Register: Sci/Tech News for th...

    * fav AnandTech: your source for hardwar...

    * fav Science news and science jobs from...

    * fav Virtual worlds, avatars, 3D chat, ...

    * fav Tom's Hardware: Hardware News, Tes...

    That is from visiting over 50 sites: it is VERY hit-and-miss! I am very much wondering just what the criteria is for a site to be stored in such a way that it can be read out of the history cache while others are not?????

  8. Anonymous Coward
    IT Angle

    1 For Me

    It only shows one for me. Not running NoScript and that's just their site.

  9. Anonymous Coward
    Alert

    Seemed to work pretty well, but took forever...

    ...and I had to let NoScript give the site permission. It seemed to give up after displaying 15 sites I'd visited.

  10. Pete

    that is fascinating

    it doesn't grab my whole browsing history, what it misses is just as interesting as what it includes, but it does grab sites I opened in distinct separate tabs, I can't quite see the logic behind what it displays and what it misses?

    Still, I am quite upset this info is available for them that knows to be able to see,

    (for picky buggers I am running the latest V of Opera on Linux)

  11. Jonathan McColl

    MS terribler than the others?

    Start Panic figured out ten of the eleven sites I'd visited since midnight when I have IE8 set to erase the history every 24 hours. I don't know why it didn't notice Scroogle though. Then I tried a few with the InPrivate setting and it didn't see them either. Yes it's all very bad, but IE isn't quite as hopeless as you suggest.

  12. Tom
    Unhappy

    Panic button hit...but

    A no return of any information revealed by startpanic.

    This result gives me that little bit of added confidence that my constant use of NoScript and sole use of Firefox is the right way to go until browsers have a built in facility to prevent sites from collecting the extensive browsing data about me without my explicit permission.

    In addition to using Noscript, I also ensure that the browser does not have the permission to collect 3rd party cookies, and that all data is cleared when I clear the browser, in addition to having google as a start page for all sites I head over to.

    In adding to being responsible, I even went to the extent of removing google analytics & statcounter from a couple of websites I co-own, albeit, the inbuilt server stats and logs could still be activated and accessed but we don't feel it necessary or appropriate to sit and sieve through data.

    I have decided not to sign the petition though, furthermore it would also seem inappropriate that the startpanic site allows you to be emailed of what other people are browsing, well that's my thoughts on the matter.

  13. system

    RE: Odd...

    It works through CSS and JS, checking which links would show as having been visited rather than actually reading your history.

    A list of the sites checked is at http://startpanic.com/db/db_en.txt and a readable code example of the technique is at http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

  14. Anonymous Coward
    Thumb Up

    That porn site (or three) you visited last week...

    I have History disabled in Firefox, and have done the same in every browser I've ever used. It's not a feature I've ever needed or wanted, personally. The security and privacy issues are too significant for a feature I'm betting many people rarely, if ever, use.

  15. dave

    Not really that impressed

    I use IE8, and make no particular attempt to hide or clean my browsing history - granted, it contains a few references to Redtube, but as a 30 year old bloke, I'm not ashamed to admit to looking at the odd bit of porn.

    This site identified a less-than-impressive two sites I'd visited - one was theirs (well, duh), and the other was badscience.net.

    So where are all the others? I've visited hundreds since I last cleaned the history...

  16. Scott
    Stop

    Easily defeated?

    Hmmmmm, I'm not exactly a genius but it didn't pull up anything for me. I got a message saying Ready now? and then Correct? with nothing else showing?

    I have, however, run Firefox with the following configuration:

    AdBlocker

    0 day history

    No saved passwords

    No third party cookies

    Cookies kept only until I close Firefox

    Deleting all personal data when I close Firefox

    This behavior mystifies my 20 something co-worker who can't understand why I don't have all the social networking websites plugged into my browser with automatic login. Aside from I refuse to Twitter I got tired of explaining that even if you can keep someone else from using your computer that if that nugget is ever hacked you're SOL. As for this website I think the lack of anything in the cache was what caught it. Then again maybe I got it on a bad day.

    However I'm sure the let's-download-every-little-bauble crowd will have lots of interesting stuff show on their scans.....

  17. John Tserkezis

    I didn't do it.

    Among some sites I visited, it listed only a small portion of what I really did visit.

    Of those listed, it had many "Free" SMS sites, Advertising, and porn sites listed.

    I'm maintaining my innocence and saying "I didn't do it".

  18. Anonymous Coward

    ditto Scott

    Same as Scott -- security levels set to what any reasonable person would want.

    Result: blank page.

  19. spam

    For the curious

    Here's the list of sites it uses to check visited status against:

    http://startpanic.com/db/db_en.txt

    It can't detect sites that are not on this list.

  20. Steve

    Can't even find my current pages, never mind history

    It only found three sites and I had four tabs open in Firefox.

    The site it didn't find was hsx.com and I know for a fact that I've got a cookie for that site.

  21. Frank

    Head in the sand

    Do your surfing in a sandbox: http://www.sandboxie.com/

    You have to clean between your toes and other places when you've finished, but your hard drive contents are not altered.

  22. Anonymous Coward

    NoScript no help?

    Found six sites for me, and I am using both NoScript and Adblock Plus, as well as clearing history and so on when closing Firefox.

    Petition for the internet to be cleaned up? Hey, I did my bit to change the world in the sixties, and now look at it.

  23. Chronos
    Thumb Up

    @Scott

    Genius or not, that'll do the trick nicely. I always set browsers up in this way myself and got the same results from Startpanic [1] with three other tabs open on different sites, El Reg being one of them. Not so much a vulnerability, rather the browser developers pandering to the trackers and ad pimps. Those of us savvy enough will plug this hole (and a few others such as pre-fetching) as a matter of course.

    [1] Well, it did detect that I was visiting their site. Big, fat, hairy deal. NoScript in global allow mode to give it a sporting chance, natch.

  24. system

    Javascript

    This can actually be run without javascript, meaning that noscript will not protect you. http://ha.ckers.org/weird/CSS-history.cgi then click the link underneath to see that your visited sites are logged. Although that list only checks 6 sites, there's no reason it couldn't be combined with the 10,000 from startpanic.

    The only thing in firefox that could protect you from this is the safehistory plugin, as it stops links being highlighted as visited unless you have followed that link from the linking domain before.

  25. Anonymous Coward
    Pirate

    AhAh

    All it does is checks against its list of domains. The CSS sets the page's visited links to a different colour. And probably a different tag. And the JS scrapes the data.

  26. Christian Vest Hansen
    Boffin

    Not "every website" in browsing history

    "a website that demonstrates just how easy it is for a webmaster to detect every website contained in your browser history."

    It cannot detect every website or URL in your browsing history. It loads a long list of domain names, such as http://startpanic.com/db/db_en.txt, and then creates a hidden iframe that contains various links built from those domain names. Then it checks the computed style attributes on those links to see which have been visited.

    So, it may detect that you have been to youtube, but it has no way to tell which videos you saw or how many.

  27. Irate BT User
    Coat

    What History?

    Just disabled my Firewall (only Windows Firewall active), Ad Blocking Software & I still only get the startpanic Website?

    Mind you this Website doesn't employ any external Advertisements either does it? :)

    "Layered Defenses" against Third Party Websites :)

  28. Robert Simmons
    Stop

    Not on Safari 4...

    This is probably entirely unlinked, but if you attempt to use the startpanic site in Safari - it causes the app to crash....

    A new level of protection from Apple perhaps? "We don't like some of the sites you've visited so we're not even going to show them"?

    No - most likely another bug. ;-)

  29. Anonymous Coward
    Stop

    Re: Not "every website" in browsing history

    @Christian Vest Hansen

    Thanks for explaining that, so it can only find websites that I've visited that IT knows about. So its really a semi brute force dictionary attack on my browser looking for matching URLs.

    So not really very impressive after all and it would explain why it didn't pick up on some of the sites I'd visited because they are not in their list in that file.

    Now if it could tell I'd been to naughtynuns . com without knowing about the site and it didn't take 5 minutes to work that out, I'd be impressed, but as it is I don't think I'll be erasing my browsing history and worrying that third party websites will be able to work out just where I've been.

  30. Mel
    Dead Vulture

    Who needs noscript

    If you want to restrict javascript in Opera or IE -

    Restricting javascript in Opera is easy enough:- Tools->preferences->advanced->content, and untick enable javascript. Then if you wish to allow javascript on the site you are visiting: Rightclick ->Edit site preferences->scripting->enable javascript. Simples!

    Restricting it in Internet Explorer is slightly more complicated: you need to adjust the settings for IE's trusted sites down to the same level as the internet zone (medium-low), then either increase the internet zone level, or customise it to disable scripting. Javascript will then only run on sites that you add to the trusted zone.

    These "history pilfering" scripts exploit the fact that browsers render visited links in a different colour. They add to the page whatever urls they wish to check so that they can inspect the rendered colour, which reveals if the URL is visited or unvisited.

    Disabling javascript breaks too much of the web for me, but it would be nice if the browser developers fixed their browsers so that the unvisited link colour was always returned.
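
Added example, not part of any comment above and not Start Panic's code: a constructed JavaScript model (no DOM access) of the mechanism described in comments 13, 26 and 30. It compares the legacy behaviour with the two fixes mentioned in the thread, always reporting the unvisited colour and the SafeHistory rule as comment 24 describes it; the policy names, hosts and function names are assumptions made for the illustration.

```javascript
// Constructed model (no DOM): what script on a page learns about link state
// under three browser policies discussed in the comments above.
const UNVISITED = "blue";
const VISITED = "purple";

// history maps a visited URL to the set of origins the link was followed from.
// All hosts here are constructed sample data.
const sampleHistory = new Map([
  ["http://news.example/", new Set(["http://portal.example"])],
  ["http://shop.example/", new Set(["http://search.example"])],
  ["http://forum.example/", new Set(["http://portal.example"])],
]);

// The probing page can only ask about URLs it already knows about.
// forum.example is in the history but not in this list.
const candidateList = [
  "http://news.example/",
  "http://shop.example/",
  "http://unvisited.example/",
];

// Colour reported to page script for a link to `url` on a page at `pageOrigin`.
function reportedColour(policy, history, url, pageOrigin) {
  const referrers = history.get(url);
  switch (policy) {
    case "legacy": // visited state is exposed to script as-is
      return referrers ? VISITED : UNVISITED;
    case "always-unvisited": // script is always told the unvisited colour
      return UNVISITED;
    case "same-referrer": // visited only if followed from this origin before
      return referrers && referrers.has(pageOrigin) ? VISITED : UNVISITED;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// URLs from the candidate list that the page can tell were visited.
function leakedSites(policy, history, candidates, pageOrigin) {
  return candidates.filter(
    (url) => reportedColour(policy, history, url, pageOrigin) === VISITED
  );
}

// Compare the three policies for a page the user has never linked out from.
for (const policy of ["legacy", "always-unvisited", "same-referrer"]) {
  const leaked = leakedSites(policy, sampleHistory, candidateList, "http://snoop.example");
  console.log(policy.padEnd(17), JSON.stringify(leaked));
}
```

Under the legacy policy the model leaks only the visited sites that are also on the candidate list, which matches the hit-and-miss results reported earlier in the thread.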

  31. Jeremy
    Happy

    Not that interesting to be honest

    I mean, it's not really a hack or even pilfering, is it? It's just using the DOM for one of the things it was meant for - inspecting the styles of page elements.

    Start Panic is reliant on the script knowing the specific URIs it wants to check and second, it can't determine *what* you did on each site it detects. For example, it can detect that you've been to http://www.google.com/ but it can't detect that you've been to http://www.google.com/search?q=something+naughty unless it specifically checks for that precise term. Given how many variations there can be on Google search URIs that give the same results, and that you'd then have to check the history for all those possible URI variations and then do the same for each TLD Google operates under, it'd take forever.

    To be even relatively sure that you'd scanned the user's history accurately for even one search term, you'd probably have to probe the history hundreds if not thousands of times. It's hardly worth the effort, is it?

    Come back when someone comes up with JS code to automatically extract all visits to http://www.google.com/* from the history. That will be news but of course, it will never happen (well, maybe in IE...)

  32. Anonymous Coward
    Heart

    SafeHistory

    I used to use the SafeHistory firefox plugin after reading about this issue previously on the register. Unfortunately that plugin hasn't been updated for firefox 3, but hopefully someone else will make a new plugin that does the same.

    What I don't understand is if the safehistory plugin can hide the history from javascript like this, why can't firefox do it by default?

    This sort of exploit is especially useful for seeing if your visitors have been to your competitors websites. I notice that hostmonster website uses something similar to this to dynamically drop the price by $1 a month for their budget hosting if you've recently been to web hosting review websites.

  33. Havin_it
    Dead Vulture

    Misleading

    It doesn't "know" where you've been. It knows *whether* you've been to any of the sites in some list they came up with.

    I am disgusted with El Reg and am deleting you from my history cache!

  34. Anonymous Coward
    Pirate

    Don't Panic

    Startpanic.com name is registered in Saint-Petersburg Russia, registrant is in Minsk Belarus, site hosted on Amazon's Elastic Compute Cloud in the US.

    Shields up, ready the Transphasic torpedoes

  35. Doug Glass
    Go

    Found Three Sites

    Yahoo.com, El Reg, and StartPanic.com

    All you really gotta do is set options in FF to remember nothing and to clear ALL private data at shut down. All of which appears to be the "new" stealth mode in FF 3.5.

    It helps to run Ccleaner, Free Internet Window Washer, and Disk Cleaner on a schedule maybe once per day.

    Sometimes it pays to be paranoid.

  36. Anonymous Coward
    Happy

    @Alex - ie solution - not

    er, perhaps because adding sites to the Trusted Zone does FAR more than allow Javascript. I might want to let some gaming site run Javascript but that doesn't mean I trust it.

    And by the way, what annoying yellow bar? noscript does no such thing - perhaps you have it misconfigured....

  37. Anonymous Coward

    @ Mel wrt Opera javascript

    Even easier is to customise toolbar and take the "enable javascript" icon up there - simple to turn on and off whenever needed with just a mouse click - do the same with java and cookies etc. Firefox is better in this respect as it enables you to see all the scripts on a page - you may not want to enable them all under opera's blanket policy.

  38. pctechxp

    much ado about nothing

    simply use firefox and set it to purge all personal info when closed automatically.

    No troublesome add-ons required

    And for added security run it in a sandbox using something like sandboxie, sorted!

  39. Anonymous Coward
    Thumb Down

    Pathetic, really....

    I ran it on IE8 under a fresh copy of Win7RC1 that I've had running for the last few days. Given that I imported my crap from my previous install, it should've had lots of trash to work with. (IE has my history from over 2 weeks ago.)

    Instead the script took a minute or two to run, and then only popped up with 12 sites that I'd "visited". Two of which must be ad sites, since I've never even heard of them before. By comparison, IE's history says I've visited 11 sites today and 63 yesterday, 62 the day before and 54 the day before that.

    Given that I don't have the greatest record for security practices, this is just pathetic really...

  40. John Shaw
    Thumb Down

    Mr

    This hack has been around for years (the earliest reference I could find to it was 2005 in just a few minutes of searching). Has no one else realised that the registrant of "startpanic" is in Russia, and since they ask for your email address to "sign a petition", shouldn't this ring some very loud alarm bells?

    A little research shows that this hack is limited in what it can discover at best, and is at least restricted to finding sites from a limited list, and even then it's not very accurate.

    This is hardly groundbreaking news or a huge security/privacy issue. It smells like a scam to collect email addresses to me and it really has no place in The Register

  41. Rich
    Thumb Down

    Firefox is open source

    The guys who built StartPanic.com could stop whinging, download the source and make a fix. (Like making it impossible for script to discover link highlight states).

  42. Anonymous Coward
    Stop

    www.flubblyjubblies.com

    I never visited THAT site!

  43. Colin Millar

    I see a master local CSS plug in coming

    :link, :visited { color: blue; }

    I always hated that fecking default purple anyway - vlink coloring is for obsessive-compulsive listers

  44. Alex
    Unhappy

    @AC 10:50 10/05/2009

    >>>>er, perhaps because adding sites to the Trusted Zone does FAR more than allow Javascript. I might want to let some gaming site run Javascript but that doesn't mean I trust it.

    >>>>>And by the way, what annoying yellow bar? noscript does no such thing - perhaps you have it misconfigured....

    As one who talks about how I "misconfigure" noscript, I could point you to the same thing - Beyond disabling protected mode (which is vista and win7 only anyway) the trusted sites list by default allows very little more than the normal zone does anyway. And guess what, everything it does or doesn't allow is... you got it, configurable.

    And the yellow bar noscript displays is this one, taken from a screenshot on noscript's own website:

    http://software.informaction.com/data/noscript/ss2.png

    That bar is enabled by default and has to be explicitly hidden to remove, so quite how you can say there's no such thing is a mystery..

    Frankly this whole thing is a non-story, sure it's something that'd be nice for the browser developers to prevent but that website is clearly just scaremongering over something that really isn't very much of a security hole at all, and is perfectly preventable in ALL browsers, hell in IE you don't even need to alter your security settings, as said above it's simply a case of browsing with InPrivate enabled.

  45. jon
    IT Angle

    Meanwhile on the other side of the screen..

    I hope that I'm not the only one here who knows that there is a CGI version of this exploit.

  46. Anonymous Coward

    Alternative/better version of dontpanic

    http://linuxbox.co.uk/stealing-browser-history-with-javascipt-and-css.php

    I think it's better anyway - doesn't make my browser hang for half an hour like DP does
