lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALx_OUB8A+sAbkCip6fvvXnLRMvHE-KaLJzHRTYV8XE1=MvjKw@mail.gmail.com>
Date: Sun, 5 May 2013 17:43:24 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: websecurity@...appsec.org, 
 full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Using CSS :visited to steal your history (again,
	zzzz...)

I guess this may be somewhat amusing...

As you probably know, most browser vendors have fixed the ability to
enumerate your browsing history through the CSS :visited
pseudo-selector. The fix severely constraints the styling possible for
visited links, and hides it from APIs such as
window.getComputedStyle() [1].

The fix does not prevent attackers from extracting similar information
through cache timing [2], or by examining onerror / onload events for
scripts and images loaded from sites to which you may be logged in.
Nevertheless, the :visited attack is particularly versatile and
reliable, so several people have tried to circumvent the fix by
showing the user a set of hyperlinked snippets of text that, depending
on the browsing history, will blend with the background or remain
visible on the screen. Their visibility can be then indirectly
measured by seeing how the user interacts with the page.

The problem with these attacks is that they are either unrealistic, or
extremely low-throughput. So, here is a slightly more interesting
entry for this contest. The PoC works in Chrome and Firefox, but
should be easily portable to other browsers:

http://lcamtuf.coredump.cx/yahh/

The basic idea behind this inferior clone of Asteroids is that we hurl
a lot of link-based "asteroids" toward your spaceship, but you only
see (and take down) the ones that correspond to the sites you have
visited. There are several tricks to maintain immersion, including
some proportion of "real" asteroids that the application is sure are
visible to you. The approach is easily scalable to hundreds or
thousands of URLs that can be tested very quickly, as discussed here:

http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html

Captain Obvious signing off,
/mz

[1] https://developer.mozilla.org/en-US/docs/CSS/:visited
[2] http://lcamtuf.blogspot.com/2011/12/css-visited-may-be-bit-overrated.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ