Message-ID: <CAEW7ACmdCVfDYR8NTfYgJN5Z6ZwLg8sRXD81aUmAwTiVHVBLyQ@mail.gmail.com>
Date: Sun, 5 May 2013 19:13:12 -0700
From: Dan Kaminsky <dan@...para.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, websecurity@...appsec.org
Subject: Re: Using CSS :visited to steal your history (again, zzzz...)
...you are a magnificent bastard.
On Sun, May 5, 2013 at 5:43 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
> I guess this may be somewhat amusing...
>
> As you probably know, most browser vendors have fixed the ability to
> enumerate your browsing history through the CSS :visited
> pseudo-selector. The fix severely constrains the styling possible for
> visited links, and hides it from APIs such as
> window.getComputedStyle() [1].
>
> The fix does not prevent attackers from extracting similar information
> through cache timing [2], or by examining onerror / onload events for
> scripts and images loaded from sites to which you may be logged in.
> Nevertheless, the :visited attack is particularly versatile and
> reliable, so several people have tried to circumvent the fix by
> showing the user a set of hyperlinked snippets of text that, depending
> on the browsing history, will blend with the background or remain
> visible on the screen. Their visibility can then be indirectly
> measured by seeing how the user interacts with the page.
>
> The problem with these attacks is that they are either unrealistic, or
> extremely low-throughput. So, here is a slightly more interesting
> entry for this contest. The PoC works in Chrome and Firefox, but
> should be easily portable to other browsers:
>
> http://lcamtuf.coredump.cx/yahh/
>
> The basic idea behind this inferior clone of Asteroids is that we hurl
> a lot of link-based "asteroids" toward your spaceship, but you only
> see (and take down) the ones that correspond to the sites you have
> visited. There are several tricks to maintain immersion, including
> some proportion of "real" asteroids that the application is sure are
> visible to you. The approach is easily scalable to hundreds or
> thousands of URLs that can be tested very quickly, as discussed here:
>
> http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html
>
> Captain Obvious signing off,
> /mz
>
> [1] https://developer.mozilla.org/en-US/docs/CSS/:visited
> [2] http://lcamtuf.blogspot.com/2011/12/css-visited-may-be-bit-overrated.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/