[Nottingham] Websites know where you have been...
Mike Cardwell
nlug at lists.grepular.com
Sun May 2 10:19:03 UTC 2010

On 01/05/2010 14:13, Martin wrote:
> Folks,
>
> Yet another way that your web browsing life is recorded and divulged...
>
> This is a rather interesting exploit blocked for Firefox (that is still
> a vulnerability in all other browsers?) for the Beta2 release of
> Mandriva 2010.1:
>
> Firefox doesn't change the colour of visited links
>
> This option is disabled, in Mandriva, by default in Firefox-3.6 due to a
> privacy invading vulnerability where a web page can easily obtain info
> about users' browsing habits using a simple css or a javascript, using
> the "colour" status of ":visited" links. Note that this option wasn't
> available in Firefox versions older than 3.5.
>
> Links: https://bugzilla.mozilla.org/show_bug.cgi?id=147777
> http://support.mozilla.com/tiki-view_forum_thread.php?locale=hu&comments_parentId=438422&forumId=1
> http://davidwalsh.name/jquery-spyjax
>
> If you don't care about this vulnerability, you can revert this change
> by typing about:config in Firefox address bar then pressing Enter,
> search for layout.css.visited_links_enabled and double click it to
> change it to true.
>
> http://wiki.mandriva.com/en/2010.1_Errata#Firefox_doesn.27t_change_the_colour_of_visited_links
>
>
> Of concern? Worrying? Or are we all doomed in any case for however we
> use the web? Or just simply no worries?

This has been a known problem for quite some time. You don't even have
to use JavaScript, it can be done entirely within CSS. E.g.:

    a:visited {
        background-image: url('/user-has-visited-website-foo');
    }

There's a website which uses the trick to check if you've visited any
porn sites by testing shedloads of URLs:

http://didyouwatchporn.com/

I use a Firefox addon named "Link Status" to prevent the problem.

--
Mike Cardwell - Perl/Java/Web developer, Linux admin, Email admin
Read my tech Blog - https://secure.grepular.com/
Follow me on Twitter - http://twitter.com/mickeyc
Hire me - http://cardwellit.com/ http://uk.linkedin.com/in/mikecardwell
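
Added example, not part of the original post or thread: a small Node.js auditor that scans stylesheet text for :visited rules like the one quoted above, so a site owner or reviewer can spot third-party CSS that would reveal visited links. The function name auditVisitedRules, the COLOR_ONLY allow-list and the sample stylesheet are assumptions constructed for this example.

```javascript
// Properties treated as harmless on :visited (assumption for this example:
// colour changes only, nothing that can fetch a resource or change layout).
const COLOR_ONLY = new Set([
  'color', 'background-color', 'outline-color', 'column-rule-color',
  'border-top-color', 'border-right-color', 'border-bottom-color',
  'border-left-color', 'fill', 'stroke',
]);

// Regex-based scan, not a full CSS parser: finds "selector { declarations }"
// blocks and reports risky declarations on selectors that use :visited.
function auditVisitedRules(cssText) {
  const findings = [];
  // Strip comments so they cannot hide or fake a rule.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selector = m[1].trim();
    if (!/:visited\b/i.test(selector)) continue;
    for (const decl of m[2].split(';')) {
      const idx = decl.indexOf(':');
      if (idx === -1) continue; // empty or malformed fragment
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      if (/url\s*\(/i.test(value)) {
        // The request is sent only for visited links, so the server learns history.
        findings.push({ selector, prop, reason: 'fetches a URL only when the link is visited' });
      } else if (!COLOR_ONLY.has(prop)) {
        // Layout or size changes can be read back by script.
        findings.push({ selector, prop, reason: 'non-colour property on :visited' });
      }
    }
  }
  return findings;
}

// Constructed sample: the rule from the post, a harmless colour change,
// an unrelated :hover rule, and a layout change on :visited.
const SAMPLE = `
a:visited { background-image: url('/user-has-visited-website-foo'); }
a:visited { color: purple; }
a:hover   { background-image: url('/hover.png'); }
a#x:visited { width: 10px }
`;

console.log(auditVisitedRules(SAMPLE));
```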