[Nottingham] Websites know where you have been...

Mike Cardwell nlug at lists.grepular.com
Sun May 2 10:19:03 UTC 2010


On 01/05/2010 14:13, Martin wrote:

> Folks,
> 
> Yet another way that your web browsing life is recorded and divulged...
> 
> This is a rather interesting exploit blocked for Firefox (that is still
> a vulnerability in all other browsers?) for the Beta2 release of
> Mandriva 2010.1:
> 
>   Firefox doesn't change the colour of visited links
> 
> This option is disabled, in Mandriva, by default in Firefox-3.6 due to a
> privacy invading vulnerability where a web page can easily obtain info
> about users' browsing habits using a simple css or a javascript, using
> the "colour" status of ":visited" links. Note that this option wasn't
> available in Firefox versions older than 3.5.
> 
> Links: https://bugzilla.mozilla.org/show_bug.cgi?id=147777
> http://support.mozilla.com/tiki-view_forum_thread.php?locale=hu&comments_parentId=438422&forumId=1
> http://davidwalsh.name/jquery-spyjax
> 
> If you don't care about this vulnerability, you can revert this change
> by typing about:config in Firefox address bar then pressing Enter,
> search for layout.css.visited_links_enabled and double click it to
> change it to true.
> 
> http://wiki.mandriva.com/en/2010.1_Errata#Firefox_doesn.27t_change_the_colour_of_visited_links
> 
> 
> Of concern? Worrying? Or are we all doomed in any case for however we
> use the web? Or just simply no worries?

This has been a known problem for quite some time. You don't even have
to use JavaScript; it can be done entirely within CSS. E.g.:

a:visited {
   background-image: url('/user-has-visited-website-foo');
}

There's a website which uses the trick to check if you've visited any
porn sites by testing shedloads of URLs:

http://didyouwatchporn.com/

I use a Firefox addon named "Link Status" to prevent the problem.

-- 
Mike Cardwell - Perl/Java/Web developer, Linux admin, Email admin
Read my tech Blog -              https://secure.grepular.com/
Follow me on Twitter -           http://twitter.com/mickeyc
Hire me - http://cardwellit.com/ http://uk.linkedin.com/in/mikecardwell
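
Added example (not part of the original post or of any project it mentions): a small JavaScript scanner a reviewer could run over a stylesheet to flag the CSS-only pattern shown in the message above, i.e. a rule with a :visited selector whose declarations load a url(). The function names and the sample stylesheet are constructed for illustration, and the parser is deliberately simple (it does not handle braces inside strings).

```javascript
// Added example: flag style rules that fetch a URL only for :visited links.
// Constructed sample stylesheet; the third rule is the one quoted in the post.
const SAMPLE_CSS = `
/* constructed sample */
a:link { background: url(/icon.png); }
a:visited { color: purple; }
a:visited {
   background-image: url('/user-has-visited-website-foo');
}
@media screen {
  a.ext:visited, a:hover { background: url("/probe?u=1") }
}
`;

// Yield {selector, body} for every style rule, descending into at-rule
// blocks such as @media. Simplification: braces inside strings are not handled.
function* styleRules(css) {
  let i = 0;
  while (i < css.length) {
    const open = css.indexOf("{", i);
    if (open === -1) return;
    // Drop block-less at-rules (e.g. "@import ...;") preceding the selector.
    const prelude = css.slice(i, open).split(";").pop().trim();
    let depth = 1, j = open + 1;
    for (; j < css.length && depth > 0; j++) {
      if (css[j] === "{") depth++;
      else if (css[j] === "}") depth--;
    }
    const body = css.slice(open + 1, j - 1);
    if (prelude.startsWith("@")) yield* styleRules(body);
    else yield { selector: prelude, body };
    i = j;
  }
}

// Return one finding per url() declaration inside a rule with a :visited selector.
function findVisitedFetches(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // strip comments
  const decl = /([-\w]+)\s*:[^;]*?url\(\s*(['"]?)(.*?)\2\s*\)/gi;
  const findings = [];
  for (const { selector, body } of styleRules(css)) {
    const hits = selector.split(",").map(s => s.trim()).filter(s => /:visited\b/i.test(s));
    if (hits.length === 0) continue;
    for (const m of body.matchAll(decl)) {
      findings.push({ selector: hits.join(", "), property: m[1].toLowerCase(), url: m[3] });
    }
  }
  return findings;
}

console.log(findVisitedFetches(SAMPLE_CSS));
```

Only the two :visited rules that reference a url() are reported; the plain colour change and the a:link icon are not.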


