Saturday, December 4, 2010

Browser Privacy: CSS History Sniffing In the Wild

Via (The Not-So-Private Parts Blog) -

YouPorn is one of the most popular sites on the Web, with an Alexa ranking of 61. Those who visit the homemade-porn featuring site — essentially, a YouTube for porn enthusiasts — are subject to scrutiny, though, of the Web tracking variety. When a visitor surfs into the YouPorn homepage, a script running on the website checks to see what other porn sites that person has been to.

How does it work? It’s based on your browser changing the color of links you’ve already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,” meaning you’ve clicked them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some easy-to-break cryptography.*

The porn site is not alone in its desire to know what other websites visitors have visited. A group of researchers from the University of California – San Diego trolled through the Web’s most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”

The popular finance website Morningstar was one of those that made the list of sites that run the script to check to see where else their visitors have been; its site checked to see if someone has been to, Edmunds, and 46 others.


The researchers who wrote the paper identifying this practice call it “history hijacking” or “history sniffing.” Mozilla, the foundation behind Web browser Firefox, calls it the “CSS: visited history bug.” It’s a bug that’s been discussed in developer circles for over a decade. Some browsers have fixed the bug. If you’re surfing using Chrome or Safari, this script doesn’t work. Firefox has fixed it in its newest version (v4 Betas). Internet Explorer, the most popular browser out there, is vulnerable to the history sniffing (though you can prevent it by going through the slightly onerous step of activating InPrivate Browsing, according to a spokesperson. That feature also blocks ad networks’ cookies, reports Business Insider.)


YouPorn Sued for Sniffing Browser History

A site for sharing pornographic content is the target of a lawsuit accusing it of improperly checking what other Web sites visitors had used.

Defendants David Pitner and Jared Reagan, both of Newport Beach, Calif., accuse YouPorn operator Midstream Media of the Netherlands of violating the U.S. Computer Fraud and Abuse Act and California's computer crime law; of engaging in deceptive and unfair business practices; and of unlawful and unfair competition.

The suit, filed Friday in U.S. District Court for the central district of California, accuses YouPorn of, among other things, "intentionally accessing plaintiffs'...computers without authorization." The plaintiffs are seeking class-action status, an injunction to stop the history sniffing practice, and payment for damages.


CSS History Sniffing - PoC


According to Jeremiah Grossman, the following browsers contain fixes for the CSS History Sniffing bug:
  • Firefox 4 (currently beta)
  • Google Chrome 8
  • Internet Explorer 9 (currently beta, Windows XP not supported)
  • Apple Safari 5

No comments:

Post a Comment