CSS History Exploit Plugged?

Discussion in 'Black Hat SEO' started by applebutton, Nov 16, 2010.

  1. applebutton

    For a long time now there has been a CSS trick in which you could use CSS to find what websites a visitor to your site has in their history.

    An example of the code which does this can be found here: https://www.indiana.edu/~phishing/browser-recon/

    Obviously there are both white hat and black hat uses for this. However, now Safari and Chrome have blocked this by limiting what can be loaded from the CSS visited tag.

    Here is an article on Safari plugging the CSS history trick: http://www.theregister.co.uk/2010/06/08/safari_history_leak_fix/

    And here is one on Firefox about to do the same: http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/

    It seems to me that since the browsers will still allow you to change visited links' colors, there should be some workaround for this. Does anyone have any ideas?
     
  2. Grizzy

    Mozilla has been talking about this for almost a year now and they have yet to do anything about it. Microsoft doesn't seem to give a shit about it either. For whatever reasons, the two big guys on the block seem to be hesitant to fix this.
     
  3. applebutton

    Yeah, Mozilla is taking their time getting the fix out, but in that article I linked they say Firefox 4 will have the changes in it. That is going to leave just IE.

    I believe the way they are blocking it is by not allowing the CSS to run a background script and by communicating to JavaScript that all links are unvisited. How they are doing that, I don't know.

    Maybe a JavaScript expert could tell me if there is a way for JavaScript to look at a page and see what links are different colors?