[thelist] Interesting new Browser history sniffing trick

Lee kowalkowski lee.kowalkowski at googlemail.com
Tue Aug 22 16:19:53 CDT 2006


On 22/08/06, Christian Heilmann <codepo8 at gmail.com> wrote:
> Now, Jeremiah Grossman found a way around that:
> http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

Very nice indeed, but not *quite* finding a way to get the URLs out of
the browser window (session) history.

This lists hand-picked URLs that the user has visited since the
relevant cache was cleared / purged, but depending on the attacker's
goal, this is even better, because it has a higher chance of
qualifying a victim.

1/ Detect customer of banking corp.  2/ Display interesting article
containing a link to the said bank about anything that would encourage
the reader to follow it, e.g. Free MP3 player if you're current
balance ends in ".93".  3/ Present fake/proxy login page.

Scary.

-- 
LK



More information about the thelist mailing list