[thelist] Interesting new Browser history sniffing trick

Christian Heilmann codepo8 at gmail.com
Tue Aug 22 05:11:20 CDT 2006


You can read out the window's browsing history via the history object,
but browser security settings prevent you from reading out the URLs;
all they allow you to do is read how many pages are in there and send the
user forward and backward via history.go().

Now, Jeremiah Grossman found a way around that:
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

What he does is take an array of links, set a style for visited links
and write them out to the page. He then compares the computed colour
of the links with the one defined in the style and thusly determines
that they are visited.
His example doesn't work in MSIE though.

Mine does, as I am using height and offsetHeight:
http://icant.co.uk/sandbox/nickhistory.html

The only browser where it doesn't work is Opera.

This is a security concern; however, it is not as bad as you might think it
is, as it is trial and error to guess full URLs, and banking URLs are
unique to the session anyway. What it does make a lot easier, though,
is phishing, as you could pop up a window with a logo of the bank that
is in your history to ask for your details. As newer browsers will
display the real location in the popup, this is harder to spoof;
however, you can still fake a popup with a layer ad.

-- 
Chris Heilmann
Book: http://www.beginningjavascript.com
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
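
The height/offsetHeight variant in the message above depends on a :visited rule being allowed to change layout. As an added example (not part of the original post and not code from either demo page), this Node.js sketch audits a stylesheet for :visited rules that set anything beyond the colour properties current browsers still honour on visited links; the function name, the property list and the sample CSS are assumptions made here.

```javascript
// Properties current browsers still apply to :visited links (colour only).
const COLOUR_ONLY = new Set([
  "color", "background-color", "border-color", "border-top-color",
  "border-right-color", "border-bottom-color", "border-left-color",
  "column-rule-color", "outline-color", "text-decoration-color",
  "text-emphasis-color", "fill", "stroke",
]);

// Return one finding per declaration in a :visited rule that changes
// something other than colour (and so could be measured from script).
function auditVisitedRules(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const rule = /([^{}]+)\{([^{}]*)\}/g;                  // innermost blocks
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selectors = m[1].split(",").map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of m[2].split(";")) {
      const colon = decl.indexOf(":");
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1).trim();
      if (property && !COLOUR_ONLY.has(property)) {
        for (const selector of selectors) {
          findings.push({ selector, property, value });
        }
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (not taken from either demo page).
const SAMPLE_CSS = `
  /* ordinary link colouring */
  a:link { color: #00f; }
  a:visited { color: #609; }
  #probe a { display: block; height: 1px; }
  #probe a:visited { height: 5px; color: #609 }
  @media screen { .nav a:hover, .nav a:visited { background-image: url(v.png); } }
`;

for (const f of auditVisitedRules(SAMPLE_CSS)) {
  console.log(`${f.selector}: ${f.property}: ${f.value}`);
}
```

A colour-only :visited rule produces no finding, so ordinary visited-link styling passes the audit unchanged.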


