Browser History Sniffing Is Back

Discussion in 'privacy problems' started by marktor, Dec 4, 2011.

Thread Status:
Not open for further replies.
  1. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Interesting post at Slashdot:

    You can check out if your browser is affected here: http://lcamtuf.coredump.cx/cachetime/

    It seems to require Java, so NoScript users that have Java disabled are safe. This seems to only look for certain websites in a list. I wonder if there is any way this could be used to view your entire web history? Also, this exploit only shows what sites have been visited in your cache. So if you have your browser set to clear the cache on exit, it will only show the sites you visited this session.
     
    Last edited: Dec 5, 2011
  2. Digizik

    Digizik Registered Member

    Joined:
    Oct 28, 2011
    Posts:
    15
    Thank you for the link! My browser history/cache is safe! :D
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Doesn't seem to require Java for Chrome.

    EDIT: By design it has to try to look for specific sites - it can't just get all of them.
     
    Last edited: Dec 4, 2011
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ marktor

    Thanks for posting :thumb:

    Tested with IE6 & FF v3.6.14 after clearing my cache, & then ...

    Even though I visited the BBC to test, I did NOT visit Facebook or Twitter directly. The BBC has pages at both www's.

    So from what i could observe/gather, it "seems" as if a mixture of other mechanisms "might" be involved as well as CSS, such as Scripting/Java/Requests. Both www's "seemingly" using different approaches to try & achieve their aim.

    I don't have Java, & I tested with Scripting/Requests both disabled & enabled.

    ffpocns.gif

    ffpocSC.gif

    Also the other test linked to on there http://oxplot.github.com/visipisi/visipisi.html

    oxie6poc-scr.gif

    oxiFFpoc-scr.gif
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's definitely iffy at best and I'm not too worried.
     
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Not Java, but JavaScript. At least that's what I gathered from the comments over @ Slashdot.
     
  7. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    That wasn't too reliable when I went to it (showed sites I hadn't been to, etc.)

    This page only listed 3 sites I went to (there were over 20 in my history)

    http://wtikay.com/all
     