...you are a magnificent bastard.
On Sun, May 5, 2013 at 5:43 PM, Michal Zalewski <[email protected]> wrote:
> I guess this may be somewhat amusing...
>
> As you probably know, most browser vendors have fixed the ability to
> enumerate your browsing history through the CSS :visited
> pseudo-selector. The fix severely constrains the styling possible for
> visited links, and hides it from APIs such as
> window.getComputedStyle() [1].
>
> The fix does not prevent attackers from extracting similar information
> through cache timing [2], or by examining onerror / onload events for
> scripts and images loaded from sites to which you may be logged in.
> Nevertheless, the :visited attack is particularly versatile and
> reliable, so several people have tried to circumvent the fix by
> showing the user a set of hyperlinked snippets of text that, depending
> on the browsing history, will blend with the background or remain
> visible on the screen. Their visibility can be then indirectly
> measured by seeing how the user interacts with the page.
>
> The problem with these attacks is that they are either unrealistic, or
> extremely low-throughput. So, here is a slightly more interesting
> entry for this contest. The PoC works in Chrome and Firefox, but
> should be easily portable to other browsers:
>
> http://lcamtuf.coredump.cx/yahh/
>
> The basic idea behind this inferior clone of Asteroids is that we hurl
> a lot of link-based "asteroids" toward your spaceship, but you only
> see (and take down) the ones that correspond to the sites you have
> visited. There are several tricks to maintain immersion, including
> some proportion of "real" asteroids that the application is sure are
> visible to you. The approach is easily scalable to hundreds or
> thousands of URLs that can be tested very quickly, as discussed here:
>
> http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html
>
> Captain Obvious signing off,
> /mz
>
> [1] https://developer.mozilla.org/en-US/docs/CSS/:visited
> [2] http://lcamtuf.blogspot.com/2011/12/css-visited-may-be-bit-overrated.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
