Turns out that this CSS exploit has been known for a very long time
(reported on Firefox in 2002), and remains unresolved [1]. It does have
serious implications: The more you know about the user, the easier it is
to con them [2], or perhaps you'd like to sound out your visitors'
political inclinations [4].

Simple exploits are provided by Markus Jakobsson [2] and Daniel Tsadok
[3]. For a bit of good, honest fun, see how delicious.com users have
tagged your browsing history [5].

1. https://bugzilla.mozilla.org/show_bug.cgi?id=147777
2. https://www.indiana.edu/~phishing/browser-recon/
3. http://yodayid.blogspot.com/2006/08/css-exploit.html
4. http://petewarden.typepad.com/searchbrowser/2008/08/can-i-guess-you.html
5. http://petewarden.typepad.com/searchbrowser/2008/08/a-tag-cloud-for.html

Yup. Security is difficult. Every little feature opens new opportunities
for exploits.

Gabriella Turek wrote:
http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/