malevolent design weblog

This blog is now defunct, but you can find more stuff over at my personal site

They Know Where You Browse

Did you realise that for years people have been aware that web sites can detect which pages you’ve previously visited, and this privacy hole is still unpatched in all major browsers? Shocking, eh? Give it a try.

It’s a fiendishly simple information leak. Browsers treat visited links differently, with CSS allowing styling through a:visited, but this gives the game away. By cleverly styling a long list of links to different sites, then detecting this styling with JavaScript, a page can secretly grab your browser history and send it back to the server. Some advertisers must salivate uncontrollably at the mere thought of unleashing such power.

The thing is, there’s no way around it without either abandoning the whole idea of visited links, or disabling/crippling JavaScript (many of those commenting on the Mozilla bug report haven’t fully understood how wide-ranging a fix would need to be). So it’s not so shocking; as happens so often with security issues, we’re accepting a minor problem rather than suffering an inconvenient solution.
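The combination described above (visited-link styling, a script that reads the rendered style back, and a list of links to other sites) can be checked for statically when reviewing a page or a third-party script. The following JavaScript is an added example, not code from the original post; the function names, the three-host threshold and both sample pages are constructed for illustration.

```javascript
// Added example: static heuristic for the a:visited read-back pattern.
// Function names, the threshold and both sample pages are constructed.

// Collect capture group 1 of every match of a global regex.
const grab = (text, re) => [...text.matchAll(re)].map((m) => m[1]);

function extractParts(html) {
  return {
    css: grab(html, /<style[^>]*>([\s\S]*?)<\/style>/gi).join("\n"),
    js: grab(html, /<script[^>]*>([\s\S]*?)<\/script>/gi).join("\n"),
    hrefs: grab(html, /<a\s[^>]*href\s*=\s*["']([^"']+)["']/gi),
  };
}

// Distinct external hosts named in link targets or in script string literals
// (a probing page may build its link list at run time instead of in markup).
function probedHosts(hrefs, js) {
  const inScript = grab(js, /["'](https?:\/\/[^"']+)["']/gi);
  const hosts = grab([...hrefs, ...inScript].join("\n"), /^https?:\/\/([^\/:?#\s]+)/gim);
  return new Set(hosts.map((h) => h.toLowerCase()));
}

function assessPage(html, minHosts = 3) {
  const { css, js, hrefs } = extractParts(html);
  const signals = {
    visitedRule: /:visited\b/i.test(css + js), // visited links styled apart
    styleReadback: /\bgetComputedStyle\s*\(|\.currentStyle\b/.test(js), // style read back
    manyHosts: probedHosts(hrefs, js).size >= minHosts, // links span unrelated sites
  };
  // Each signal alone is ordinary; the leak needs all three together.
  return { suspicious: Object.values(signals).every(Boolean), signals };
}

// Constructed sample: an ordinary page that only styles visited links.
const BENIGN = `<style>a:visited { color: purple; }</style>
<a href="http://site-a.example/">a</a> <a href="/about">about</a>
<script>document.title = "home";</script>`;

// Constructed sample: visited styling, style read-back and a list of other sites.
const SUSPECT = `<style>a:visited { color: rgb(255, 0, 0); }</style>
<a href="http://site-a.example/">a</a> <a href="http://site-b.example/">b</a>
<script>
var extra = ["http://site-c.example/"];
for (var i = 0; i < document.links.length; i++) {
  var c = getComputedStyle(document.links[i], null).color;
}
</script>`;

console.log(assessPage(BENIGN), assessPage(SUSPECT));
```

A hit is a prompt for manual review, not proof: externally loaded stylesheets and scripts are not fetched here, so they would have to be passed through the same check separately.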


