Revisiting History Sniffing

Posted on by Eric Morinaga

As some of our readers are well aware, last year many leading browsers finally closed a major privacy hole involving browser history that has been around for more than ten years.  Essentially, would-be trackers used JavaScripts to scan links with functions like getComputedStyle() to determine whether each hyperlink was styled as a visited site or unvisited (e.g. visited links are often purple and unvisited are blue).  This practice represents a serious threat, since not only can stints of browsing history be logged, but individual users can be tracked and identified with ease (this is one of several ways you can be tracked without cookies).  Since this practice of changing styles for visited links has been around since the early days of web browsing, Mozilla, Google, and other browser competitors worked hard last year to maintain the functionality while plugging up this age-old privacy concern.

A recent endeavor at Stanford University’s Security Lab found more sobering information on the reach and capability currently employed by trackers such as Epic Marketplace (formerly known as Traffic Marketplace).  The lab found that the scripts used on affected sites were very fast and loaded thousands of links in invisible iframes so few users would ever notice them.  Whenever the browser window closed, the scripts sent off their findings and also stored their progress in scanning links with a cookie.  In order to avoid having parallel scripts run concurrently and slowing down the process, some even used some semaphore-like cookies to start and stop.   By scanning thousands of hidden links, these scripts could quickly develop a comprehensive history of browsing, and the lab found that these links ranged from eBay listings to health clinics, a serious privacy concern.

While most browsers have worked to minimize this history sniffing issue, it is estimated that at least half of all Internet users are still quite vulnerable simply because many do not update their browsers on a regular basis.  Some affected users can also reduce this problem by setting their browsers to automatically clear all history whenever they end their session or by always running incognito/private browsing mode.  Of course, you can obviate any JavaScript attacks (history sniffing or otherwise) by disabling all scripts from running with extensions like NoScript for Firefox.  If you have an outdated browser (for testing purposes, right?), you can see a history sniffing script in action at StartPanic.com (The petition there is now obsolete since browsers have updated).   Given the extent of current history-stealing scripts found at Stanford’s lab, it is crucial to remain as up to date as you can on browser patches.  Remember that there are many ways to be tracked that do not involve cookies.