Feeds

Most browsers silently expose intimate viewing habits

Zip codes, news articles, free for the taking

The Power of One eBook: Top reasons to choose HP BladeSystem

The vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms.

According to results collected from more than 271,000 visits to a site called What the internet knows about you, 76 percent of users exposed their browser histories, with the proportion of those using Apple's Safari and Google Chrome browsers even higher. Surprisingly, the percentage was also higher among browsers that turned off JavaScript.

While the underlying browser history disclosure vulnerability was disclosed a decade ago, researchers on Thursday disclosed a variety of techniques that make attacks much more efficient. Among other things, the researchers described an algorithm that can scan as many as 30,000 links per second. That makes it possible for webmasters to stealthily gobble up huge amounts of information within seconds of someone visiting their site.

What's more, the researchers showed how webmasters can launch attacks that detect Zip Codes entered into weather or movie listings sites, find search terms entered into Google and Bing, and discover specific articles viewed on Wikileaks and dozens of popular news sites.

"While limited in scope due to resource limitations, our results indicate that history detection can be practically used to uncover private, user-supplied information from certain web forms for a considerable number of internet users and can lead to targeted attacks against the users of particular websites," the researchers, Artur Janc and Lukasz Olejnik, wrote.

The results, presented at the Web 2.0 Security and Privacy conference in Oakland, California, are the latest convincing evidence that anonymity on the net is largely a myth. Separate research released earlier this week showed that 84 percent of browser users leave digital fingerprints that can uniquely identify them. It stands to reason that attacks that combine both methods could unearth even more information most presume is private.

Last month, Mozilla said it would add protections to its upcoming Firefox 4 that would plug the gaping information disclosure vulnerability, which is known to plague every major browser. Most browser publishers, Microsoft included, have offered a variety of workarounds, but have said fixing the weakness will be extremely difficult because it's at the core of the HTTP standard.

To exploit the history-pilfering weakness, webmasters must compare a victim's HTTP response code against a list of specific web addresses, a requirement many have long said limited the effectiveness of practical attacks. Janc and Olejnik's streamlined method largely sidesteps this shortcoming by checking users against an initial list of the 6,417 most poplar internet addresses. A second list then scans for visits to specific pages on any of the websites found during the primary check.

The list on secondary links was drawn from a host of sources, including searches designed to enumerate every known page within a given domain. When one of 80 news sites was detected, the algorithm queried recent RSS feeds to detect specific articles the end user might have viewed. Users found to have visited weather or movie listing websites were also checked against every valid Zip Code in the United States.

Just over 9 per cent of people who took the test exposed their five-digit Zip Code, which provides a close approximation of a user's physical location.

The results were based on 271,576 visitors who executed 703,895 tests from September 2009 through the following February. Of those users, 243,068 completed both a primary and secondary scans.

Many more details are available in a PDF of their report, which is here. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.