Your Web Surfing History Is Accessible (Without Your Permission) Via JavaScript

This might not be news to some of you but for me it definitely is, didn't know the capabilities of Java scripting go this far as to potentially violating privacy laws and that since quite a while already:

The Web surfing history saved in your Web browser can be accessed without your permission. JavaScript code deployed by real websites and online advertising providers use browser vulnerabilities to determine which sites you have and have not visited, according to new research from computer scientists at the University of California, San Diego.

"JavaScript is a great thing, it allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities. We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack," said UC San Diego computer science professor Sorin Lerner.

The researchers documented JavaScript code secretly collecting browsing histories of Web users through "history sniffing" and sending that information across the network. While history sniffing and its potential implications for privacy violation have been discussed and demonstrated, the new work provides the first empirical analysis of history sniffing on the real Web.

ScienceDaily

The study is entitled "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications" from the UC San Diego Jacobs School of Engineering which can be found here:
Link to PDF

The computer scientists looked for history sniffing on the front pages of the top 50,000 websites, according to Alexa global website rankings. They found that 485 of the top 50,000 sites inspect style properties that can be used to infer the browser's history. Out of 485 sites, 63 transferred the browser's history to the network. "We confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100," the UC San Diego computer scientists write in the CCS 2010 paper.

A risk to privacy?
Your thoughts?

I think the only thing they can use this info for is to try and show more ads that target what youve been browsing.

Personally I don't remember when I last clicked on an "ad" on the internet.

Maybe it was like 2001.

Just don't click em

reply to post by Clairaudience


The scary thing is Java isnt the only script type that can access these things....

Originally posted by RaymaNcouldbe
I think the only thing they can use this info for is to try and show more ads that target what youve been browsing.

Personally I don't remember when I last clicked on an "ad" on the internet.

Maybe it was like 2001.

Just don't click em

The use of "history sniffing" and "behaviour sniffing" is not limited to advertisement companies:

[atsimg]http://files.abovetopsecret.com/images/member/5958c33daa82.jpg[/atsimg]

You think Java alone is scary... wait til you find out what ActiveX can do.

If you see the little Java symbol pop up in your system tray, and you aren't running a web app that asked your permission to run it, close all applications that you don't know are needed immediately using the task manager, especially your browser.

The worst virus I've ever had came from a simple advertisement from pirate bay(don't judge me). All I did was search for a torrent, and before the search page was done loading, an ad took over the page and started up Java ActiveX. In a matter of 30 seconds, my desktop was full of shortcuts to porn sites and I couldn't even bring up the task manager. A "windows update" notification also kept popping up saying i had updates ready to install, even though I have windows update disabled. I had to do a fresh install of windows, all for simply visiting one of the nets most popular sites, not even downloading anything willingly.

I'm saying this to clear up the misconception that viruses have to be installed through exe files. That is certainly not the case. You don't have to do a damn thing to get a nasty virus, just be at the wrong site at the wrong time with the wrong advertisement displayed.

BTW the privacy issues OP is worried about can be compromised simply through cookies. And every website, including this one keeps track of your browsing history through cookies for advertisement purposes.

Somehow this knowledge has not spread widely in the mainstream - I myself didn't quite realise how easy it was to do just this until about a year ago, even though I've worked with Javascript on a regular basis for a decade. It's the type of vulnerability that has always been available, but only visible to those looking for it. There is little use for these methods apart from snatching another person's history. Perhaps though, there are a lot of motives to do so.

Vulnerabilities like this one don't exploit bugs, but instead the indirect access that Javascript gets to your browser. Javascript needs access to various things; limiting access so that Javascript is still useful while preventing any abuse often requires a rewrite of substantial parts. Sometimes it's impossible to retain functionality when improving security. Many vulnerabilities have been fixed in the past, but browser development remains a work in progress.

One problem that probably cannot be solved is that injected malicious code could read whatever is in your cookie of the trusted site/domain running the code, and transfer the content by use of Javascript's ability to make HTTP connections without affecting the page it's running on. Many sites store account information such as username and a hashed password in their cookies; though it depends on the hashing algorithm and the password itself, the attacker could have your plain-text password in mere seconds.

These are by far not the only security problems with Javascript, and many sites include a heap of third-party Javascript code (hosted externally). In effect, the probability of someone executing code you don't need nor want in your own browser is reasonably high. They may not be sniffing your history, but how do you feel about "event tracking": code tracking every single mouse movement - every click or scroll - and sending the relevant data immediately to a traffic analyser? Often such code is meant to help the site owners developer the site through proper analysis, but it's simply too invasive when it starts affecting browser performance noticeably. Apart from good intentions, third parties sometimes get hacked to inject malicious code on all the sites that were using it - and some third parties never had good intentions to begin with.

All in all, the default behaviour of browsers to blindly accept all Javascript code is insecure. If you only stick to trustworthy sites, and if they do not allow for Javascript injection on any of the site's own pages, and if the site only includes trustworthy code of third parties, and if those third parties never get compromised - then it is safe to run all Javascript code. However, if you like to roam the internet freely, the default settings just open the window for anyone to run their code in your browser. Javascript itself is not that potent - it can't write or read files on your system, for example - but the "little things" like browser performance, safety of accounts and privacy of browser history should be enough to be more cautious than browsers tend to be by default.

Luckily there are various ways to deal with this. Some people just turn off Javascript completely, but more and more sites depend on Javascript to be functional. A more popular approach is to use Firefox in combination with the NoScript extension.
NoScript protects against a number of known Javascript vulnerabilities, and has a number of settings with which you can configure in detail what you want to allow. By default, it allows only the top-level site - the domain you're visiting - to run it's code; all code gets separated by domain, and you can choose which to allow by clicking the NoScript icon. Once you allow a domain, it's code is allowed to run on all the sites using it - for example, if you allow all of facebook's domains, facebook should just work from then on.
The drawback of this approach is that 'mash-up' sites using code from 'smaller' domains will break pretty much completely. You can temporarily allow all domains for that page, but that defeats the whole purpose of using NoScript; manually allowing the right hosts would be better, but is time-consuming. Overall however, you'll notice a boost in performance when the browser doesn't have to run all the extra code anymore - and, you'll be a lot safer.
If you intend to roam the 'darker corners' of the interwebs as well, or if you just want to be really secure, you may want to disable the default NoScript setting to allow top-level domains. This will require you to manually allow the top-level domain every time you visit a new site, but therefore restricts all code unless you specifically tell it to trust it.

Whoops, didn't mean to turn this into a rant (even though I should've expected it to happen, I always rant :p) .. but I hope it's of use to someone.

Java is full of vulnerability. If you ever have the orange symbol, it means you need an update. Do it immediately.

For now, a good protection is to run a Linux build. I can get NoScript to run pretty well on my Ubuntu 10.04

If you want Windoze, make sure you get Firefox with NoScript. You can also add in all the other junk, like Abine or TACO. But NoScript is a "must have".

Adblock
noscript
Ghostery

I few useful additions for firefox.

reply to post by scraze


Not a rant at all, your post is much appreciated and did clear some things up for me and surely others too. Thank you for your contribution!