Retrieving your browsing history through a CAPTCHA(varun.ch)
varun.ch
Retrieving your browsing history through a CAPTCHA
https://varun.ch/history
62 comments
I rarely see websites that actually make use of `:visited` style as intended, it would be good if browsers had an option to just disable it and prevent this class of leaks completely.
I like :visited. It’s useful. I don’t want browsers to disable it, but developers to stop clobbering and disabling it on their sites.
Any site I make will have sane blue underlined links and purple underlined visited links. I’m willing to vary the shades of blue and purple, and I prefer to reduce the opacity of the underline when not interacting with the link, but I say general links should be blue and purple and underlined, and anything else is troublemaking.
(In https://github.com/w3c/csswg-drafts/issues/3012, there’s talk of changing :visited to essentially work from the site’s perspective—exposing only history that the site could have tracked itself—rather than for the user as global visitedness does. This makes me sad, though I quite understand the perspective; to me, :visited has always been about the user, even though such first-party link following is its primary use.)
Any site I make will have sane blue underlined links and purple underlined visited links. I’m willing to vary the shades of blue and purple, and I prefer to reduce the opacity of the underline when not interacting with the link, but I say general links should be blue and purple and underlined, and anything else is troublemaking.
(In https://github.com/w3c/csswg-drafts/issues/3012, there’s talk of changing :visited to essentially work from the site’s perspective—exposing only history that the site could have tracked itself—rather than for the user as global visitedness does. This makes me sad, though I quite understand the perspective; to me, :visited has always been about the user, even though such first-party link following is its primary use.)
The think you like is client link styling, not :visited attribute manipulated via CSS/JS.
Not sure what you mean. Under that proposal :visited wouldn't be available for styling or scripting except for links the site could already know that you visited.
The site we are on right now uses visited links in a different style (although annoyingly subtle). I find this feature incredibly valuable.
I would've be opposed to a feature to disable it but I certainly wouldn't use it. I can imagine that Tor may want to enable it by default though.
Edit: Apparently Firefox has this feature and Tor does use it.
I would've be opposed to a feature to disable it but I certainly wouldn't use it. I can imagine that Tor may want to enable it by default though.
Edit: Apparently Firefox has this feature and Tor does use it.
> I rarely see websites that actually make use of `:visited` style as intended
Some well-known websites do it, such as Google and Wikipedia.
Some well-known websites do it, such as Google and Wikipedia.
The only time I ever see a visited style link is when links aren't styled at all. It's anachronistic and the feature should probably be dropped altogether. If some users want to see it, it could be done with an extension that has history access (or a coarse-grained version of history). Then they'd be able to see it for all sites, not just the tiny fraction of sites that don't style links.
Counterpoint, plenty of sites I use properly show visited links, and it's a very useful feature!
Maybe I don't notice it enough, but I suspect the vast majority of those are only doing it because they haven't changed the style.
I find it useful too, but since most sites don't actually show it, I'd rather just use an extension that always shows it.
I find it useful too, but since most sites don't actually show it, I'd rather just use an extension that always shows it.
Wikipedia for example
Edit: oh, and Hackernews, too
Edit: oh, and Hackernews, too
The last sentence of the article claims you do have that option, but I can't find it?
I can see an option to always overridde the color with my choice.
I can see an option to always overridde the color with my choice.
Looks like Firefox has it in their advanced settings under "layout.css.visited_links_enabled", but on Chrome (or other Chromium based browsers) you have to clear history regularly, or use incognito mode.
For Firefox at least, toggling layout.css.visited_links_enabled should fix this.
An earlier article about the visited CSS issue:
https://dbaron.org/mozilla/visited-privacy
An earlier article about the visited CSS issue:
https://dbaron.org/mozilla/visited-privacy
The answer to having both visited styles and not security violations is to allow a domain to only style links that are local to that domain and not others.
They already do that with referers, there is a security level to only let the site see referers that are local to its domain. I think this is the default for https
They already do that with referers, there is a security level to only let the site see referers that are local to its domain. I think this is the default for https
Couldn't you reimplement cross-site cookies with that?
I was wondering why this wasn't working for me. Looking through my settings in Firefox, I finally narrowed it down to Privacy and Security -> History. I have it set to "use custom settings" (clear history on exit, everything else unchecked), but presumably "never remember history" would also work.
Oh nice, I always have trouble making realistic clickjaking demos. This is just perfect. Previously I put stuff like a play button on a funny video, and for a second click the skip button on an ad. This stuff is golden, you can get a nearly infinite amount of clicks out of it.
On macOS Monterey 12.2.1
- Fails on Safari 15.3
- Works on Google Chrome 99.0.4844.51[deleted]
I remember seeing the same concept applied to something else and a demo here on HN many years ago. This implementation however is novel, and feels more 'exploitable'. Good idea/nice find!
Sly and clever, but the demo's not working.
That's all I see - https://i.imgur.com/zl1iv6O.png
Recent Firefox + uBlock.
That's all I see - https://i.imgur.com/zl1iv6O.png
Recent Firefox + uBlock.
Do you have JavaScript disabled?
No, not blocked. Nothing on the console too except that the loading of "plausible.js" was blocked.
PS. Played with it a bit and .box divs are zero-height. You need to have some content in <a> tags for them to not collapse vertically. This fixes it (somewhat) -
PS. Played with it a bit and .box divs are zero-height. You need to have some content in <a> tags for them to not collapse vertically. This fixes it (somewhat) -
document.querySelectorAll('.box a').forEach(e => e.innerHTML = ' ')
PPS. Also this .box rule is marked with "invalid property name" - aspect-ratio: 1/1Thanks. I can't reproduce the issue on Chrome or Firefox (98), but I've just pushed an update that changes "aspect-ratio: 1/1", to "aspect-ratio: 1 / 1". Perhaps I needed those spaces.
Let me know if that solves it. :)
Edit: Looks like Firefox only got support for aspect-ratio in version 89, is your browser up to date?
Let me know if that solves it. :)
Edit: Looks like Firefox only got support for aspect-ratio in version 89, is your browser up to date?
I am on 88 and planning to stay on it for a while. Mozilla got way off track recently with their pointless UI changes and, more troubling, business "collaborations", so a conservative approach to updating is well-warranted.
[deleted]
Doesn't work on Firefox iOS, even with enhanced tracking protection disabled. It only shows this single domain varun.ch.
It does work on Firefox desktop.
It does work on Firefox desktop.
Are there any extensions that protect from this?
Basically the only defense is an extension that prevents styling for a visited link. But on the plus side to use this exploit you either need to be very specific about what sites you check or have the user clicking lots of links…
I use Firefox Focus. It deletes your history each time you close the app. I find I never need my history, so I’m happy to have it deleted regularly. Others seem to use their history and tabs, so YMMV.
Tor Browser is not vulnerable.
I don't think you can defend against this by adding CSS rules, only removing them. Extensions would need to parse the entire CSS of a website and replace it, which would be cumbersome.
I don't think you can defend against this by adding CSS rules, only removing them. Extensions would need to parse the entire CSS of a website and replace it, which would be cumbersome.
Cool but this has been around since forever
This is a terrible PI leak ...
JS should really be disabled by default and only be enabled on sites that really need it and you somewhat trust.
JS should really be disabled by default and only be enabled on sites that really need it and you somewhat trust.
It does not require js to work. In essense, it uses css styles to exploit visited links.
I had to enable js for it to work in firefox
Also, lying the visited state on JS was implemented as early as Firefox 4 - so it is definitely not a JS-dependent "exploit" (rather, it's a rather oblique way of social engineering).
But dont you need js to check for the styles to see if the link is visited?
No, each square the user clicks could be a checkbox that is submitted to the backend as a form when they click done.
It could even just use CSS selectors to reveal an image or change a background image that results in a request to the backend.
Fortunately most browsers already have some measures to prevent that (https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and...), the demo avoids automating the process altogether, and relies on tricking the visitor into 'voluntarily' telling if they've visited a site.
You need js to extract the PI though?
JS or user submitting a form -- some form of client interaction.
This one does not really need JS, the captcha could be done with an HTML form and checkboxes.
captchas which are not working with noscript/basic (x)html browsers are definitive no-no anyway.
Also sidenote: I like the creative and subtle plug for the author's 'Quickz' project (seems to be a Kahoot alternative - I have never heard of either) in the "not visited category".
Keep up the good work!