Hi malware fighters,
Sniffing Browser History with NO Javascript, slow but can be performed, no sweat, a privacy hole!
How this privacy leakage is performed is rather simple. The only thing a website needs to do is load a hidden iframe with many, many links. Whenever a link has been visited before, a background pre-defined inside the CSS is loaded. This “background” will log the information and will save it accordingly. This page shows the attack as it evolves: http://www.making-the-web.com/misc/sites-you-visit/nojs/
But it can also be done on a “normal” page using view-state.
Edit: Web Developer does not offer a possibility to globally set an overruling CSS; the Firefox plugin Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) can. Make up the following (global) style:
a:visited {
    background: none !important;
    background-image: none !important;
    list-style-image: none !important;
}
O.K., that will work, but there is yet another way to block this with an extension named RefControl. There you can set, globally and on a per-site basis, what the referring header should be. This could be, for instance, to enforce the root of the site (block third party, etc.), so for example htxp://www.asIlike_tosee it. com/, and if that hampers functionality, sometimes the real referrer.
There is also a third way, namely to block all Meta Redirects; then this sniffing also does not function anymore. So there are more ways to get the required result: blocking the sniffing of browser history in this way.
It is a pity that we have to be educated about all the possibilities (like some here on the forums) to be protected against these issues, that’s why I bring it to your attention,
polonus
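
A defender-side check for the pattern described in the post, as an added example that is not part of the original post: it scans stylesheet text for `:visited` rules whose declarations fetch a URL, which is the mechanism the user style above neutralises. The function names, the property list and the sample stylesheet (with `example.invalid` hosts) are assumptions constructed for illustration.

```javascript
// Properties whose value can trigger a network request through url().
// The first three are the ones overridden by the user style in the post.
const URL_PROPS = /^(background|background-image|list-style-image|list-style|border-image|border-image-source|content|cursor)$/i;

// Returns [{selector, property, url}] for every url()-bearing declaration
// found in a rule whose selector list contains a :visited selector.
function findVisitedLeaks(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
  // Innermost "selector { declarations }" blocks; also matches rules nested in @media.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let rule;
  while ((rule = ruleRe.exec(text)) !== null) {
    const selectors = rule[1].split(",").map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of rule[2].split(";")) {
      const colon = decl.indexOf(":");
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      if (!URL_PROPS.test(property)) continue;
      const urlRe = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;
      let u;
      while ((u = urlRe.exec(decl.slice(colon + 1))) !== null) {
        for (const selector of selectors) {
          findings.push({ selector, property, url: u[2] });
        }
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
/* per-link rules that request a distinct URL only when the link is visited */
a { color: blue; }
#l1:visited { background: url("https://collector.example.invalid/hit?id=1"); }
@media screen { #l2:visited, #l2:hover { list-style-image: url(/hit?id=2) } }
a:visited { background: none !important; background-image: none !important; }
a:visited { color: purple; }
`;

for (const f of findVisitedLeaks(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.property} fetches ${f.url}`);
}
```

Rules that only set colours or `none` on `:visited` produce no finding, so the global override from the post passes the check cleanly.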