[HN Gopher] Retrieving your browsing history through a CAPTCHA
___________________________________________________________________
Retrieving your browsing history through a CAPTCHA
Author : varun_ch
Score : 360 points
Date : 2022-03-05 17:12 UTC (1 days ago)
(HTM) web link (varun.ch)
(TXT) w3m dump (varun.ch)
| jahirul247 wrote:
| rightbyte wrote:
| This is a terrible PI leak ...
|
| JS should really be disabled by default and only be enabled on
| sites that really need it and you somewhat trust.
| cabirum wrote:
| It does not require js to work. In essence, it uses css styles
| to exploit visited links.
| madacol wrote:
| I had to enable js for it to work in firefox
| zinekeller wrote:
| Also, lying about the visited state to JS was implemented as early
| as Firefox 4 - so it is definitely not a JS-dependent
| "exploit" (rather, it's a rather oblique way of social
| engineering).
| PetahNZ wrote:
| But don't you need js to check for the styles to see if the
| link is visited?
| vgel wrote:
| No, each square the user clicks could be a checkbox that is
| submitted to the backend as a form when they click done.
| kevincox wrote:
| It could even just use CSS selectors to reveal an image
| or change a background image that results in a request to
| the backend.
| varun_ch wrote:
| Fortunately most browsers already have some measures to
| prevent that
| (https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and...),
| the demo avoids automating the process altogether, and relies on
| tricking the visitor into 'voluntarily' telling if they've
| visited a site.
| kevincox wrote:
| I meant you can use CSS on the checkbox once it is
| checked, there is no need to actually submit a form. I
| understand that you can't use CSS directly on the
| :visited selector.
| varun_ch wrote:
| Ah I see, that makes sense.
| rightbyte wrote:
| You need js to extract the PI though?
| gowld wrote:
| JS _or_ user submitting a form -- some form of client
| interaction.
| leodriesch wrote:
| This one does not really need JS, the captcha could be done
| with an HTML form and checkboxes.
| sylware wrote:
| captchas which are not working with noscript/basic
| (x)html browsers are a definitive no-no anyway.
| fam0r wrote:
| You can do requests to the site using pure CSS as well,
| using something like `.site:visited { background-image:
| url(/logging/site); }`
| unilynx wrote:
| those kinds of tricks are already blocked by browsers, as
| the article explains
| xPaw wrote:
| I rarely see websites that actually make use of `:visited` style
| as intended, it would be good if browsers had an option to just
| disable it and prevent this class of leaks completely.
| ZeroGravitas wrote:
| The last sentence of the article claims you do have that
| option, but I can't find it?
|
| I can see an option to always override the color with my
| choice.
| varun_ch wrote:
| Looks like Firefox has it in their advanced settings under
| "layout.css.visited_links_enabled", but on Chrome (or other
| Chromium based browsers) you have to clear history regularly,
| or use incognito mode.
| kevincox wrote:
| The site we are on right now uses visited links in a different
| style (although annoyingly subtle). I find this feature
| incredibly valuable.
|
| I would've be opposed to a feature to disable it but I
| certainly wouldn't use it. I can imagine that Tor may want to
| enable it by default though.
|
| Edit: Apparently Firefox has this feature and Tor does use it.
| hk__2 wrote:
| > I rarely see websites that actually make use of `:visited`
| style as intended
|
| Some well-known websites do it, such as Google and Wikipedia.
| mmahemoff wrote:
| The only time I ever see a visited style link is when links
| aren't styled at all. It's anachronistic and the feature should
| probably be dropped altogether. If some users want to see it,
| it could be done with an extension that has history access (or
| a coarse-grained version of history). Then they'd be able to
| see it for all sites, not just the tiny fraction of sites that
| don't style links.
| shkkmo wrote:
| This is clearly not true as you are currently posting on a
| site that has styled links and also has lighter styled
| visited links.
| hackerfromthefu wrote:
| Counterpoint, plenty of sites I use properly show visited
| links, and it's a very useful feature!
| isomel wrote:
| Wikipedia for example
|
| Edit: oh, and Hackernews, too
| chrismorgan wrote:
| I like :visited. It's useful. I don't want browsers to disable
| it, but developers to stop clobbering and disabling it on their
| sites.
|
| Any site I make _will_ have sane blue underlined links and
| purple underlined visited links. I'm willing to vary the shades
| of blue and purple, and I prefer to reduce the opacity of the
| underline when not interacting with the link, but I say general
| links should be blue and purple and underlined, and anything
| else is troublemaking.
|
| (In https://github.com/w3c/csswg-drafts/issues/3012, there's
| talk of changing :visited to essentially work from the _site's_
| perspective--exposing only history that the site could have
| tracked itself--rather than for the _user_ as global
| visitedness does. This makes me sad, though I quite understand
| the perspective; to me, :visited has always been about the
| user, _even though_ such first-party link following is its
| primary use.)
| gowld wrote:
| The thing you like is client link styling, not :visited
| attribute manipulated via CSS/JS.
| magicalist wrote:
| Not sure what you mean. Under that proposal :visited
| wouldn't be available for styling or scripting except for
| links the site could already know that you visited.
| [deleted]
| Jap2-0 wrote:
| I was wondering why this wasn't working for me. Looking through
| my settings in Firefox, I finally narrowed it down to Privacy and
| Security -> History. I have it set to "use custom settings"
| (clear history on exit, everything else unchecked), but
| presumably "never remember history" would also work.
| hoesephgerrible wrote:
| Pooge wrote:
| What is going on with those new accounts preaching against
| online privacy recently?
|
| Edit: For the lurkers trying to educate themselves, I recommend
| those resources:
|
| https://en.wikipedia.org/wiki/Nothing_to_hide_argument
|
| https://en.wikipedia.org/wiki/Citizenfour
|
| https://vimeo.com/nothingtohide
| AussieWog93 wrote:
| I don't think the new account was actually arguing against
| privacy (those words have basically become a strawman now);
| rather it was just a bit of dry humour.
| Pooge wrote:
| I just reread the comment and maybe you are right. I don't
| know if he edited the comment or if I misread when I wrote
| my reply, but I didn't see the word "goes". So I read "I
| believe the argument [...]".
| charcircuit wrote:
| >What is going on with those new accounts preaching against
| online privacy recently?
|
| From my experience (as I prefer freedom of information) if
| you are against privacy you tend to get downvoted. I think
| downvotes can lead to your account being rate limited which
| is annoying so it makes sense that people would want to use
| another account.
| ivan90210 wrote:
| yodon wrote:
| Perhaps you're spotting recent reddit transplants who don't
| yet get HN's unique dislike of sarcasm and shallowly
| dismissive jokes?
| throwawayHN378 wrote:
| Cool but this has been around since forever
| [deleted]
| mistersquid wrote:
| On macOS Monterey 12.2.1
| - Fails on Safari 15.3
| - Works on Google Chrome 99.0.4844.51
| ck2 wrote:
| The answer to having both visited styles and not security
| violations is to allow a domain to only style links that are
| local to that domain and not others.
|
| They already do that with referers, there is a security level to
| only let the site see referers that are local to its domain. I
| think this is the default for https
| orliesaurus wrote:
| I remember seeing the same concept applied to something else and
| a demo here on HN many years ago. This implementation however is
| novel, and feels more 'exploitable'. Good idea/nice find!
| huhtenberg wrote:
| Sly and clever, but the demo's not working.
|
| That's all I see - https://i.imgur.com/zl1iv6O.png
|
| Recent Firefox + uBlock.
| varun_ch wrote:
| Do you have JavaScript disabled?
| huhtenberg wrote:
| No, not blocked. Nothing on the console too except that the
| loading of "plausible.js" was blocked.
|
| PS. Played with it a bit and .box divs are zero-height. You
| need to have some content in <a> tags for them to not
| collapse vertically. This fixes it (somewhat) -
| document.querySelectorAll('.box a').forEach(e => e.innerHTML = ' ')
|
| PPS. Also this .box rule is marked with "invalid property
| name" - aspect-ratio: 1/1
| varun_ch wrote:
| Thanks. I can't reproduce the issue on Chrome or Firefox
| (98), but I've just pushed an update that changes
| "aspect-ratio: 1/1", to "aspect-ratio: 1 / 1". Perhaps I needed
| those spaces.
|
| Let me know if that solves it. :)
|
| Edit: Looks like Firefox only got support for aspect-ratio
| in version 89, is your browser up to date?
| jfkimmes wrote:
| I believe this is not a new concept. However, I applaud the
| accessibility, style and implementation of the proof-of-concept,
| given that the author seems to be only 15!
|
| Also sidenote: I like the creative and subtle plug for the
| author's 'Quickz' project (seems to be a Kahoot alternative - I
| have never heard of either) in the "not visited category".
|
| Keep up the good work!
| varun_ch wrote:
| Thank you! :)
| pabs3 wrote:
| For Firefox at least, toggling layout.css.visited_links_enabled
| should fix this.
|
| An earlier article about the visited CSS issue:
|
| https://dbaron.org/mozilla/visited-privacy
| Aachen wrote:
| Oh nice, I always have trouble making realistic clickjacking
| demos. This is just perfect. Previously I put stuff like a play
| button on a funny video, and for a second click the skip button
| on an ad. This stuff is golden, you can get a nearly infinite
| amount of clicks out of it.
| Anunayj wrote:
| Are there any extensions that protect from this?
| shusaku wrote:
| Basically the only defense is an extension that prevents
| styling for a visited link. But on the plus side to use this
| exploit you either need to be very specific about what sites
| you check or have the user clicking lots of links...
| lozenge wrote:
| Tor Browser is not vulnerable.
|
| I don't think you can defend against this by adding CSS rules,
| only removing them. Extensions would need to parse the entire
| CSS of a website and replace it, which would be cumbersome.
| Hnrobert42 wrote:
| I use Firefox Focus. It deletes your history each time you
| close the app. I find I never need my history, so I'm happy to
| have it deleted regularly. Others seem to use their history and
| tabs, so YMMV.
| jahirul247 wrote:
___________________________________________________________________
(page generated 2022-03-06 23:01 UTC)