Old 12-Dec-2010, 21:58   #1
draconian
Member
 
Join Date: Jun 2005
Posts: 162
Default YouPorn, Perez Hilton Exploit Bug To Obtain Your Browsing History ...

http://www.huffingtonpost.com/2010/1..._n_791479.html

Here is the link to the pdf.
http://cseweb.ucsd.edu/users/lerner/.../ccs10-jsc.pdf

Apparently, these sites exploit the history visited color via DOM of webpages. So, when you visit their website, they have hidden links to sites such as nytimes, facebook, etc...and then via javascript determine the color and thus if you've visited them or not.
draconian is offline   Reply With Quote
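For anyone who wants to check a page's scripts for the pattern described in the post above, here is a static heuristic as an added example (not part of the original post or the linked paper). `flagHistorySniffing`, `SIGNALS` and the `SAMPLE_*` strings are hypothetical names, and both sample scripts are constructed for illustration.

```javascript
// Added example: static heuristic, not code from the thread or the linked paper.
// flagHistorySniffing, SIGNALS and the SAMPLE_* strings are hypothetical names.
const SIGNALS = [
  { name: "computed-style-read", re: /\bgetComputedStyle\s*\(|\.currentStyle\b/ },
  { name: "color-lookup", re: /getPropertyValue\s*\(\s*["']color["']\s*\)|\.color\b/ },
  { name: "anchor-created", re: /createElement\s*\(\s*["']a["']\s*\)/i },
  { name: "element-hidden", re: /display\s*[:=]\s*["']?none|visibility\s*[:=]\s*["']?hidden/i },
];

// Hosts referenced by the script that are not the page's own host.
function externalHosts(source, pageHost) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const host = m[1].toLowerCase();
    if (host !== pageHost.toLowerCase()) hosts.add(host);
  }
  return [...hosts].sort();
}

// Suspicious = script creates anchors, reads their computed colour,
// and names at least two third-party hosts to test.
function flagHistorySniffing(source, pageHost) {
  const signals = SIGNALS.filter((s) => s.re.test(source)).map((s) => s.name);
  const hosts = externalHosts(source, pageHost);
  const has = (n) => signals.includes(n);
  const suspicious = has("computed-style-read") && has("color-lookup") &&
    has("anchor-created") && hosts.length >= 2;
  return { suspicious, signals, hosts };
}

// Constructed sample: the pattern the post describes (links to other sites, colour read back).
const SAMPLE_SNIFF = `
var sites = ["http://nytimes.com/", "http://facebook.com/"];
for (var i = 0; i < sites.length; i++) {
  var a = document.createElement("a");
  a.href = sites[i];
  a.style.display = "none";
  document.body.appendChild(a);
  var c = getComputedStyle(a, null).getPropertyValue("color");
}`;

// Constructed sample: ordinary theming code that also reads a computed colour.
const SAMPLE_BENIGN = `
var header = document.getElementById("header");
var c = getComputedStyle(header).getPropertyValue("color");
document.body.style.borderColor = c; // https://example.com/style-guide
`;

console.log(flagHistorySniffing(SAMPLE_SNIFF, "example.com"));
console.log(flagHistorySniffing(SAMPLE_BENIGN, "example.com"));
```

This only matches plain source text, so obfuscated or dynamically loaded scripts will not be flagged; treat a hit as a reason to read the script, not as proof.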
Old 13-Dec-2010, 19:35   #2
John Reynolds
Ecce homo
 
Join Date: Feb 2002
Location: Westeros
Posts: 4,345
Default

Anyone who surfs Perez Hilton's site deserves whatever happens.
__________________
Voodoo 1 Voodoo 2 SLI Voodoo 3 3000 Voodoo 5 GeForce 3 Ti200 GeForce 4 Ti4400 Radeon 9700 Pro Radeon 9800 Pro GeForce 6800 GT Radeon X1800 XT Radeon X1900 XT Radeon X1950 XTX GeForce 8800 GTX Radeon HD 4870 GeForce GTX 285 Radeon 5870 Geforce GTX 470 Geforce GTX 570 Geforce GTX 670 GeForce GTX 770
Old 13-Dec-2010, 19:40   #3
rpg.314
Senior Member
 
Join Date: Jul 2008
Location: /
Posts: 4,274
Default

If this technique works (and apparently it does), what is there to prevent other sites from using it?

How can one prevent sites - even those more reputable than Perez Hilton - from sniffing your history?
Old 13-Dec-2010, 20:26   #4
AlphaWolf
Specious Misanthrope
 
Join Date: May 2003
Location: Treading Water
Posts: 8,143
Default

Quote:
Originally Posted by rpg.314 View Post
If this technique works (and apparently it does), what is there to prevent other sites from using it?

How can one prevent sites - even those more reputable than Perez Hilton - from sniffing your history?
purge your history (disable it in browser), block the ads, don't accept cookies, run no script.
Old 13-Dec-2010, 20:29   #5
Mize
That's my stapler
 
Join Date: Feb 2002
Location: "Midwest," USA
Posts: 4,136
Default

Why on earth is the browser sending the color of the link to the remote server?
Sounds like a pretty obvious exploit that needs to be plugged. Do all browsers send this info?

...oh and the fact that "Youporn" is a malware site...uh duh?
__________________
"Yes windows 3.1 was better than the macOS of the day. All the Windows OS's have been better."
- eastmen
Old 13-Dec-2010, 20:30   #6
Mize
That's my stapler
 
Join Date: Feb 2002
Location: "Midwest," USA
Posts: 4,136
Default

Noscript seconded here. Great plugin.
Old 13-Dec-2010, 21:31   #7
Zaphod
Remember
 
Join Date: Aug 2003
Posts: 2,116
Default

Quote:
Originally Posted by draconian View Post
Actually, they don't say Perez Hilton tracks your browser history. They say his site tracks what's copied off it.

Under the same subheading, dealing with attention tracking, the source article also states the following:
Quote:
Suspicious website: While investigating several sites that installed event handlers, we also found that the huffingtonpost.com site exhibits suspicious behavior. [...]
Whoops.
Old 13-Dec-2010, 21:51   #8
Albuquerque
Red-headed step child
 
Join Date: Jun 2004
Location: Guess ;)
Posts: 3,298
Default

Any sites that I'm unsure about get the "right-click, open in Incognito Window" treatment. No history, no cache, and their own sandbox.
__________________
"...twisting my words"
Quote:
Originally Posted by _xxx_ 1/25 View Post
Get some supplies <...> Within the next couple of months, you'll need it.
Quote:
Originally Posted by _xxx_ 6/9 View Post
And riots are about to begin too.
Quote:
Originally Posted by _xxx_8/5 View Post
food shortages and huge price jumps I predicted recently are becoming very real now.
Quote:
Originally Posted by _xxx_ View Post
If it turns out I was wrong, I'll admit being stupid
Old 13-Dec-2010, 22:11   #9
Mize
That's my stapler
 
Join Date: Feb 2002
Location: "Midwest," USA
Posts: 4,136
Default

Quote:
Originally Posted by Albuquerque View Post
Any sites that I'm unsure about get the "right-click, open in Incognito Window" treatment. No history, no cache, and their own sandbox.
Is that IE? I never use it of late...mainly since most of my browsing is on linux or os x machines, but I'm browsing more and more on my gaming rig...hmmm

nvm...chrome...good feature.
Old 13-Dec-2010, 23:11   #10
Albuquerque
Red-headed step child
 
Join Date: Jun 2004
Location: Guess ;)
Posts: 3,298
Default

Quote:
Originally Posted by Mize View Post
nvm...chrome...good feature.
Yes indeed I haven't touched IE directly in probably a year, ever since someone made an "IE Tab" Chrome extension that allows for IE-only sites (such as our corporate sharepoint) to open an IE tab within Chrome.
Old 13-Dec-2010, 23:11   #11
Sxotty
Senior Member
 
Join Date: Dec 2002
Location: Under a Crushing Burden
Posts: 4,357
Default

Quote:
Originally Posted by Mize View Post
Is that IE? I never use it of late...mainly since most of my browsing is on linux or os x machines, but I'm browsing more and more on my gaming rig...hmmm

nvm...chrome...good feature.
They all have something like that now, but Chrome's is better b/c you don't have to close/reopen and so forth.
__________________
You bought horse armor didn't you?
Old 13-Dec-2010, 23:13   #12
Mize
That's my stapler
 
Join Date: Feb 2002
Location: "Midwest," USA
Posts: 4,136
Default

Quote:
Originally Posted by Sxotty View Post
They all have something like that now, but Chrome's is better b/c you don't have to close/reopen and so forth.
Yeah, knew that but right-click to private browsing is cool.
I tend to split time between FF and Chrome...
Old 14-Dec-2010, 02:55   #13
Silent_Buddha
Regular
 
Join Date: Mar 2007
Posts: 10,491
Default

I just have a separate InPrivate browsing window open and drag links to it if I don't need history, cookies, etc.

Stopped using FF sometime after IE7 came out. Can't stand Chrome's UI.

Although IE9's UI is making me seriously consider trying FF again maybe. At least it appears they still have a separate search field and didn't merge it with the address bar like the incompetent IE UI designer did.

Regards,
SB
Old 14-Dec-2010, 04:09   #14
AlphaWolf
Specious Misanthrope
 
Join Date: May 2003
Location: Treading Water
Posts: 8,143
Default

Quote:
Originally Posted by Silent_Buddha View Post
At least it appears they still have a separate search field and didn't merge it with the address bar like the incompetent IE UI designer did.
Can search in either field in FF.

Last edited by AlphaWolf; 14-Dec-2010 at 04:31. Reason: goofed the quote
Old 14-Dec-2010, 04:26   #15
3dcgi
Senior Member
 
Join Date: Feb 2002
Posts: 2,231
Default

This technique isn't new and there are non-nefarious reasons to use it. I thought about using it for a project, but never got around to it. Here's an article where I read about it in 2008.
http://www.niallkennedy.com/blog/200...ory-sniff.html
All times are GMT +1. The time now is 12:18.

