David Kirkpatrick

December 4, 2010

History sniffing, one more online privacy issue

I have to admit I had never heard of history sniffing before reading this story. Makes me doubly glad I use Chrome for my browser.

From the link:

The Web surfing history saved in your Web browser can be accessed without your permission. JavaScript code deployed by real websites and online advertising providers uses browser vulnerabilities to determine which sites you have and have not visited, according to new research from computer scientists at the University of California, San Diego.

The researchers documented  code secretly collecting browsing histories of  through “history sniffing” and sending that information across the network. While history sniffing and its potential implications for privacy violation have been discussed and demonstrated, the new work provides the first empirical analysis of history sniffing on the real Web.

“Nobody knew if anyone on the Internet was using history sniffing to get at users’ private browsing history. What we were able to show is that the answer is yes,” said UC San Diego  science professor Hovav Shacham.

The  from the UC San Diego Jacobs School of Engineering presented this work in October at the 2010 ACM Conference on Computer and Communications Security (CCS 2010) in a paper entitled, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications”.

History Sniffing

History sniffing takes place without your knowledge or permission and relies on the fact that browsers display links to sites you’ve visited differently than ones you haven’t: by default, visited links are purple, unvisited links blue. History sniffing JavaScript code running on a Web page checks to see if your browser displays links to specific URLs as blue or purple.

History sniffing can be used by website owners to learn which competitor sites visitors have or have not been to. History sniffing can also be deployed by advertising companies looking to build user profiles, or by online criminals collecting information for future phishing attacks. Learning what banking site you visit, for example, suggests which fake banking page to serve up during a phishing attack aimed at collecting your bank account login information.
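
A defender-side illustration of the mechanism quoted above, added here and not part of the original post or the UC San Diego study: a static heuristic that flags scripts which build links to several foreign hosts and also read a computed colour. The regexes, the threshold, the function names and both sample scripts are assumptions constructed for this example.

```javascript
// Added example: static triage heuristic for history-sniffing style probes.
// The three signals and the threshold are assumptions of this example.
const STYLE_READ = /\b(getComputedStyle|currentStyle)\b/;
const COLOR_READ = /\bcolor\b/i;
const LINK_BUILD = /createElement\(\s*['"]a['"]\s*\)|\.href\s*=/i;
const URL_LITERAL = /['"](https?:\/\/[^'"\s]+)['"]/g;

// Collect hosts of URL string literals that do not belong to the page's own site.
function foreignHosts(source, pageHost) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_LITERAL)) {
    try {
      const h = new URL(m[1]).hostname.toLowerCase();
      if (h !== pageHost && !h.endsWith('.' + pageHost)) hosts.add(h);
    } catch (_) { /* skip literals that are not valid URLs */ }
  }
  return hosts;
}

// Flag a script only when all three signals co-occur: it reads a computed
// colour, it builds or retargets links, and it names several foreign hosts.
function assessScript(source, pageHost, minHosts = 3) {
  const readsStyle = STYLE_READ.test(source) && COLOR_READ.test(source);
  const buildsLinks = LINK_BUILD.test(source);
  const hosts = foreignHosts(source, pageHost);
  const suspicious = readsStyle && buildsLinks && hosts.size >= minHosts;
  return { suspicious, readsStyle, buildsLinks, foreignHosts: [...hosts].sort() };
}

// Constructed sample: a script shaped like the probe the article describes.
const SAMPLE_PROBE = `
var sites = ["http://bank-a.example/", "http://bank-b.example/", "http://shop-c.example/"];
for (var i = 0; i < sites.length; i++) {
  var a = document.createElement("a"); a.href = sites[i];
  var c = getComputedStyle(a, null).getPropertyValue("color");
}`;

// Constructed sample: ordinary theming code with a single external link.
const SAMPLE_BENIGN = `
var link = document.createElement("a");
link.href = "https://cdn.example.net/help";
var c = getComputedStyle(document.body).color;`;

console.log(assessScript(SAMPLE_PROBE, 'news.example'));
console.log(assessScript(SAMPLE_BENIGN, 'news.example'));
```

A pattern match like this only triages scripts for manual review; minified or obfuscated code will not match it.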



August 24, 2010

Readability

Filed under: et.al., Media, Technology — David Kirkpatrick @ 12:34 pm

No, not the kind of readability that describes a well-turned phrase, but instead a JavaScript you put in your bookmarks (ideally a bookmark bar for ease of use) that turns a jumbled web page into a simple, clean interface to the main content on that site. You can even ratchet up the font size to make reading easier on the eyes if need be.

I use Readability regularly and heartily recommend this free online tool. Next time you’re faced with a page full of ads, menus, tables and who knows what else, you’ll be happy a clean, easy-to-read page is a mere click of a bookmark away. Readability is an arc90 laboratory experiment.

From the link:

Readability™ is a simple tool that makes reading on the Web more enjoyable by removing the clutter around what you’re reading.

March 8, 2010

Try Catch It!

Filed under: Arts, et.al., Media, Technology — David Kirkpatrick @ 1:51 am

A simple and addictive game from Robert Eisele courtesy of Chrome Experiments. After a handful of tries my high score is 208.

January 23, 2009

Be on the lookout …

Filed under: Technology — David Kirkpatrick @ 12:31 am

… for this new phishing attack. Sounds like it might catch the unwary.

From the link:

A vulnerability in major browsers recently discovered by Trusteer could make this trick much more dangerous, by allowing for “in-session phishing” and a more tailored attack. Using this new vulnerability, a phisher could detect, via the hacked site, when a user was already logged in to a banking website. The hacked site could then launch a pop-up warning the user that her session has timed out and asking her to reenter her login details. This approach would be less likely to raise a red flag, says Klein, since the pop-up does not appear completely out of the blue.

The core vulnerability discovered by the Israeli researchers is a Web browser flaw that lets the phisher see what other websites a person is visiting. Klein explains that a certain JavaScript function, commonly used by online retailers, financial institutions, and other sites, leaves a footprint revealing that the user is logged in to that site. Klein says that protections such as pop-up blockers wouldn’t necessarily derail the attack because the hacked site could itself be altered to seem like a request to log in again.