Using computer code to track which Web sites computer users have visited.
A University of California-San Diego study has found that browser vulnerabilities can be exploited in
order to access your Web surfing history, Chloe Albanesius reported on PC Mag:
JavaScript code used by Web sites and advertisers exploits browser vulnerabilities to track which sites
a user has or has not visited, the report said. Researchers have dubbed the practice “history sniffing,”
and they claim their work is the first empirical analysis of history sniffing across the Web.
“Nobody knew if anyone on the Internet was using history sniffing to get at users’ private browsing
history. What we were able to show is that the answer is yes,” UC San Diego computer science
professor Hovav Shacham said in a statement.
History sniffing is possible because browsers display links to sites you’ve visited differently from those
you have not. If you’ve clicked on a link, it shows up purple. If you have not clicked, it displays as blue.
According to Albanesius, information collected via history sniffing could be used by organisations to
track visits to competitors' sites, by advertisers to help construct detailed user profiles, and by
criminals to launch increasingly realistic phishing attacks.
On the heels of a government report pushing a "do not track" option for Web browsers, a recent study
from the University of California-San Diego finds that browser vulnerabilities can allow access to your
Web-surfing history.
Researchers cautioned, however, that the practice is not as harmful as malicious software attacks like
malware.
"History sniffing JavaScript code running on a Web page checks to see if your browser displays links to
specific URLs as blue or purple," the report said.
Why is this important? Researchers said that Web site owners can use this information to see if you
have been visiting the Web sites of their competitors. Advertising companies can also use the data to
build user profiles, while criminals could watch which banking sites you use to know which fake
banking site they should use for a phishing attack.
"JavaScript is a great thing, it allows things like Gmail and Google Maps and a whole bunch of Web 2.0
applications; but it also opens up a lot of security vulnerabilities. We want to let the broad public know
that history sniffing is possible, it actually happens out there, and that there are a lot of people
vulnerable to this attack," said Sorin Lerner, a computer science professor with the university's Jacobs
School of Engineering.
The report found that the latest versions of Firefox, Chrome, and Safari block history-sniffing attacks.
Internet Explorer, however, does not currently defend against history sniffing. November data from
Net Applications found that IE still holds 58.26 percent of the global browser market share.
A Microsoft spokeswoman said the company takes "a holistic approach to protecting consumer
privacy." That includes browser options like InPrivate Browsing, which lets customers surf without
having their activity tracked.
"Internet Explorer 8's InPrivate Browsing feature puts people in control of their privacy, giving them
the important features and controls to understand what information is being shared when they browse
the Web," Microsoft said.
To gather their data, researchers used their JavaScript monitoring tool to look at the top 50,000 Web
sites, as ranked by Alexa. The practice is not particularly widespread, at least. Of the 50,000 sites,
they found that 485 of those sites can monitor a browser's history. Of those 485 sites, 63 of them
transferred the browser history to the network; researchers only considered it history sniffing if that
data was sent to the network. The topics of these 63 sites were varied, though most focused on
entertainment. A complete list is included in the report.
To gather their data, researchers tagged – or "painted" – a link that was being tracked, akin to the
paint packets banks add to bags of stolen money.
"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that. Some
sites collected that information but never sent it over the network, so there was all this 'paint' inside
the browser. But in other cases, we observed 'paint' being sent over the network, indicating that
history sniffing is going on," Lerner said.
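As an added illustration of the "paint" idea Lerner describes (this is not the UCSD monitoring tool): every value derived from a link-colour check is marked, the mark follows the value through string building, and a site is counted as sniffing only when marked data reaches the network sink. The mock browser API (`linkColor`, `concat`, `send`), the visited set and the three site scripts are all constructed for this example.

```javascript
// Added illustration of the "paint" (taint) idea, not the researchers' tool.
// A site script gets a tiny mock browser API; every value derived from a link
// colour check carries paint, paint survives string concatenation, and only
// paint reaching the network sink is counted, which is the study's criterion.
const PAINT = Symbol('paint');
// Primitives cannot carry properties, so painted values are small wrappers.
const painted = value => ({ [PAINT]: true, value });
const isPainted = x => x !== null && typeof x === 'object' && x[PAINT] === true;
// Constructed stand-in for the browser's visited-URL history.
const VISITED = new Set(['https://bank.example/', 'https://news.example/']);

function makeBrowser() {
  const log = { colorChecks: 0, paintedSends: 0, cleanSends: 0 };
  const api = {
    // Models reading a link's rendered colour on a browser that still exposes
    // :visited styling. The result is painted whatever its value.
    linkColor(url) {
      log.colorChecks += 1;
      return painted(VISITED.has(url) ? 'purple' : 'blue');
    },
    // Concatenation propagates paint: one painted part taints the result.
    concat(...parts) {
      const text = parts.map(p => (isPainted(p) ? p.value : String(p))).join('');
      return parts.some(isPainted) ? painted(text) : text;
    },
    // Network sink: record whether what leaves the page carries paint.
    send(payload) {
      if (isPainted(payload)) log.paintedSends += 1; else log.cleanSends += 1;
    },
  };
  return { api, log };
}

// Run one site's script and classify it the way the study did: reading
// colours alone is not enough, the painted data has to hit the network.
function classify(siteScript) {
  const { api, log } = makeBrowser();
  siteScript(api);
  if (log.paintedSends > 0) return 'history-sniffing';
  if (log.colorChecks > 0) return 'checks-colors-only';
  return 'benign';
}

// Three constructed site scripts covering the study's three outcomes.
const benignSite = api => api.send(api.concat('page=', 'home'));
const localOnlySite = api => { api.linkColor('https://bank.example/'); api.send('ok'); };
const sniffingSite = api => {
  const c = api.linkColor('https://bank.example/');
  api.send(api.concat('visited=', c)); // painted value reaches the network
};
```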
Going forward, the researchers said they would use this technique to see if history sniffing is also used
by Web 2.0 applications and social-network sites.
Shacham said that while history sniffing might be invasive, it is not as great a risk to your privacy as
malicious software programs like malware, which can steal banking information or an entire Facebook
profile. Still, "history sniffing is unusual in effectively allowing any site you visit to learn about your
browsing habits on any other site, regardless if the two sites have any business relationship," he said.
He advised users to keep their browsers and Flash plug-ins up-to-date to avoid history sniffing.
The report comes several days after the Federal Trade Commission released an online privacy report
that recommended "do not track" technology for browsers. Essentially, browser companies should add
the ability for consumers to opt-out of having their Web activity tracked, the agency said. The FTC
discussed it more at a House hearing last week, where a researcher from Symantec expressed his
concern about "do not track" technology. Major browser firms like Microsoft, Google, and Mozilla have
said they will review the FTC's proposal.
While we’ll need more time to digest and evaluate the details, we’re encouraged by what we’ve seen so far. In
particular, the FTC has proposed a set of principles that align well with the Mozilla manifesto and our approach to
software development including:
privacy by design;
transparency;
user choice; and
no surprises.
Of course the devil is often in the details, but the first principles seem right. The FTC should also be commended for
continuing its efforts to seek a comprehensive proposal rather than focusing only on one aspect of the issue.
The Commission has also shown that it understands the complexity and nuance of many of the issues, for example,
the blending distinction between PII and non-PII, and the contextual nature of privacy issues. To that end, the
Commission has articulated a robust set of questions on which it is seeking further public feedback. Comments on the
proposal are due on January 13, 2011.
Over the next month, we’ll examine the questions and proposal in more detail and take advantage of this opportunity
to share our experience, concerns, and views on the proposed framework.