[kwlug-disc] DuckDuckGo.com -- an alternate search engine

Eric Gerlach eric+kwlug at gerlach.ca
Thu Jul 29 18:08:51 EDT 2010


Excerpts from Johnny Ferguson's message of Thu Jul 29 16:36:34 -0400 2010:
> On 07/28/2010 11:12 AM, Fernando Duran wrote:
> >
> >
> > ----- Original Message ----
> >> From: Eric Gerlach<eric+kwlug at gerlach.ca>
> > ...
> >>
> >> Attack #1: Using existing logins
> >>
> >> - You're logged into  a site you care about (let's say your bank, or
> >>    launchpad)
> >> -  Malicious Javascript looks through your history (yes, it can do this)
> >>     to find recently visited sites that it knows about
> >
> >
> > Just tooting my own horn: detecting browser's history is very easy to do, we
> > implemented it in http://watsec.com/myip
> >
> 
> How is this accomplished? I'm rather disgusted that enabling js can let 
> people know who my bank is.

It creates invisible links to each site with special CSS set on them,
then checks to see what colour the browser has rendered them.  If it
renders them in the "visited" colour, then you've been there recently.

Cheers,

Eric




More information about the kwlug-disc mailing list