[kwlug-disc] DuckDuckGo.com -- an alternate search engine
Johnny Ferguson
hyperflexed at gmail.com
Thu Jul 29 18:12:53 EDT 2010
On 07/29/2010 06:08 PM, Eric Gerlach wrote:
> Excerpts from Johnny Ferguson's message of Thu Jul 29 16:36:34 -0400 2010:
>> On 07/28/2010 11:12 AM, Fernando Duran wrote:
>>>
>>>
>>> ----- Original Message ----
>>>> From: Eric Gerlach<eric+kwlug at gerlach.ca>
>>> ...
>>>>
>>>> Attack #1: Using existing logins
>>>>
>>>> - You're logged into a site you care about (let's say your bank, or
>>>> launchpad)
>>>> - Malicious Javascript looks through your history (yes, it can do this)
>>>> to find recently visited sites that it knows about
>>>
>>>
>>> Just tooting my own horn: detecting browser's history is very easy to do, we
>>> implemented it in http://watsec.com/myip
>>>
>>
>> How is this accomplished? I'm rather disgusted that enabling js can let
>> people know who my bank is.
>
> It creates invisible links to each site with special CSS set on them,
> then checks to see what colour the browser has rendered them. If it
> renders them in the "visited" colour, then you've been there recently.
>
You have to give people credit for coming up with that. So then I guess
this would limit a potential cracker to the sites they choose to check
you for.
See, I hated js for accessibility reasons; I didn't realize it could be
exploited in this way. I'll be tightening up noscript.
> Cheers,
>
> Eric
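
Added example, not part of the original thread: a small JavaScript model of the colour check Eric describes, next to the hardened behaviour of current browsers, which report the unvisited style to script and let :visited rules change only colour properties. The URLs, colours and function names are constructed for the illustration, and no real DOM API is used.

```javascript
// Added illustration: a toy style resolver, not a real browser or DOM API.
// All URLs, colours and function names here are constructed for the example.
const UNVISITED_STYLE = { color: "rgb(0, 0, 238)", width: "10px" };

// Constructed a:visited rule of the kind the thread describes.
const VISITED_RULE = { color: "rgb(85, 26, 139)", width: "99px" };

// Properties a hardened engine lets :visited change (colour-only subset).
const VISITED_SAFE_PROPS = new Set(["color", "background-color", "outline-color"]);

// Constructed browsing history.
const browsingHistory = new Set(["https://bank.example/", "https://code.example/"]);

// Style the engine paints on screen for a link.
function paintedStyle(href, mode) {
  const style = { ...UNVISITED_STYLE };
  if (!browsingHistory.has(href)) return style;
  for (const [prop, value] of Object.entries(VISITED_RULE)) {
    // Hardened engines ignore layout-affecting properties in :visited rules.
    if (mode === "legacy" || VISITED_SAFE_PROPS.has(prop)) style[prop] = value;
  }
  return style;
}

// Style reported back to script (the getComputedStyle equivalent).
function scriptVisibleStyle(href, mode) {
  // Legacy: script sees what was painted. Hardened: script is always told
  // the unvisited style, even though the screen shows the visited colour.
  return mode === "legacy" ? paintedStyle(href, mode) : { ...UNVISITED_STYLE };
}

// The comparison from the thread, run over a list of candidate links.
function inferVisited(candidates, mode) {
  return candidates.filter((href) => {
    const seen = scriptVisibleStyle(href, mode);
    return seen.color !== UNVISITED_STYLE.color || seen.width !== UNVISITED_STYLE.width;
  });
}

const CANDIDATES = ["https://bank.example/", "https://other.example/", "https://code.example/"];
console.log("legacy:  ", inferVisited(CANDIDATES, "legacy"));
console.log("hardened:", inferVisited(CANDIDATES, "hardened"));
```

In the hardened mode the visited link is still painted in the visited colour for the user; only the value handed back to script changes.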