[kwlug-disc] DuckDuckGo.com -- an alternate search engine

Johnny Ferguson hyperflexed at gmail.com
Thu Jul 29 18:12:53 EDT 2010


On 07/29/2010 06:08 PM, Eric Gerlach wrote:
> Excerpts from Johnny Ferguson's message of Thu Jul 29 16:36:34 -0400 2010:
>> On 07/28/2010 11:12 AM, Fernando Duran wrote:
>>>
>>>
>>> ----- Original Message ----
>>>> From: Eric Gerlach<eric+kwlug at gerlach.ca>
>>> ...
>>>>
>>>> Attack #1: Using existing logins
>>>>
>>>> - You're logged into  a site you care about (let's say your bank, or
>>>>     launchpad)
>>>> -  Malicious Javascript looks through your history (yes, it can do this)
>>>>      to find recently visited sites that it knows about
>>>
>>>
>>> Just tooting my own horn: detecting browser's history is very easy to do, we
>>> implemented it in http://watsec.com/myip
>>>
>>
>> How is this accomplished? I'm rather disgusted that enabling js can let
>> people know who my bank is.
>
> It creates invisible links to each site with special CSS set on them,
> then checks to see what colour the browser has rendered them.  If it
> renders them in the "visited" colour, then you've been there recently.
>

You have to give people credit for coming up with that. So then I guess 
this would limit a potential cracker to the sites they choose to check 
you for.

See, I hated js for accessibility reasons; I didn't realize it could be
exploited in this way. I'll be tightening up noscript.

> Cheers,
>
> Eric