[kwlug-disc] DuckDuckGo.com -- an alternate search engine

Johnny Ferguson hyperflexed at gmail.com
Thu Jul 29 18:15:47 EDT 2010


On 07/29/2010 06:08 PM, Eric Gerlach wrote:
> Excerpts from Johnny Ferguson's message of Thu Jul 29 16:36:34 -0400 2010:
>> On 07/28/2010 11:12 AM, Fernando Duran wrote:
>>>
>>>
>>> ----- Original Message ----
>>>> From: Eric Gerlach<eric+kwlug at gerlach.ca>
>>> ...
>>>>
>>>> Attack #1: Using existing logins
>>>>
>>>> - You're logged into  a site you care about (let's say your bank, or
>>>>     launchpad)
>>>> -  Malicious Javascript looks through your history (yes, it can do this)
>>>>      to find recently visited sites that it knows about
>>>
>>>
>>> Just tooting my own horn: detecting browser's history is very easy to do, we
>>> implemented it in http://watsec.com/myip
>>>
>>
>> How is this accomplished? I'm rather disgusted that enabling js can let
>> people know who my bank is.
>
> It creates invisible links to each site with special CSS set on them,
> then checks to see what colour the browser has rendered them.  If it
> renders them in the "visited" colour, then you've been there recently.
>

Actually, I just thought of another countermeasure to this. One could 
specify User-agent CSS that sets all links to be the same colour. Still, 
that is a bit of an inconvenience just to use JS.

> Cheers,
>
> Eric
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org




More information about the kwlug-disc_kwlug.org mailing list