[kwlug-disc] DuckDuckGo.com -- an alternate search engine
Eric Gerlach
eric+kwlug at gerlach.ca
Fri Jul 30 11:52:37 EDT 2010
Excerpts from Chris Irwin's message of Fri Jul 30 11:44:14 -0400 2010:
> On Thu, Jul 29, 2010 at 16:36, Johnny Ferguson <hyperflexed at gmail.com> wrote:
> > How is this accomplished? I'm rather disgusted that enabling js can let
> > people know who my bank is.
>
> This can be done without javascript. Have an invisible link for bank1,
> set the :visited property to use background image
> "visited.php?url=bank1", repeat as necessary.
>
> Even with javascript disabled, your browser will fetch the background
> image if you have visited that url before, and this will be logged
> server-side. No need to skip around the DOM tree with javascript and
> relay that data from the browser to the server. You just log it on the
> server directly.
True, but then it's harder for you to load your "check to see if they're
still logged into site X and then steal all their money/send spam from
their gmail/buy stuff from amazon" script and use that. Much easier to
do if you're already checking stuff client-side.
And yes, these are all real, existing, javascript attacks (though I may
have exaggerated the "steal all your money" one... it might just be
"steal some of your money").
Cheers,
Eric
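The :visited background-image probe described in the thread leaves a recognisable trace in a web proxy or egress log: one client fetching the same probe endpoint several times within a second or two, each time with a different label in the query string. The following detector is an added example written for this post, not code from the list or from any of the posters; the log lines, the `/visited.php` endpoint name and the `url` parameter name are constructed to match the technique as described, and a real deployment would take the endpoint and parameter from its own observations.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy-log lines (common log format); not from the list post.
# 203.0.113.7 visited a page that probed three history entries in quick succession.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jul/2010:11:50:01 -0400] "GET /page.html HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jul/2010:11:50:02 -0400] "GET /visited.php?url=bank1 HTTP/1.1" 200 43
203.0.113.7 - - [30/Jul/2010:11:50:02 -0400] "GET /visited.php?url=bank2 HTTP/1.1" 200 43
203.0.113.7 - - [30/Jul/2010:11:50:03 -0400] "GET /visited.php?url=webmail HTTP/1.1" 200 43
198.51.100.9 - - [30/Jul/2010:11:55:10 -0400] "GET /page.html HTTP/1.1" 200 5120
198.51.100.9 - - [30/Jul/2010:11:55:11 -0400] "GET /visited.php?url=bank1 HTTP/1.1" 200 43
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

def parse_line(line):
    """Return (client_ip, timestamp, path, query_dict) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parsed = urlparse(m.group("path"))
    return m.group("ip"), ts, parsed.path, parse_qs(parsed.query)

def find_history_probes(log_text, endpoint="/visited.php", param="url",
                        window_s=5, min_hits=2):
    """Map client IP -> sorted probed labels for clients that hit the probe endpoint
    with at least min_hits distinct parameter values inside a window_s-second burst.
    Each :visited link that matches fires exactly one such request, so a burst of
    distinct labels from one client is the signature of a history-sniffing page."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, qs = rec
        if path == endpoint and param in qs:
            hits[ip].append((ts, qs[param][0]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            burst = {label for t, label in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(burst) >= min_hits:
                flagged[ip] = sorted(burst)
                break
    return flagged
```

A single probe hit (as for 198.51.100.9 above) is not flagged, since a page with only one visited-link match looks like an ordinary image fetch; the burst of distinct labels is what distinguishes the enumeration.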