Browser Flaw Allows Website History Sniffing

Monday, December 06, 2010



Researchers at the University of California, San Diego have discovered a vulnerability that allows harvesting of the browser histories of Firefox and Internet Explorer users.

The flaw lets websites that contain some simple code see which websites visitors have been to, and enables detailed profiling of users' web habits.
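The article does not spell out the "simple code", so the following is an added illustration of a defensive check rather than anything from the article or the UCSD researchers. It assumes the well-known mechanism behind 2010-era history sniffing: a stylesheet that gives `:visited` links a distinct style, a large set of links to third-party sites of interest, and script that reads the rendered style back. The scanner below is a heuristic that flags a page only when all three ingredients appear together, since each one alone is routine on legitimate sites. The two sample pages and the `host_threshold` cut-off are constructed for the example.

```python
"""Heuristic scan for CSS :visited history-sniffing markup (added example)."""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (background knowledge, not stated in the article): the technique
# styled :visited links differently, planted many links to sites of interest,
# and read the computed style back from script. One regex per ingredient.
VISITED_RULE = re.compile(r":visited\b[^{]*\{[^}]*\}", re.I)
STYLE_READBACK = re.compile(r"\b(getComputedStyle|currentStyle)\b")
URL_LITERAL = re.compile(r"https?://[^\s'\"<>]+")


class _PageParts(HTMLParser):
    """Collect anchor hrefs and the raw text of <style> and <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.css, self.js = [], [], []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
        elif tag in ("style", "script"):
            self._current = tag

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._current = None

    def handle_data(self, data):
        if self._current == "style":
            self.css.append(data)
        elif self._current == "script":
            self.js.append(data)


def sniffing_indicators(html, page_host, host_threshold=10):
    """Return the individual indicators plus a combined verdict.

    host_threshold is an arbitrary cut-off chosen for this example; tune it
    against real pages before relying on the verdict.
    """
    parts = _PageParts()
    parts.feed(html)
    css = "\n".join(parts.css)
    js = "\n".join(parts.js)
    # Probe links may be static anchors or URL strings handed to script.
    candidates = parts.hrefs + URL_LITERAL.findall(js)
    hosts = {urlparse(u).hostname for u in candidates}
    foreign = {h for h in hosts if h and h != page_host}
    result = {
        "visited_rule": bool(VISITED_RULE.search(css)),
        "style_readback": bool(STYLE_READBACK.search(js)),
        "foreign_hosts": len(foreign),
    }
    # All three together is the sniffing pattern; any one alone is routine.
    result["suspicious"] = (
        result["visited_rule"]
        and result["style_readback"]
        and result["foreign_hosts"] >= host_threshold
    )
    return result


# Constructed sample: a page carrying all three ingredients.
_PROBES = ["https://site%02d.example/" % i for i in range(12)]
SUSPICIOUS_PAGE = (
    "<html><head><style>a:visited { color: #f00; }</style></head><body>"
    "<script>var probes = " + json.dumps(_PROBES) + ";"
    "probes.forEach(function (u) { record(u, getComputedStyle(linkFor(u)).color); });"
    "</script></body></html>"
)

# Constructed sample: a blog that styles visited links and uses
# getComputedStyle for layout, with only a couple of outbound links.
BENIGN_PAGE = (
    "<html><head><style>a:visited { color: purple; }</style></head><body>"
    "<p>See <a href='https://example.org/spec'>the spec</a> and "
    "<a href='https://docs.example.net/'>the docs</a>.</p>"
    "<script>var w = getComputedStyle(document.body).width;</script>"
    "</body></html>"
)

if __name__ == "__main__":
    print(sniffing_indicators(SUSPICIOUS_PAGE, "tracker.example"))
    print(sniffing_indicators(BENIGN_PAGE, "blog.example"))
```

The verdict is only a triage signal: a site can still sniff with links generated from a separate script file, and a legitimate page can trip all three indicators. The durable fix is the one the article alludes to for current Chrome and Safari, namely browsers that no longer expose visited-link styling to script, so this kind of scan belongs to auditing content you serve, not to protecting end users.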

The data collected could be used to refine targeted marketing techniques by advertisers and businesses, and it could also be used by criminal networks to perpetrate social engineering scams on unwitting surfers.

"Browser vendors should have fixed this a long time ago. It's more evidence that we not only needed the fix, but that people really should upgrade their browsers. Most people wouldn't know this is possible," said WhiteHat Security's Jeremiah Grossman.

The vulnerability also affects users of older versions of Chrome and Safari, but current versions offer protection from the exploit. Microsoft says the use of the private browsing option in Internet Explorer also offers protection.

The researchers identified at least 46 websites using the technique to gather visitor preferences and habits including two mainstream news sites, and, who blamed the presence of the code on their marketing strategy partner Interclick.

Interclick claims to have suspended the "experiment" in October, and stated that no user histories or profiles were retained.

The Federal Trade Commission has proposed a "do not track" tool to allow surfers to opt out of the surreptitious tracking of browsing habits by advertisers, but the tool would not actually protect users from this kind of history sniffing.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.