Researchers Show JavaScript Allows Web History Sniffing

• By Dian Schaffhauser
• 12/17/10

Researchers at the University of California, San Diego said they're planning to broaden their research after they provided evidence earlier this month that Web sites and the advertisers on them can easily retain a history of the other sites you've recently visited--without your permission. According to the computer scientists, the front pages of the top 50,000 Web sites as ranked by Alexa include 485 that inspect style properties that can be used to infer the browser's history. Out those 485 sites, 63 actually transfer the browser's history to the network, a practice known as "history sniffing." One in the list--a porn site--appears in Alexa's top 100 sites.

According to a paper published on the topic, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications," the Web sites use the ubiquitous and highly useful JavaScript code for their behind-the-scenes sniffing work. JavaScript commonly provides interactive activities on a Web page. However, as is widely documented, the language also presents security vulnerabilities.

The UC San Diego project examined whether anybody was actually using history sniffing--a practice first raised in the academic community a decade ago--to get at users' private browsing history. "We were able to show is that the answer is yes," said computer science professor and report co-author Hovav Shacham.

History sniffing can divulge private information such as what banks or competitive sites have been visited by the user. A cyber criminal could use detail about banks to know what type of banking page to serve up to a person in a phishing attack. Competitive site information could be used by advertising companies to build user profiles without their knowledge.

"JavaScript is a great thing. It allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities," said computer science professor and co-author Sorin Lerner. "We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."

The key to the research involves the color of links. The links for pages a user hasn't yet visited are blue; those that have been visited are purple. Dongseok Jang, a Ph.D. student in computer science, created a monitoring tool to check whether JavaScript existed within the page--including within any ads on the page--to inspect how the link is displayed. If the link is displayed as a visited link, the JavaScript then "knows" the target URL is in the user's history. It can then use a widget to "inspect the browser history systematically," the report states.

"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that," said Lerner. "Some sites collected that information but never sent it over the network, so there was all this 'paint' inside the browser. But in other cases, we observed 'paint' being sent over the network, indicating that history sniffing is going on."

"We detected when browser history is looked at, collected on the browser and sent on the network from the browser to their servers. What servers then do with that information is speculation," he noted.

The latest versions of browsers Firefox, Chrome, and Safari now block the history sniffing attacks the computer scientists looked for. However, Internet Explorer doesn't. In addition, the researchers said anyone using anything but the latest versions of the patched browsers is also vulnerable.

The "paint" tracking approach to monitoring JavaScript could be useful for more than just history sniffing, Lerner explained. "It could be useful for understanding what information is being leaked by applications on Web 2.0 sites. Many of these apps use a lot of JavaScript." That's what they plan to study next, in a broadening of their research.