Researchers Show JavaScript Allows Web History Sniffing

Researchers at the University of California, San Diego said they're planning to broaden their research after they provided evidence earlier this month that Web sites and the advertisers on them can easily retain a history of the other sites you've recently visited--without your permission. According to the computer scientists, the front pages of the top 50,000 Web sites as ranked by Alexa include 485 that inspect style properties that can be used to infer the browser's history. Out those 485 sites, 63 actually transfer the browser's history to the network, a practice known as "history sniffing." One in the list--a porn site--appears in Alexa's top 100 sites.

According to a paper published on the topic, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications," the Web sites use the ubiquitous and highly useful JavaScript code for their behind-the-scenes sniffing work. JavaScript commonly provides interactive activities on a Web page. However, as is widely documented, the language also presents security vulnerabilities.

The UC San Diego project examined whether anybody was actually using history sniffing--a practice first raised in the academic community a decade ago--to get at users' private browsing history. "We were able to show is that the answer is yes," said computer science professor and report co-author Hovav Shacham.

History sniffing can divulge private information such as what banks or competitive sites have been visited by the user. A cyber criminal could use detail about banks to know what type of banking page to serve up to a person in a phishing attack. Competitive site information could be used by advertising companies to build user profiles without their knowledge.

"JavaScript is a great thing. It allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities," said computer science professor and co-author Sorin Lerner. "We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."

The key to the research involves the color of links. The links for pages a user hasn't yet visited are blue; those that have been visited are purple. Dongseok Jang, a Ph.D. student in computer science, created a monitoring tool to check whether JavaScript existed within the page--including within any ads on the page--to inspect how the link is displayed. If the link is displayed as a visited link, the JavaScript then "knows" the target URL is in the user's history. It can then use a widget to "inspect the browser history systematically," the report states.

"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that," said Lerner. "Some sites collected that information but never sent it over the network, so there was all this 'paint' inside the browser. But in other cases, we observed 'paint' being sent over the network, indicating that history sniffing is going on."

"We detected when browser history is looked at, collected on the browser and sent on the network from the browser to their servers. What servers then do with that information is speculation," he noted.

The latest versions of browsers Firefox, Chrome, and Safari now block the history sniffing attacks the computer scientists looked for. However, Internet Explorer doesn't. In addition, the researchers said anyone using anything but the latest versions of the patched browsers is also vulnerable.

The "paint" tracking approach to monitoring JavaScript could be useful for more than just history sniffing, Lerner explained. "It could be useful for understanding what information is being leaked by applications on Web 2.0 sites. Many of these apps use a lot of JavaScript." That's what they plan to study next, in a broadening of their research.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • abstract illustration of a glowing AI-themed bar graph on a dark digital background with circuit patterns

    Stanford 2025 AI Index Reveals Surge in Adoption, Investment, and Global Impact as Trust and Regulation Lag Behind

    Stanford University's Institute for Human-Centered Artificial Intelligence (HAI) has released its AI Index Report 2025, measuring AI's diverse impacts over the past year.

  • modern college building with circuit and brain motifs

    Anthropic Launches Claude for Education

    Anthropic has announced a version of its Claude AI assistant tailored for higher education institutions. Claude for Education "gives academic institutions secure, reliable AI access for their entire community," the company said, to enable colleges and universities to develop and implement AI-enabled approaches across teaching, learning, and administration.

  • lightbulb

    Call for Speakers Now Open for Tech Tactics in Education: Overcoming Roadblocks to Innovation

    The annual virtual conference from the producers of Campus Technology and THE Journal will return on September 25, 2025, with a focus on emerging trends in cybersecurity, data privacy, AI implementation, IT leadership, building resilience, and more.

  • From Fire TV to Signage Stick: University of Utah's Digital Signage Evolution

    Jake Sorensen, who oversees sponsorship and advertising and Student Media in Auxiliary Business Development at the University of Utah, has navigated the digital signage landscape for nearly 15 years. He was managing hundreds of devices on campus that were incompatible with digital signage requirements and needed a solution that was reliable and lowered labor costs. The Amazon Signage Stick, specifically engineered for digital signage applications, gave him the stability and design functionality the University of Utah needed, along with the assurance of long-term support.