Researchers Show JavaScript Allows Web History Sniffing

Researchers at the University of California, San Diego said they're planning to broaden their research after they provided evidence earlier this month that Web sites and the advertisers on them can easily retain a history of the other sites you've recently visited--without your permission. According to the computer scientists, the front pages of the top 50,000 Web sites as ranked by Alexa include 485 that inspect style properties that can be used to infer the browser's history. Out those 485 sites, 63 actually transfer the browser's history to the network, a practice known as "history sniffing." One in the list--a porn site--appears in Alexa's top 100 sites.

According to a paper published on the topic, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications," the Web sites use the ubiquitous and highly useful JavaScript code for their behind-the-scenes sniffing work. JavaScript commonly provides interactive activities on a Web page. However, as is widely documented, the language also presents security vulnerabilities.

The UC San Diego project examined whether anybody was actually using history sniffing--a practice first raised in the academic community a decade ago--to get at users' private browsing history. "We were able to show is that the answer is yes," said computer science professor and report co-author Hovav Shacham.

History sniffing can divulge private information such as what banks or competitive sites have been visited by the user. A cyber criminal could use detail about banks to know what type of banking page to serve up to a person in a phishing attack. Competitive site information could be used by advertising companies to build user profiles without their knowledge.

"JavaScript is a great thing. It allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities," said computer science professor and co-author Sorin Lerner. "We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."

The key to the research involves the color of links. The links for pages a user hasn't yet visited are blue; those that have been visited are purple. Dongseok Jang, a Ph.D. student in computer science, created a monitoring tool to check whether JavaScript existed within the page--including within any ads on the page--to inspect how the link is displayed. If the link is displayed as a visited link, the JavaScript then "knows" the target URL is in the user's history. It can then use a widget to "inspect the browser history systematically," the report states.

"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that," said Lerner. "Some sites collected that information but never sent it over the network, so there was all this 'paint' inside the browser. But in other cases, we observed 'paint' being sent over the network, indicating that history sniffing is going on."

"We detected when browser history is looked at, collected on the browser and sent on the network from the browser to their servers. What servers then do with that information is speculation," he noted.

The latest versions of browsers Firefox, Chrome, and Safari now block the history sniffing attacks the computer scientists looked for. However, Internet Explorer doesn't. In addition, the researchers said anyone using anything but the latest versions of the patched browsers is also vulnerable.

The "paint" tracking approach to monitoring JavaScript could be useful for more than just history sniffing, Lerner explained. "It could be useful for understanding what information is being leaked by applications on Web 2.0 sites. Many of these apps use a lot of JavaScript." That's what they plan to study next, in a broadening of their research.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • stylized figures, resumes, a graduation cap, and a laptop interconnected with geometric shapes

    OpenAI to Launch AI-Powered Jobs Platform

    OpenAI announced it will launch an AI-powered hiring platform by mid-2026, directly competing with LinkedIn and Indeed in the professional networking and recruitment space. The company announced the initiative alongside an expanded certification program designed to verify AI skills for job seekers.

  • magnifying glass with AI icon in the center

    Google Intros Learning-Themed AI Mode Features for Search

    Google has announced new AI Mode features in Search, including image and PDF queries on desktop, a Canvas tool for planning, real-time help with Search Live, and Lens integration in Chrome. Features are launching in the U.S. ahead of the school year.

  • Analyst or Scientist uses a computer and dashboard for analysis of information on complex data sets on computer.

    Anthropic Study Tracks AI Adoption Across Countries, Industries

    Adoption of AI tools is growing quickly but remains uneven across countries and industries, with higher-income economies using them far more per person and companies favoring automated deployments over collaborative ones, according to a recent study released by Anthropic.

  • abstract pattern of cybersecurity, ai and cloud imagery

    OpenAI Report Identifies Malicious Use of AI in Cloud-Based Cyber Threats

    A report from OpenAI identifies the misuse of artificial intelligence in cybercrime, social engineering, and influence operations, particularly those targeting or operating through cloud infrastructure. In "Disrupting Malicious Uses of AI: June 2025," the company outlines how threat actors are weaponizing large language models for malicious ends — and how OpenAI is pushing back.