Data Security | News
By Dian Schaffhauser
Researchers at the University of California, San Diego said they're planning to broaden their research after they provided evidence earlier this month that Web sites and the advertisers on them can easily retain a history of the other sites you've recently visited--without your permission. According to the computer scientists, the front pages of the top 50,000 Web sites as ranked by Alexa include 485 that inspect style properties that can be used to infer the browser's history. Out of those 485 sites, 63 actually transfer the browser's history to the network, a practice known as "history sniffing." One in the list--a porn site--appears in Alexa's top 100 sites.
The UC San Diego project examined whether anybody was actually using history sniffing--a practice first raised in the academic community a decade ago--to get at users' private browsing history. "What we were able to show is that the answer is yes," said computer science professor and report co-author Hovav Shacham.
History sniffing can divulge private information such as which banks or competitive sites the user has visited. A cyber criminal could use details about banks to know what type of banking page to serve up to a person in a phishing attack. Competitive site information could be used by advertising companies to build profiles of users without the users' knowledge.
"We detected when browser history is looked at, collected on the browser and sent on the network from the browser to their servers. What servers then do with that information is speculation," he noted.
The latest versions of the Firefox, Chrome, and Safari browsers now block the history sniffing attacks the computer scientists looked for. However, Internet Explorer doesn't. In addition, the researchers said anyone using anything but the latest versions of the patched browsers is also vulnerable.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at firstname.lastname@example.org or on Twitter @schaffhauser.