They’re ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox

Aurich Lawson / Metro-Goldwyn-Mayer

Chrome, Internet Explorer, and Firefox are vulnerable to easy-to-execute techniques that allow unscrupulous websites to construct detailed histories of sites visitors have previously viewed, an attack that revives a long-standing privacy threat many people thought was fixed.

Until a few years ago, history-sniffing attacks were accepted as an unavoidable consequence of Web surfing, no matter what browser someone used. By abusing a combination of features in JavaScript and cascading style sheets, websites could probe a visitor's browser to check if it had visited one or more sites. In 2010, researchers at the University of California at San Diego caught and 45 other sites using the technique to determine if visitors viewed other pornographic sites. Two years later, a widely used advertising network settled federal charges that it illegally exploited the weakness to infer if visitors were pregnant.

Until about four years ago, there was little users could do other than delete browsing histories from their computers or use features such as incognito or in-private browsing available in Google Chrome and Microsoft Internet Explorer respectively. The privacy intrusion was believed to be gradually foreclosed thanks to changes made in each browser. To solve the problem, browser developers restricted the styles that could be applied to visited links and tightened the ways JavaScript could interact with them. That allowed visited links to show up in purple and unvisited links to appear in blue without that information being detectable to websites.

Read 6 remaining paragraphs | Comments