 Freie Software |
 p2p |
 Politik |
 Physik |
 Projekte |
 zurück |
 Rollenspiele |
 Geschichten |
 Gedichte |
 Lieder |
 Magie |
   
|
||||||||||
Your browser history can be sniffed with just 64 lines of Python (tested with Firefox 3.5.3)
- Start Panic! - a site dedicated to spreading the news about the vulnerability.
- What the internet knows about you - easily sniff yourself.
- Cute kitten - look at cute kittens. Does this look suspicious? :)
After the example of making-the-web, I was quite intrigued by the ease of sniffing the history via simple CSS tricks.
So I decided to test, how small I get a Python program which can sniff the history via CSS - without requiring any scripting ability on the browser-side.
I first produced fully commented code (see server.py) and then stripped it down to just 64 lines (server-stripped.py), to make it really crystal clear, that making your browser vulnerable to this exploit is a damn bad idea. I hope this will help get Firefox fixed quickly.
If you see http://blubber.blau as found, you're safe. If you don't see any links as found, you're likely to be safe. In any other case, everyone in the web can grab your history - if given enough time (a few minutes). This doesn't use Javasrcipt.
It currently only checks for some selected websites and doesn't keep any logs in files (all info is in memory and wiped on every restart), since I don't really want to create a full fledged history ripper but rather show how easy it would be to create one.
Konqueror seems to be immune: It also (pre-)loads the "visited"-images from not visited links, so every page is seen as visited - which is the only way to avoid spreading my history around on the web!
So please don't let your browser load anything depending on the :visited state of a link tag! It shouldn't load anything based on internal information, because that always publicizes private information - and you don't know who will read it!
In short: Don't keep repeating Ennesbys Mistake:
Mistake:
Effects:
(comic strips not hosted here and not free licensed → copyright: Howard V. Tayler)
And to the Firefox developers: Please remove the optimization of only loading required css data based on the visited info! I already said so in a bug report, and since the bug isn't fixed, this is my way to put a bit of weight behind it. Please stop putting your users privacy at risk.
Usage:
- python server.py
start the server at port 8000. You can now point your browser to http://127.0.0.1:8000 to get sniffed :)
To get more info, just use ./server.py --help.
