History sniffing

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Sohom Datta (talk | contribs) at 00:59, 16 November 2023. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

History sniffing is a class of web vulnerabilities and attacks that allow a website to track a user's web browsing history by recording which websites the user has visited and which the user has not.[1][2][3][4]

Background

Early browsers such as Mosaic and Netscape Navigator were built on the model of the web being a set of statically linked documents known as pages. In this model, it made sense for the user to know which documents they had previously visited and which they had not, regardless of which document was referring to them.[5] Mosaic, one of the earliest graphical web browsers, used purple links to show that a page had been visited and blue links to show pages that had not been visited.[6][7] This paradigm stuck around and was subsequently adopted by all modern web browsers.[8]

Over the years, the web evolved from its original model of static content towards favouring more dynamic content. In 1995, employees at Netscape added a scripting language, JavaScript, to its flagship web browser, Netscape Navigator. This addition allowed users to add interactivity to a web page by executing JavaScript programs as part of the rendering process.[9][10] However, this addition came with a new security problem: these JavaScript programs were able to access each other's execution context and gain access to sensitive information about the user. As a result, shortly afterwards, Netscape Navigator introduced the same-origin policy, a security measure that prevented JavaScript from arbitrarily accessing data in a different web page's execution context.[11] However, while the same-origin policy was subsequently extended to cover a large variety of features introduced prior to its existence, it was never extended to cover hyperlinks, since doing so was perceived to have a negative effect on the user's ability to browse the web.[8] This innocuous omission would manifest as one of the earliest and best-known forms of history sniffing on the web.[12]

History

One of the first publicly disclosed reports of a history sniffing exploit was made by Andrew Clover from Purdue University in a mailing list post on BUGTRAQ in 2002. The post detailed how, by using JavaScript, a malicious website could determine whether a given link was of a specific color, thus revealing whether the link had been previously visited.[13] While this was initially thought to be a theoretical exploit with little real-world value, later research by Jang et al. in 2010 revealed that many high-profile websites were using this technique in the wild to reveal user browsing data.[14] As a result of the publication of this research, multiple lawsuits were filed against the websites that were found to have used history sniffing, alleging a violation of the Computer Fraud and Abuse Act of 1986.[12]
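The link-color check described above leaves a recognisable shape in script source, which is useful when auditing third-party or advertising scripts. The following is an added example, not code from this article or its cited sources: a heuristic audit in JavaScript that flags scripts combining anchor creation, candidate-URL assignment and a computed color read. The signal list, the function name `auditScript` and both sample scripts are constructed assumptions for illustration.

```javascript
// Added example: heuristic audit for the link-color history-sniffing pattern.
// The signals are illustrative assumptions, not a complete detector.
const SIGNALS = [
  { id: 'anchor-created', re: /createElement\(\s*['"]a['"]\s*\)|<a\s+href/i },
  { id: 'href-from-variable', re: /\.href\s*=\s*[A-Za-z_$]/ },
  { id: 'computed-style-read', re: /getComputedStyle\s*\(|\.currentStyle\b/ },
  { id: 'color-read', re: /\.color\b|getPropertyValue\(\s*['"]color['"]\s*\)/ },
  { id: 'loop-over-candidates', re: /\bfor\s*\(|\.forEach\s*\(|\.map\s*\(/ },
];

function auditScript(source) {
  // Drop comments so commented-out code raises no signal; the [^:] guard
  // keeps the "//" of URL schemes inside string literals intact.
  const code = source.replace(/\/\*[\s\S]*?\*\/|(^|[^:])\/\/[^\n]*/gm, '$1');
  const hits = SIGNALS.filter((s) => s.re.test(code)).map((s) => s.id);
  const has = (id) => hits.includes(id);
  // Suspicious only when a script builds links itself, reads their computed
  // color, and does so from variable input or inside a loop.
  const suspicious = has('anchor-created') && has('computed-style-read') &&
    has('color-read') &&
    (has('href-from-variable') || has('loop-over-candidates'));
  return { hits, suspicious };
}

// Constructed sample: the shape of a script that tests candidate links.
const SAMPLE_SNIFFER = `
var candidates = ["https://a.example/", "https://b.example/"];
for (var i = 0; i < candidates.length; i++) {
  var link = document.createElement('a');
  link.href = candidates[i];
  document.body.appendChild(link);
  var seen = getComputedStyle(link).color === visitedColor;
  report(candidates[i], seen);
}`;

// Constructed sample: benign theming code that also reads a computed color.
const SAMPLE_BENIGN = `
var fg = getComputedStyle(document.body).color;
document.querySelectorAll('a').forEach(function (el) { el.style.color = fg; });`;

for (const [name, src] of [['sniffer', SAMPLE_SNIFFER], ['benign', SAMPLE_BENIGN]]) {
  console.log(name, auditScript(src));
}
```

A flagged script is a candidate for manual review rather than proof of abuse, since the signals are matched on source text and not on data flow.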

In 2011, research by then Stanford graduate student Jonathan Mayer found that an advertising company, Epic Marketplace Inc., had used history sniffing to collect information about the browsing history of users across the web.[15][16] As part of a subsequent investigation by the Federal Trade Commission, it was revealed that Epic Marketplace had used history sniffing code as part of advertisements on over 24000 web domains, including those of ESPN and Papa Johns. The JavaScript code allowed Epic Marketplace Inc. to track whether a user had visited any of over 54000 domains.[17][18] The resulting data was subsequently used by Epic Marketplace to categorize users into specific groups and serve advertisements based on the websites the user had visited. As a result of this investigation, the Federal Trade Commission banned Epic Marketplace Inc. from conducting any form of online advertising or marketing for over twenty years. In addition, Epic Marketplace Inc. was ordered to permanently delete and destroy the user browsing data it had collected over the years.[19][20]

Threat model

The threat model of history sniffing relies on the adversary being able to direct the victim to a malicious website entirely or partially under the adversary's control. The adversary can accomplish this by compromising a previously good web page, by phishing the user to a web page which allows the user to load arbitrary code, or by the use of a malicious advertisement on an otherwise safe web page.[12][21]

References

  1. Haskins, Caroline (2018-11-02). "Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History". Vice. Retrieved 2023-10-30.
  2. Sanchez-Rola, Iskander; Balzarotti, Davide; Santos, Igor (2020-12-22). "Cookies from the Past: Timing Server-side Request Processing Code for History Sniffing". Digital Threats: Research and Practice. 1 (4): 24:1–24:24. doi:10.1145/3419473. S2CID 229716038.
  3. Kikuchi, Hiroaki; Sasa, Kota; Shimizu, Yuta (2016). "Interactive History Sniffing Attack with Amida Lottery". 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS). IEEE. pp. 599–602. doi:10.1109/IMIS.2016.109. ISBN 978-1-5090-0984-8. S2CID 32216851. Retrieved 2023-10-30.
  4. Ali, Mir Masood; Chitale, Binoy; Ghasemisharif, Mohammad; Kanich, Chris; Nikiforakis, Nick; Polakis, Jason (2023). "Navigating Murky Waters: Automated Browser Feature Testing for Uncovering Tracking Vectors". Proceedings 2023 Network and Distributed System Security Symposium. Reston, VA: Internet Society. doi:10.14722/ndss.2023.24072. ISBN 978-1-891562-83-9. S2CID 257502501.
  5. "WorldWideWeb: Proposal for a HyperText Project". www.w3.org. Retrieved 2023-11-15.
  6. "Why are hyperlinks blue? | The Mozilla Blog". blog.mozilla.org. Retrieved 2023-11-15.
  7. "EMail Msg". ksi.cpsc.ucalgary.ca. Retrieved 2023-11-15.
  8. Weinberg, Zachary; Chen, Eric Y.; Jayaraman, Pavithra Ramesh; Jackson, Collin (2011). "I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks". 2011 IEEE Symposium on Security and Privacy. IEEE. pp. 147–161. doi:10.1109/SP.2011.23. ISBN 978-1-4577-0147-4. S2CID 10662023. Retrieved 2023-10-30.
  9. "JavaScript 1.0 - 1995". www.webdesignmuseum.org. Retrieved 2020-01-19.
  10. "Welcome to Netscape Navigator Version 2.0". netscape.com. 1997-06-14. Archived from the original on 1997-06-14. Retrieved 2020-02-16.
  11. "Netscape 3.0 Handbook - Advanced topics". netscape.com. Archived from the original on 2002-08-08. Retrieved 2020-02-16. Navigator version 2.02 and later automatically prevents scripts on one server from accessing properties of documents on a different server.
  12. Van Goethem, Tom; Joosen, Wouter; Nikiforakis, Nick (2015-10-12). "The Clock is Still Ticking: Timing Attacks in the Modern Web". Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. CCS '15. New York, NY, USA: Association for Computing Machinery: 1382–1393. doi:10.1145/2810103.2813632. ISBN 978-1-4503-3832-5.
  13. "Bugtraq: CSS visited pages disclosure". seclists.org. Retrieved 2023-11-16.
  14. Jang, Dongseok; Jhala, Ranjit; Lerner, Sorin; Shacham, Hovav (2010-10-04). "An empirical study of privacy-violating information flows in JavaScript web applications". Proceedings of the 17th ACM conference on Computer and communications security. CCS '10. New York, NY, USA: Association for Computing Machinery: 270–283. doi:10.1145/1866307.1866339. ISBN 978-1-4503-0245-6.
  15. "Tracking the Trackers: To Catch a History Thief". cyberlaw.stanford.edu. Retrieved 2023-11-16.
  16. Goodin, Dan. "Marketer taps browser flaw to see if you're pregnant". www.theregister.com. Retrieved 2023-11-16.
  17. "FTC Final Order Prohibits Epic Marketplace From "History Sniffing"". JD Supra. Retrieved 2023-11-16.
  18. "FTC Settlement Puts an End to "History Sniffing" by Online Advertising Network Charged With Deceptively Gathering Data on Consumers". Federal Trade Commission. 2012-12-05. Retrieved 2023-11-16.
  19. Gross, Grant (2012-12-05). "US FTC bars advertising firm from sniffing browser histories". Computerworld. Retrieved 2023-11-16.
  20. "FTC Settlement Puts an End to "History Sniffing" by Online Advertising Network Charged With Deceptively Gathering Data on Consumers". Federal Trade Commission. 2012-12-05. Retrieved 2023-11-16.
  21. Sanchez-Rola, Iskander; Balzarotti, Davide; Santos, Igor (2020-12-22). "Cookies from the Past: Timing Server-side Request Processing Code for History Sniffing". Digital Threats: Research and Practice. 1 (4): 24:1–24:24. doi:10.1145/3419473.