Programming Social Applications by Jonathan LeBlanc

Mining a User’s Browser History

Browsers natively track the URLs that a user visits. They use this information to autocomplete links in the URL bar and to alter the color of clicked links. Malicious developers can take advantage of this native tracking functionality to help figure out which sites a user has visited, allowing them to launch more targeted phishing attacks against that user.

In addition to the standard color of links within a web page, many sites implement link styles to change a link’s appearance when the user has visited it:

<style type="text/css">
   a:visited{ color:#c0c0c0; }
   a:link{ color:#000; }
</style>

In this scenario, attackers can check the link’s color to mine the browser history of the current user visiting the site. For instance, assume we have a few links defined on our site that link to other sources:

<a href="http://www.yahoo.com" id="link1">Yahoo!</a><br />
<a href="http://www.facebook.com" id="link2">Facebook</a>

Using the standard getComputedStyle JavaScript function, a developer can capture the color styling of those links to determine the user’s visited status:

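<script type="text/javascript">
   // Resolve the style the browser actually applied to the first link
   var compStyle = getComputedStyle(document.getElementById("link1"), "");
   // The color reveals which of the a:visited / a:link rules matched
   var color = compStyle.getPropertyValue("color");
</script>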

Using these simple techniques as a base, malicious ...
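From the reviewer's side, the pattern above can be spotted statically in markup before a page or third-party widget is published. The following is an added example, not code from the book: it flags scripts that read, through getComputedStyle, a property that a :visited rule sets. The function names are hypothetical and the regular expressions are heuristics rather than a full HTML, CSS or JavaScript parser.

```javascript
// Heuristic static check (added example; names are hypothetical, regexes are not a parser).
// Collect the CSS properties set by any :visited rule in the page's <style> blocks.
function visitedProperties(html) {
  const props = new Set();
  for (const [, css] of html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)) {
    for (const [, selector, body] of css.matchAll(/([^{}]+)\{([^}]*)\}/g)) {
      if (!/:visited\b/i.test(selector)) continue;
      for (const decl of body.split(";")) {
        const name = decl.split(":")[0].trim().toLowerCase();
        if (name) props.add(name);
      }
    }
  }
  return props;
}

// Flag scripts that read, via getComputedStyle, a property a :visited rule sets.
function findVisitedStyleProbes(html) {
  const props = visitedProperties(html);
  const findings = [];
  let index = 0;
  for (const [, js] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    index += 1;
    if (!/\bgetComputedStyle\s*\(/.test(js)) continue;
    for (const [, prop] of js.matchAll(/getPropertyValue\(\s*["']([^"']+)["']\s*\)/g)) {
      const name = prop.toLowerCase();
      if (props.has(name)) findings.push({ script: index, property: name });
    }
  }
  return findings;
}

// Constructed sample: the page's own snippets assembled into one document.
const samplePage = `
<style type="text/css">
   a:visited{ color:#c0c0c0; }
   a:link{ color:#000; }
</style>
<a href="http://www.yahoo.com" id="link1">Yahoo!</a>
<script type="text/javascript">
   var compStyle = getComputedStyle(document.getElementById("link1"), "");
   var color = compStyle.getPropertyValue("color");
</script>`;
// Constructed benign sample: a computed-style read unrelated to :visited styling.
const benignPage = `
<style>a:visited{ color:#c0c0c0; }</style>
<script>var w = getComputedStyle(document.body).getPropertyValue("width");</script>`;

console.log(findVisitedStyleProbes(samplePage), findVisitedStyleProbes(benignPage));
```

A finding is a prompt for manual review, not proof of intent: the check does not follow property reads such as `compStyle.color` or code loaded from external script files.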
