
JavaScript error allows sites access to your browsing history

By Stephanie Dearing     Dec 7, 2010 in Internet
San Diego - The capability to violate privacy laws and gather information from people browsing the internet is more commonplace than people might suspect, thanks to a JavaScript error.
We've been warned to delete our browsing history from our browser cache on a regular basis. Now web surfers are being advised to use the latest versions of Firefox, Chrome or Safari, because these browsers block history sniffing attacks, say the researchers who uncovered how some websites can grab private data without the permission of the site visitor. Internet Explorer is not recommended, nor are other browsers, because they do not block history sniffing.
Thanks to an unintentional error in JavaScript that colour-codes sites a surfer has visited differently from those sites not visited, people can capture your browsing information without your permission. The intrusion has been called history sniffing. Hovav Shacham, a computer science professor at the University of California, San Diego, said in a press release, "Nobody knew if anyone on the Internet was using history sniffing to get at users' private browsing history. What we were able to show is that the answer is yes."
History sniffing had been considered theoretically possible, but until this study was undertaken, there was no proof that the theory had been put to use. "The researchers documented JavaScript code secretly collecting browsing histories of Web users through 'history sniffing' and sending that information across the network ... the new work provides the first empirical analysis of history sniffing on the real Web," said the press release.
The information is used by some website owners and advertisers to build user profiles, collect information for phishing or to learn what sites a surfer has visited. University of California's Sorin Lerner, who collaborated on the research, said "JavaScript is a great thing, it allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities. We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."
Using software designed by a University of California student, Dongseok Jang, the researchers analysed the top 50,000 websites and found 485 sites "... inspect style properties that can be used to infer the browser's history." 63 of those sites "transferred the browser's history to the network," and ultimately, "We confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100," said the researchers in their CCS 2010 paper, presented in October and now freely available online, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.
However, when it comes to evaluating the threat level history sniffing presents to surfers, the researchers said consumers should be more concerned about malware. Said Shacham, "I think people who have updated or switched browsers should now worry about things other than history sniffing, like keeping their Flash plug-in up to date so they don't get exploited. But that doesn't mean that the companies that have engaged in history sniffing for the currently 60 percent of the user population that is vulnerable to it should get a free pass."