CSS History Leak and how to prevent it even with enabled history [Firefox & Opera]



shoulder
03.07.09, 14:40
What is it?

Perhaps you've already heard or know about it.

As you can see, your browser differentiates between unvisited and already visited links. By default, different colors are used, traditionally blue and purple, respectively. This makes it possible for a "hit and miss" principle attack to "read" your history, even without JavaScript.

How does it work?

In principle, it's very simple.

A hidden iFrame loads a lot of hidden links. There will be a Cascading Style Sheet provided to the browser to "poll" if one of those links has already been visited.

A CSS is supplied, which forces the browser to check if any of these links is flagged as visited - and if so, to load a background image, which is different for each link.

This is on the same server from which the attack is being executed, or any other one the attacker has access to, and it's not a real image file, but a script that's stored and processed.

Example:
www.a.de (www.myserver.de/a.jpg)
www.b.de (www.myserver.de/b.jpg)
www.c.de (www.myserver.de/c.jpg)

If a link is visited, each respective background (shown above between parentheses) is loaded, and the script registers a hit.

This means that if the script logs a request for a.jpg and c.jpg, it means the user has visited www.a.de and www.c.de, but not www.b.de.

As you can see and I said before, it's based on a "hit and miss" principle, meaning it can't read the history directly, but only ask for specific links.

What's the danger?

Trackers could use this system to catch SB-I, SM, etc. users, which will certainly end up with a ban.

Can we prevent it?

Firefox

Yes. I'll show you how to do it in Firefox.

Inside your Firefox profile's directory, there's a folder called chrome, which contains a file called userContent.css. If it doesn't, create it. (Pay attention to the extension, it's not userContent.css.txt but userContent.css).

It'll have the following line:

a:visited { background-image: none !important; }

This line globally disables background loading for visited links. The user-defined !important parameter overrides any Web site-defined CSS.

Does it work?

Yes, I have tested it.

The page below scans your history, and hits are visible on the left side. Even if just one appears, this means you're vulnerable to the attack.

Stealing your history... (http://www.making-the-web.com/misc/sites-you-visit/nojs/)


Opera (http://www.sb-innovation.de/138961-post67.html)



Big Thx to anon for translation. :top:


German (http://www.sb-innovation.de/showthread.php?threadid=13724#post110942)

noobglitch
04.07.09, 02:18
Any idea on how to prevent this? (java) Aside from using noscript.

http://www.making-the-web.com/misc/sites-you-visit/

anon
04.07.09, 17:40
I think using NoScript is the only way - and avoiding things like this is what NS was designed for.

noobglitch
05.07.09, 08:39
EDIT: The javascript leak works on opera

The css leak crashes opera

alpacino
05.07.09, 09:26
The javascript leak doesn't work on opera
The css leak crashes opera

If only opera had an adblock, I will use it as my default browser.

Sorry, I don't understand, are you saying Opera is 100% safe against CSS history leak?
edit: ok understood.

naughtydog
05.07.09, 09:35
Oh my God I'm scared now, can you create the userContent.css folder and put it here so I can just download it pls? I don't know how to make a .css folder

noobglitch
05.07.09, 09:39
Sorry, I don't understand, are you saying Opera is 100% safe against CSS history leak?

My opera stops responding while scanning (css leak). I have to force close it.

I got p3 500mhz, 256mb ram. Maybe you should try it on your rig.

In firefox, no crashes in javascript & css leak. And it scanned all my history! :shockkk!:

EDIT: OMFG even in opera the javascript leak works!

naughtydog
05.07.09, 09:43
In firefox, no crashes in javascript & css leak. And it scanned all my history!

I also tried and believe you me all my history is on there :rolling_eyes: need help with this as quick as I can.

noobglitch
05.07.09, 10:01
I uploaded it for you :P 48 bytes
userContent.css (http://www.sendspace.com/file/q9rst7)

Path:
C:\Documents and Settings\XXXX\Application Data\Mozilla\Firefox\Profiles\XXX.default\chrome

naughtydog
05.07.09, 10:09
Thanks noobglitch, i was putting in program files, mozilla, chrome.... i guess that was it. works fine now

anon
05.07.09, 18:47
The css leak crashes opera

Because of your low system resources. It needs a lot of power - I have an Athlon XP 3000+ and it greatly slows down the browser until I close it.

Also, in Opera, you can use BlockIt to avoid the JS leak.

sbrocks
06.07.09, 06:55
Also, in Opera, you can use BlockIt to avoid the JS leak.

/offtopic

is there a sprits like adblocker in ff for opera to use?


/offtopic

anon
06.07.09, 17:41
Opera has a built-in "content blocker". Download fanboy's Opera ad list and you should be fine.

Haggar
07.07.09, 03:42
Hi, tried both versions of that page script to detect my firefox history, but nothing was found, i never clean my browser's history, must be because i'm behind a router. So if that page can't detect my history maybe trackers can't either.

alpacino
07.07.09, 03:51
Hi, tried both versions of that page script to detect my firefox history, but nothing was found, i never clean my browser's history, must be because i'm behind a router. So if that page can't detect my history maybe trackers can't either.

As I've been told before, this attack doesn't guess your history, it works on a hit and miss basis to see if you visited some places. So to be safe, you can resort to using a different browser for sb-i and trackers or cleaning up private data before logging in to trackers. Or if you use firefox, you could try the css fix by shoulder :top:

Nobody
07.07.09, 03:54
Hi, tried both versions of that page script to detect my firefox history, but nothing was found, i never clean my browser's history, must be because i'm behind a router. So if that page can't detect my history maybe trackers can't either.

Unless you've got some fancy scripts installed to your router to filter webpages on the fly, that really shouldn't have anything to do with it.

Haggar
07.07.09, 09:46
Ok so the router has nothing to do with that, well just in case i always use opera for trackers and firefox for the rest.

anon
07.07.09, 17:57
Yes, the router shouldn't have anything to do with it. The JS leak requires JavaScript, so if you have NoScript installed, it may have blocked it, but the "no JS" one doesn't. History disabled or you didn't visit any site listed on the hidden links, perhaps?

shoulder
07.07.09, 18:26
I don't think so as the list includes sites as Google and Wikipedia, I'm pretty sure everyone has at least visited one of them once.

anon
07.07.09, 19:18
And YouTube, and Facebook... stupid me :redface:

At least SB-I isn't in the list :smile:

net1
15.07.09, 06:39
Is this safe, If I open SBI with firefox and open tracker with Opera?

atlantis
15.07.09, 09:07
Now, I must enter this php code to C:\Documents and Settings\XXXX\Application Data\Mozilla\Firefox\Profiles\XXX.default\chrome or not?
And I have NoScript addon and I should to forbid sb-i from the addon right or must be globally ?

Later Edit: After adding this php code can I use history safely ?

cooper
15.07.09, 12:11
Now, can I must enter this php code to C:\Documents and Settings\XXXX\Application Data\Mozilla\Firefox\Profiles\XXX.default\chrome or not?
And I have NoScript addon and I should to forbid sb-i from the addon right or must be globally ?

well as far as i understood the scripts on the tracker pages are the problem , right ?
i myself use noscript too, but for some trackers you need it enabled in order to use the menu or to click some buttons...

edit:
oh and thanks OP for the tutorial, will surely implement it. i'm already pretty careful and am using different profiles in FF for almost everything

alpacino
15.07.09, 13:48
Is this safe, If I open SBI with firefox and open tracker with Opera?

Yes, if you are careful and never mix them, you should be safe.

anon
15.07.09, 17:55
Now, I must enter this php code to C:\Documents and Settings\XXXX\Application Data\Mozilla\Firefox\Profiles\XXX.default\chrome or not?
And I have NoScript addon and I should to forbid sb-i from the addon right or must be globally ?

Later Edit: After adding this php code can I use history safely ?

Reread the tutorial. You need to type the code inside userContent.css.

NoScript is to avoid the other "flavor" of leak, the JS one. Just install it and it should automatically ensure harmful scripts aren't run.

You can leave History enabled after applying this tweak.

atlantis
15.07.09, 18:08
Reread the tutorial. You need to type the code inside userContent.css.

NoScript is to avoid the other "flavor" of leak, the JS one. Just install it and it should automatically ensure harmful scripts aren't run.

You can leave History enabled after applying this tweak.

Yes I typed this code inside userContent.css and for some trackers I must enable java on noscript because it's impossible to browse. And with userContent.css and noscript can I use the same browser on sb-i and x264 now with forbidding on noscript for x264 ?

anon
15.07.09, 18:28
And with userContent.css and noscript can I use the same browser on sb-i and x264 now with forbidding on noscript for x264 ?

Yes, considering you're no longer vulnerable to the NoJS leak, and NoScript is blocking any malicious script from x264, you should be safe.

alpacino
15.07.09, 18:47
I have a question: where exactly should the userContent.css be created? Because I have two subfolders called "chrome"

C:\Arquivos de Programas\Mozilla Firefox\defaults\profile\chrome
and
C:\Documents and Settings\myname\Dados de aplicativos\Mozilla\Firefox\Profiles\s6efij3m.default\chrome
Both have two files userContent-example.css and userChrome-example.css

anon
15.07.09, 18:48
Because I have two subfolders called "chrome"

The second one :top:

atlantis
15.07.09, 19:01
I put this command on both of them. And in the second one have some things like that ( /* Begin - Smart Bookmarks Bar CSS Imports */
@import url("chrome://smartbookmarksbar/skin/global/base.css") ).This can be a problem ?

anon
15.07.09, 19:02
Looks like something related to the Bookmarks bar. Shouldn't be a problem.

If in doubt, apply shoulder's tweak, visit Google, Wikipedia, etc., and see if the "Stealing your history" link can see you've visited those.

atlantis
15.07.09, 19:16
Sorry but can you explain more.

anon
15.07.09, 19:17
You probably have the "Smart Bookmarks Bar" Firefox addon installed, which needs those entries to work.

atlantis
15.07.09, 19:23
You probably have the "Smart Bookmarks Bar" Firefox addon installed, which needs those entries to work.

That's correct.

divlord
16.07.09, 21:11
Working fine.
Is this all I need to do to be safe from history leak problem?

anon
16.07.09, 21:13
Is this all I need to do to be safe from history leak problem?

Yes, apply this tweak and use NoScript for Firefox or BlockIt for Opera to avoid the other, JS-based leak. You're then safe.

BaMbO
17.07.09, 17:14
U can use FF 3.5 private browsing for Sb-I and use normal browsing for trackers.
Browse trackers in one browser & SB-I in another browser
simple :smile:

anon
17.07.09, 17:16
U can use FF 3.5 private browsing for Sb-I and use normal browsing for trackers.

That should work, too. Same goes for different profiles or Iron's Incognito mode. :tongue:

BaMbO
17.07.09, 17:24
Can u give me a link to Iron :wink:

anon
17.07.09, 17:25
Search for t- never mind.

SRWare Iron - The Browser of the Future (http://www.srware.net/en/software_srware_iron.php)

Grambo
19.07.09, 19:31
would HistoryBlock ff addon handle this problem?
I've blocked SBI from showing in history.

anon
19.07.09, 19:56
By preventing SB-I from being added to your history, it should, too.


I forgot to say, you can always take both "Stealing your history" tests to be sure anyway.

alpacino
19.07.09, 21:46
you can always take both "Stealing your history" tests to be sure anyway.
Sorry to ask, one test is this one posted by Shoulder:
Stealing your history... (http://www.making-the-web.com/misc/sites-you-visit/)
This one doesn't use javascript right? Which one is the other?

anon
19.07.09, 21:48
Sniffing Browser History: A Live Example (http://making-the-web.com/misc/sites-you-visit/)

arnold
19.07.09, 23:32
Why wait until caught!!

How to use IE? With IE U Can delete all history files once u close it, so all what u have to do is to restart ur ie before

From the Internet Explorer menu bar select "Tools" and then click on "Internet Options".

From the Internet Options dialog box click on the tab at the top labeled "Advanced". Scroll all the way to the bottom of the list to the section labeled "Security". Place a check next to the item "Empty Temporary Internet Files folder when browser is closed" by clicking in the empty check box.

I know some people don't like to lose their history frequently so use it if it fits ur needs

anon
19.07.09, 23:33
"Empty Temporary Internet Files folder when browser is closed" by clicking in the empty check box.

Doesn't that just clear the cache?

You could set IE to remember the history for "0" days, though.

Dynamic
20.07.09, 01:48
There is an option in FF to also clear all history when you close it...The only thing I see that it will help is if you browse SB-I after you browse trackers because if you browse SB-I before trackers then they can still see you...

I use Private Browsing in FF for security, that should prevent trackers from seeing where I have visited.

Is there a way to have both Private and Normal mode up at the same time in FF?

I tried to open up normal with private still on and the new browser turned private...

anon
20.07.09, 01:52
Is there a way to have both Private and Normal mode up at the same time in FF?

You can't. But you can still keep a separate profile for SB-I, set to delete private data after closing, and another one for trackers, and using different profiles at the same time is possible. :smile:

Haggar
20.07.09, 09:59
Hi, I always keep history disabled on firefox, is that enough to keep me safe then? The only option i have ticked there is "remember what i've downloaded".

Zorvak
20.07.09, 11:43
Hi, I always keep history disabled on firefox, is that enough to keep me safe then? The only option i have ticked there is "remember what i've downloaded".
Yeah, I think you should be safe.
However, visit these websites below and make sure your browsing history isn't there ("0 pages found")

Sniffing Browser History: A Live Example (http://making-the-web.com/misc/sites-you-visit/)
Sniffing Browser History with NO Javascript! (http://making-the-web.com/misc/sites-you-visit/nojs/)


After I search more about this issue, I find that this is an old bug, reported in 2002 by David Baron for Firefox browser.

Bug 147777 - :visited support allows queries into global history
https://bugzilla.mozilla.org/show_bug.cgi?id=147777

Unfortunately, the userContent.css method only fixes the CSS attack, but to disable the javascript attack you have to use the NoScript extension.
If you don't want to use NoScript extension, here's the easy way to fix this bug (Firefox only) :

http://img204.imageshack.us/img204/9118/layoutcssvisitedlinksen.png

- Type about:config in the address bar
- In the filter list, type layout.css.visited_links_enabled
- The default value is true, we must change the value to false
- Right click layout.css.visited_links_enabled and choose Toggle, this will change the status to user set and value to false
- Restart your firefox

I already tested this method against the websites below and the history scan gives 0 results,
so this method should work against javascript and css attack.
Javascript Attack : Sniffing Browser History: A Live Example (http://making-the-web.com/misc/sites-you-visit/)
CSS Attack : Sniffing Browser History with NO Javascript! (http://making-the-web.com/misc/sites-you-visit/nojs/)
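The two Firefox settings discussed so far in this thread can also be checked from the profile's files rather than by eye. The sketch below is an added example, not code posted by anyone in the thread; it assumes the standard profile layout (prefs.js and user.js for preferences, chrome/userContent.css for the user stylesheet), and the sample profile it builds is constructed.

```python
import re
import tempfile
from pathlib import Path

PREF = "layout.css.visited_links_enabled"  # pref name taken from the thread

# Matches active lines such as: user_pref("name", value);
# Lines commented out with // do not match because of the ^ anchor.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

# The userContent.css rule from the thread: a:visited with
# background or background-image forced to none !important.
CSS_RE = re.compile(
    r"a:visited\s*\{[^}]*background(?:-image)?\s*:\s*none\s*!important", re.I)


def read_pref(profile, name):
    """Return the raw value of a pref, or None if the profile never sets it."""
    value = None
    # Firefox reads prefs.js first and user.js afterwards, so user.js wins.
    for filename in ("prefs.js", "user.js"):
        path = Path(profile) / filename
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for key, raw in PREF_RE.findall(text):
            if key == name:
                value = raw
    return value


def audit_profile(profile):
    """Report which of the thread's two mitigations are active in a profile."""
    chrome = Path(profile) / "chrome"
    css = chrome / "userContent.css"
    has_rule = css.is_file() and bool(
        CSS_RE.search(css.read_text(encoding="utf-8", errors="replace")))
    return {
        # An unset pref means the default (true), i.e. not disabled.
        "visited_links_disabled": read_pref(profile, PREF) == "false",
        "user_css_rule": has_rule,
        # The Notepad mistake the first post warns about.
        "misnamed_css": (chrome / "userContent.css.txt").is_file(),
    }


def demo():
    """Audit a constructed profile before and after applying both tweaks."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        chrome = profile / "chrome"
        chrome.mkdir()
        # Constructed prefs.js: the relevant pref is only present as a comment.
        (profile / "prefs.js").write_text(
            'user_pref("browser.startup.page", 1);\n'
            '// user_pref("layout.css.visited_links_enabled", false);\n')
        # Stylesheet saved with the wrong extension, so Firefox ignores it.
        (chrome / "userContent.css.txt").write_text(
            "a:visited { background-image: none !important; }\n")
        before = audit_profile(profile)

        (chrome / "userContent.css.txt").rename(chrome / "userContent.css")
        (profile / "user.js").write_text(
            'user_pref("layout.css.visited_links_enabled", false);\n')
        after = audit_profile(profile)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Call audit_profile() with the path of the XXX.default folder mentioned earlier in the thread to check a real profile.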

anon
20.07.09, 17:43
After I search more about this issue, I find that this is an old bug, reported in 2002 by David Baron for Firefox browser.

Bug 147777 - :visited support allows queries into global history
https://bugzilla.mozilla.org/show_bug.cgi?id=147777

Unfortunately, the userContent.css method only fixes the CSS attack, but to disable the javascript attack you have to use the NoScript extension.
If you don't want to use NoScript extension, here's the easy way to fix this bug (Firefox only) :

...

Great work. I think I'll add this to the announcement.

hojotrance
20.07.09, 19:01
- Type about:config in the address bar
- In the filter list, type layout.css.visited_links_enabled
- The default value is true, we must change the value to false
- Right click layout.css.visited_links_enabled and choose Toggle, this will change the status to user set and value to false
- Restart your firefox


what version of ff do you use, because i don't have that option? i have 3.0.11 version

anon
20.07.09, 19:02
because i don't have that option?

Perhaps you need to create it?

Zorvak
20.07.09, 21:02
Perhaps you need to create it?
No, the option is already there in Firefox 3.5.1.


what version of ff do you use, because i don't have that option? i have 3.0.11 version
I'm using Firefox 3.5.1, you need to upgrade it at least to 3.5 to see layout.css.visited_links_enabled option.

Upgrade your Firefox to 3.5.1 :

In Firefox : Help -> Check for Updates

Or download the newest version directly from the official page :
Firefox Product Page : Firefox Browser | Free ways to customize your Internet (http://www.mozilla.com/en-US/firefox/personal.html)
Download Link : Mozilla Download (http://www.mozilla.com/products/download.html?product=firefox-3.5.1&os=win&lang=en-US)

anon
20.07.09, 21:11
I'm using Firefox 3.5.1, you need to upgrade it at least to 3.5 to see layout.css.visited_links_enabled option.

Good, I have added this info and the tweak to our security announcement.

Zorvak
21.07.09, 12:26
Update
After I do several tests, userContent.css can't protect you against this CSS attack and its variation :



userContent.css
a:visited {
    background: none !important;
    background-image: none !important;
    list-style-image: none !important;
}


CSS Attack 1, userContent.css will protect you against this attack


<style type="text/css">
#link1 {
    color: blue;
}

#link1:visited {
    color: red;
    background: url(/log.php?visited_url=en.wikipedia.org);
}
</style>

<a id="link1" href="http://en.wikipedia.org/">Wikipedia</a>


CSS Attack 2, userContent.css won't protect you against this attack


<style type="text/css">
#link1 {
    color: blue;
}

#link1:visited randomstring {
    color: red;
    background: url(/log.php?visited_url=en.wikipedia.org);
}
</style>

<a id="link1" href="http://en.wikipedia.org/"><randomstring>Wikipedia</randomstring></a>


Yeah, just by adding <randomstring> tag it will bypass userContent.css protection.
Therefore, I recommend you upgrade to Firefox 3.5.1 and use the layout.css.visited_links_enabled method to completely disable this attack.
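Why the second variant gets past the stylesheet comes down to which element the rule's selector ends on: the user rule a:visited only overrides properties on the link element itself, while the second variant puts the background on a child of the visited link. The checker below is an added example, not code from the post above; it uses a simplified regex-based reading of CSS, the two sample stylesheets are constructed from the quoted variants, and it assumes links are plain a elements.

```python
import re

# Constructed samples mirroring the two variants quoted in the post above.
ATTACK_1 = """
#link1 { color: blue; }
#link1:visited { color: red; background: url(/log.php?visited_url=en.wikipedia.org); }
"""
ATTACK_2 = """
#link1 { color: blue; }
#link1:visited randomstring { color: red; background: url(/log.php?visited_url=en.wikipedia.org); }
"""

# Properties the thread's userContent.css rule forces to "none" on the link.
COVERED_PROPS = {"background", "background-image", "list-style", "list-style-image"}

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")           # selector list { body }
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+?)['\"]?\s*\)", re.I)
COMBINATOR_RE = re.compile(r"\s*[>+~]\s*|\s+")          # splits compound selectors


def find_visited_fetches(css):
    """List every url() load that depends on :visited, and whether the
    a:visited user rule from the thread would neutralise it."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)      # drop comments
    findings = []
    for selectors, body in RULE_RE.findall(css):
        # Collect (property, url) pairs that trigger a network request.
        fetches = []
        for decl in body.split(";"):
            prop, _, value = decl.partition(":")
            for url in URL_RE.findall(value):
                if not url.lower().startswith("data:"):
                    fetches.append((prop.strip().lower(), url.strip()))
        if not fetches:
            continue
        for selector in selectors.split(","):
            selector = selector.strip()
            if ":visited" not in selector.lower():
                continue
            # The last compound selector names the element that gets styled.
            subject = COMBINATOR_RE.split(selector)[-1]
            on_link = ":visited" in subject.lower()
            for prop, url in fetches:
                findings.append({
                    "selector": selector,
                    "property": prop,
                    "url": url,
                    # Only a covered property set on the link itself is
                    # overridden by the user-level !important rule.
                    "blocked_by_user_rule": on_link and prop in COVERED_PROPS,
                })
    return findings


if __name__ == "__main__":
    for name, css in (("attack 1", ATTACK_1), ("attack 2", ATTACK_2)):
        for f in find_visited_fetches(css):
            print(name, f["selector"], "->", f["url"],
                  "blocked" if f["blocked_by_user_rule"] else "NOT blocked")
```

Any finding with blocked_by_user_rule set to False is a case where only disabling visited-link styling altogether, as recommended above, removes the signal.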

atlantis
21.07.09, 12:44
and how I can enable it this ? It must be true or false ?

anonftw
21.07.09, 13:03
and how I can enable it this ? It must be true or false ?

set it to False in FireFox 3.5 or higher following the instructions below.



- Type about:config in the address bar
- In the filter list, type layout.css.visited_links_enabled
- The default value is true, we must change the value to false
- Right click layout.css.visited_links_enabled and choose Toggle, this will change the status to user set and value to false
- Restart your firefox

Zorvak
21.07.09, 13:07
and how I can enable it this ? It must be true or false ?

Atlantis, see my previous post :
http://www.sb-innovation.de/showthread.php?threadid=13725&page=4#post116433

The default value for layout.css.visited_links_enabled is true, you must change it to false, by toggling it.

atlantis
21.07.09, 13:10
Actually my scans are clear but I'll set it to false for more safe :smile:

anon
21.07.09, 18:32
Actually my scans are clear but I'll set it to false for more safe :smile:

Better do that. It takes just one minute, and will protect you against the second attack. :wink:

Thanks for all the info, Zorvak! :thumbsup:

Haggar
09.09.09, 04:00
Hi, so which things would be the best to use to prevent this? Noscript + Zorvak solution is enough? About noscript, are default settings too restrictive? which settings do you recommend for it? For Opera i disabled history and send referrer information.

alpacino
09.09.09, 08:35
Hi, so which things would be the best to use to prevent this? Noscript + Zorvak solution is enough? About noscript, are default settings too restrictive? which settings do you recommend for it? For Opera i disabled history and send referrer information.

If you don't care about web history, disabling it on any browser should be enough. Another nice measure is to use an exclusive browser for sb-i. :top:

Sb-i already has a de-referrer script in place, but if you want to be extra careful, don't click on links from here, rather open a new window/tab and type the address yourself!

anon
09.09.09, 14:10
Hi, so which things would be the best to use to prevent this? Noscript + Zorvak solution is enough?

If you're going to use the same browser for SB-I and trackers, I'd disable history entirely since I don't care about it (but you can use Zorvak's solution if you do)+NoScript/BlockIt+disable referers or use the RefControl settings I posted on kazuya's thread.

I personally use a different browser from Xenocode for every connected tracker.

thecoolest
18.09.09, 10:14
if u want to use firefox as ur browser to surf into SB-I must be do it at private browsing..or more safer..do it with ie8..site works well with ie8 too private browsing..wont store history at all..

anon
18.09.09, 11:28
or more safer..do it with ie8..

IE8? Safer? :wink:

But if you only use it to browse SB-I, that'd be fine. I personally prefer to use different browsers for my trackers instead - only some of them are using this method!

anon
28.10.09, 22:53
Hi,

I have been using this config for some time already, and it works to prevent the leak on Opera. (Note I couldn't test the <randomstring> attack Zorvak mentioned above)

The procedure is more or less the same as with Firefox:


Open a Notepad window and enter the following:

a:visited{
background: none !important;
background-image: none !important;
list-style-image: none !important;
}



Save it somewhere (can be any folder; I chose %programfiles%\Opera\styles) as user.css. You must enclose the filename between quotes in Notepad, or else it'll save it as a TXT file.


Open Opera, and go to View -> Style -> Manage Modes.


Click on the Display tab, then "Choose..." your stylesheet. Go to the directory where you located user.css and select it. Now go to the Presentation Modes tab and make sure the "My style sheet" checkbox is ticked for both modes.

Note: if you have set custom preferences for sites in the past, this tweak may not apply for those. You should go to Tools -> Preferences -> Advanced -> Content -> Manage Site Preferences, highlight a site, click on Edit, then go to the Display tab and make sure your stylesheet is being used at the bottom. Repeat this for every site you've set custom preferences for.


You're now protected against the CSS attack "flavor", but read on - trackers could still check if you've visited SB-I via the JavaScript attack. On Firefox you could download the NoScript addon and be done. For Opera, we'll do something similar with a user script called BlockIt.



First of all, download it from here (http://my.opera.com/community/forums/topic.dml?id=241208). Save the file somewhere (I did it under %appdata%\Opera\Opera\profile\scripts, because I want all of Opera's files to remain together) as BlockIt.js.


After that, go to Tools -> Preferences -> Advanced -> Content -> JavaScript Options, and "Choose..." BlockIt's JS file at the bottom. Press OK on this and the Preferences Dialog to exit both.


Load any page (Google, for example), and you should notice an icon of a paper clip on the bottom right of the screen. Click it to open BIT's UI:


http://www.sb-innovation.de/attachment.php?attachmentid=5064


I'm not going to explain what every button does, you can read that below. For now, just know this means the addon is working, protecting you from malicious scripts.

Note: the same I mentioned for custom site preferences and your stylesheet applies here. Go to the Scripting tab, and "Choose..." BlockIt for every site.


Now I'd recommend you Tools -> Delete Private Data, mostly just in case and so as to start fresh.


Congratulations, you're done shielding your browser against this flaw. To check this, visit a popular page such as Google or Facebook, then go to this (http://www.whattheinternetknowsaboutyou.com/) site. BlockIt and the custom stylesheet should prevent the JS and CSS attacks, respectively, and thus the site shouldn't be able to show you the contents of your history. If it can, you've done something wrong.



FAQ

Q: Can't I just disable History?
A: That does NOT work on Opera.

Q: What do all those buttons on BlockIt do?
A: I'll just quote myself:

The #X# means that script/image/iframe is being blocked.
"Unblock" unblocks the specified/selected item from the page.
"T-unblock" reloads the page and temporarily allows all blockable items.
"Server" toggles blocking or unblocking of all items coming from the same server as the selected one.
"Preview" shows you the selected item: if it's a script, it'll open a new tab showing its source code. If it's an image, it'll show it to you. If it's an iframe, it'll open it in a new tab.

Q: I hate having to go to BIT and press All/T-Unblock every time I load a page. Is there a way to prevent it from hiding images?
A: By default, BIT blocks images hosted on sites outside of the one you're visiting as a security measure. You can change this by opening BlockIt.js, and editing the "var imgblockIt" line to read:

var imgblockIt = false;

If you have any other questions, just tell me.

GotIt
07.12.09, 11:15
Just wondering, does toggling the layout.css... make firefox take longer to browse?

But I've created my usercontent.css and toggled it to false, so thanks, this may save me a banning or two :)

anon
07.12.09, 16:35
Just wondering, does toggling the layout.css... make firefox take longer to browse?

Technically there's a performance impact, but it's less than negligible, so I'd say no.

pillow
07.12.09, 17:11
Q: Can't I just disable History?
A: That does NOT work on Opera.
the css leak seems to be fixed here when just disabling history (addresses=0;dont save content) on op10.01?
your test link shows no visited links.

anon
07.12.09, 17:11
It didn't work when I typed that :tongue: Let me check.

shoulder
07.12.09, 17:22
Just wondering, does toggling the layout.css... make firefox take longer to browse?
It depends on your connection and the amount of "unvisited" links, background images, ... .

anon
07.12.09, 17:39
the css leak seems to be fixed here when just disabling history (addresses=0;dont save content) on op10.01?
your test link shows no visited links.

The check site isn't loading for me :mad:

Can anyone else check that? You can get a portable Opera 10.10 here (http://www.opera-usb.com/).

duderino
15.12.09, 10:27
all you need is the firefox extension called SAFE HISTORY. It prevents java based and non-javabased attempts to steal your history.

atlantis
15.12.09, 22:29
all you need is the firefox extension called SAFE HISTORY. It prevents java based and non-javabased attempts to steal your history.

can anyone confirm that ?

Edit: http://www.making-the-web.com/misc/sites-you-visit/nojs/ it doesn't work anymore

SealLion
16.12.09, 01:37
all you need is the firefox extension called SAFE HISTORY. It prevents java based and non-javabased attempts to steal your history.

you can use your method or you can use anyone's else's method. Different strokes for different people, yes??

atlantis
16.12.09, 10:39
is there any other site for searching leak in css ?

anon
16.12.09, 17:35
Does this one work for you?

http://www.whattheinternetknowsaboutyou.com/

It loads for me, but the layout is destroyed and thus unusable.

atlantis
16.12.09, 18:45
Congratulations, we did not find anything in this category in your browser history.
Feel free to try our other browser history tests.

noscript forever :biggrin:

anon
16.12.09, 18:45
And this was with the Safe History addon? That's good to know.

atlantis
16.12.09, 21:24
without Safe History and with enabled history

anon
16.12.09, 21:25
Just noticed this edit :wink:


noscript forever :biggrin:

I assume you're using the anti-leak stylesheet as well, otherwise the site I linked to could still scan your history without JS.

atlantis
16.12.09, 22:05
Congratulations, we did not find anything in this category in your browser history.
Feel free to try our other browser history tests.

I allowed for the site noscript and again I'm clean :) and I forgot to say, I have refcontrol addon too :smile:

Renk
07.03.10, 21:59
Is there a way to have both Private and Normal mode up at the same time in FF?



I have found an experimental FF addon for that:

https://addons.mozilla.org/fr/firefox/addon/59736


This extension replaces firefox's default private browsing mode. Instead, it allows users to have private browsing and normal browsing windows simultaneously. Having both private and normal browsing windows enables you to do things like using two yahoo mail accounts or two facebook accounts simultaneously... one in a normal window and one in a private browsing window.

Zoltar600
23.04.10, 01:28
I have found an experimental FF addon for that:

https://addons.mozilla.org/fr/firefox/addon/59736

Looks like the addon's had a short lifespan. Link no longer works.

Links for the CSS leak test also dead. Does anyone have a working link? Thanks

Also, with noscript is it enough to block sb-innovation.de or should i block scripts from any tracker I'm a member of?

alpacino
23.04.10, 04:51
Also, with noscript is it enough to block sb-innovation.de or should i block scripts from any tracker I'm a member of?

Blocking scripts is not enough to be safe from these attacks, because you will still be registering a history of pages you visited. My recommendation would be using an exclusive browser for sb-i or using the "private session" browsing feature most new browsers have, which doesn't keep history/cache or cookies from sessions.

anon
23.04.10, 15:03
Also, with noscript is it enough to block sb-innovation.de or should i block scripts from any tracker I'm a member of?

It's not our forum you have to block...

I'm using the custom stylesheet and disabled JavaScript for trackers using this method, with no real loss of functionality.

Zoltar600
23.04.10, 17:31
Blocking scripts is not enough to be safe from these attacks, because you will still be registering a history of pages you visited. My recommendation would be using an exclusive browser for sb-i or using the "private session" browsing feature most new browsers have, which doesn't keep history/cache or cookies from sessions.

Well I'm also using Refcontrol to block referrers. Is that enough?

anon
23.04.10, 17:32
I suppose yes.

ciccio
25.04.10, 13:34
Guys, i've found the chrome folder in the firefox folder but the file is called "userChrome-example.css" and not "userContent.css". Problems?

Instab
25.04.10, 13:51
Guys, i've found the chrome folder in the firefox folder but the file is called "userChrome-example.css" and not "userContent.css". Problems?

these are just plain text files. just create what's not there ;)

ciccio
25.04.10, 16:18
these are just plain text files. just create what's not there ;)

I've to create userContent.css? But isn't it better to just not have it?

anon
25.04.10, 17:35
I've to create userContent.css?

The first post says that if it doesn't exist, you should create it... :unsure:

Watch out for the file extension, i.e. it's better to paste the contents in a new Notepad window, going to File -> Save As, browsing to the chrome directory and saving it as "userContent.css" WITH the quotes.

ciccio
25.04.10, 18:42
I've created a new Notepad saved with the name "userContent.css" (WITH .css extension and WITH the quotes).

Then into it I've pasted


a:visited { background-image: none !important; }

Right? I'm ok now?

Anon, a technical information: Why with the quotes?

anon
25.04.10, 18:43
Yes, you should be fine.


Anon, a technical information: Why with the quotes?

So that it gets saved as a CSS file and not a text one.

Instab
25.04.10, 18:44
Anon, a technical information: Why with the quotes?

to be sure the extension is not replaced by the app in case it's unknown to it

grebetu
25.04.10, 18:51
Also, one might consider using stylish extension for firefox instead of userContent.css. That way you can use custom style on sites you need to do so, and don't break layout of others.

edit: BTW I'm in no way recommending custom stylesheets as a protection.

anon
13.05.10, 20:11
What.CD – Death of privacy - On A Soapbox (http://onasoapbox.co.uk/2010/05/12/what-cd-death-of-privacy/)

What.cd staff <333333

If you can't be bothered to read, here's a sample code for the CSS leak and a supposed list of URLs being checked by them, respectively:
Private Paste - Pastie (http://pastie.org/private/hscld6wxvfl3ynnjbwu8w)
Private Paste - Pastie (http://pastie.org/private/p8a9bemaax6md65qqrzima)

grebetu
13.05.10, 22:45
What.CD – Death of privacy - On A Soapbox (http://onasoapbox.co.uk/2010/05/12/what-cd-death-of-privacy/)

What.cd staff <333333

If you can't be bothered to read, here's a sample code for the CSS leak and a supposed list of URLs being checked by them, respectively:
Private Paste - Pastie (http://pastie.org/private/hscld6wxvfl3ynnjbwu8w)
Private Paste - Pastie (http://pastie.org/private/p8a9bemaax6md65qqrzima)

Too funny :)

Instab
13.05.10, 22:52
hehe, yeah, can't stand what

caballero
13.05.10, 23:02
What.CD – Death of privacy - On A Soapbox (http://onasoapbox.co.uk/2010/05/12/what-cd-death-of-privacy/)


I'm amazed by the comments on the article, very strange and surprising.

shoulder
13.05.10, 23:06
This is kinda funny, especially the list of links which are supposed to be checked. :P

anon
13.05.10, 23:07
Yes, the amount of links to a certain .de board is amazing. :shifty:

shoulder
13.05.10, 23:25
I've heard that one board is evil, you learn how to steal from thieves over there, so I guess it's ok. :eek3:

anon
13.05.10, 23:29
I've heard their staff goes on power trips all the time Sorry, confused it with the tracker

---------- Post added at 18:27 ---------- Previous post was at 18:26 ----------

Still they have good connections to the staff

---------- Post added at 18:28 ---------- Previous post was at 18:27 ----------

At least one of them

---------- Post added at 18:29 ---------- Previous post was at 18:28 ----------

I wonder how it feels to be promoted to Moderator on What. :unsure:

caballero
13.05.10, 23:32
The list contains youtube videos, never thought of searching for cheating methods over there !

---------- Post added at 22:32 ---------- Previous post was at 22:31 ----------



I wonder how it feels to be promoted to Moderator on What. :unsure:

would you take it if you had the chance?

anon
13.05.10, 23:36
would you take it if you had the chance?

I can't say I wouldn't. :shifty:

---------- Post added at 18:34 ---------- Previous post was at 18:33 ----------

I'd then reenable my first account and disable their anti-cheat scripts. :lol:

---------- Post added at 18:36 ---------- Previous post was at 18:34 ----------


The list contains youtube videos, never thought of searching for cheating methods over there !

YouTube has pretty much anything, ranging from scam videos to very professional video tutorials on how to do stuff.

saebrtooth
14.05.10, 03:27
oh yeah anon dont forget about little people hehe
we can supply u with a list for unbanning

alpacino
14.05.10, 06:11
OMG! I'm astonished by this! To tell you the truth, I never believed 100% that they were really using the CSS attack on people, and I was countering the attack just in order to be safe, to prevent any troubles etc. Now I'm really surprised and reading the links/article with some excitement. They have some user ids on watch and even who searches for the word "cheater" on their forums. Anyone who reads this article can clearly see, sb-i is their number one public enemy, they just love us. And we love them back. <3 what.cd staff (as anon would say).

saebrtooth
14.05.10, 06:34
Even with css bug unpatched the best way to counter is using a different browser

alpacino
14.05.10, 08:27
That's exactly what I do, up to this day. ;)

grebetu
14.05.10, 14:09
Yeah, one should keep in mind that substituting background image is not the only kind of exploit that can tell them where you were, so - different browsers or private mode FTW.

anon
14.05.10, 16:22
They have some user ids on watch

One of them's probably mine :tongue:

Just for the record, I'm using the same browser for SB-I and What.cd, fully protected against the CSS leak, and my accounts are still fine. I did use different browsers in the beginning, though.

Having the "SB" and "CD" favicons next to each other is so awesome...

grebetu
14.05.10, 19:00
One of them's probably mine :tongue:

Just for the record, I'm using the same browser for SB-I and What.cd, fully protected against the CSS leak, and my accounts are still fine. I did use different browsers in the beginning, though.

Having the "SB" and "CD" favicons next to each other is so awesome...

If you just protect with css against :visited exploit you're still vulnerable to half a dozen ways to peek into your history file.


For example, a Web page could make some links hidden and some visible based on what sites are visited, and then determine what the user clicks on.

Maybe what.cd staff won't bother implementing any other check, but you saved my account by pointing me to this early in the beginning, I feel obliged to warn you that as long as there are traces in your history they could be dug up :top:

anon
14.05.10, 19:52
If you just protect with css against :visited exploit you're still vulnerable to half a dozen ways to peek into your history file.

Thankfully What.cd doesn't seem to be using them. :happy:

shadowww
15.05.10, 03:26
Just saw that posted list of probed sites from what.cd and had a nice laugh. :D

Anyway, I read through this whole thread and saw mentioned fix from Zorvak:


- Type about:config in the address bar
- In the filter list, type layout.css.visited_links_enabled
- The default value is true, we must change the value to false
- Right click layout.css.visited_links_enabled and choose Toggle, this will change the status to user set and value to false
- Restart your firefox

And would just remind you about this for people who wonder and don't want to spend time to investigate on their own as this seems to be just enough of protection. I don't use anything else (don't have noscript addon or any other specific custom option enabled) but my data does not get leaked according to quite a few online testing tools, one of better being this one: Start Panicking! (http://startpanic.com/)
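
Added example, not part of any post in this thread: a Python audit of a Firefox profile for the two mitigations discussed above, the `a:visited` rule in `chrome/userContent.css` (including the Notepad `userContent.css.txt` mistake) and `layout.css.visited_links_enabled` set to false. It assumes the standard `user_pref(...)` lines of `prefs.js` and `user.js`; the function names and the temporary sample profile are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PREF_NAME = "layout.css.visited_links_enabled"
# One preference per line, e.g. user_pref("some.name", false);
PREF_LINE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')
# The stylesheet rule from the thread, tolerant of whitespace and extra declarations.
VISITED_RULE = re.compile(
    r"a:visited\s*\{[^}]*background-image\s*:\s*none\s*!important", re.IGNORECASE)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def read_pref(profile, name=PREF_NAME):
    """Return the pref's value as written, or None if it is never set.

    user.js is read after prefs.js because Firefox applies it on top at startup.
    """
    value = None
    for filename in ("prefs.js", "user.js"):
        path = Path(profile) / filename
        if not path.is_file():
            continue
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            line = line.strip()
            if line.startswith("//"):  # commented-out preference
                continue
            match = PREF_LINE.match(line)
            if match and match.group(1) == name:
                value = match.group(2)
    return value


def audit_profile(profile):
    """Check one profile directory for both mitigations and the extension trap."""
    profile = Path(profile)
    chrome = profile / "chrome"
    css_file = chrome / "userContent.css"

    rule_present = False
    if css_file.is_file():
        css = css_file.read_text(encoding="utf-8", errors="replace")
        # Ignore a rule that only appears inside a CSS comment.
        rule_present = bool(VISITED_RULE.search(CSS_COMMENT.sub("", css)))

    # Files such as userContent.css.txt are never loaded by the browser.
    misnamed = []
    if chrome.is_dir():
        misnamed = sorted(p.name for p in chrome.iterdir()
                          if p.name.lower().startswith("usercontent.css."))

    pref = read_pref(profile)
    return {
        "stylesheet_rule": rule_present,
        "misnamed_files": misnamed,
        "visited_links_pref": pref,
        "visited_styling_disabled": pref == "false",
    }


def demo():
    """Audit a constructed profile before and after correcting it."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        chrome = profile / "chrome"
        chrome.mkdir()
        rule = "a:visited { background-image: none !important; }\n"
        # Constructed mistake: the editor appended .txt to the file name.
        (chrome / "userContent.css.txt").write_text(rule)
        (profile / "prefs.js").write_text('user_pref("browser.startup.page", 3);\n')
        before = audit_profile(profile)

        # Correct the file name and pin the preference in user.js.
        (chrome / "userContent.css.txt").rename(chrome / "userContent.css")
        (profile / "user.js").write_text(f'user_pref("{PREF_NAME}", false);\n')
        after = audit_profile(profile)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

To check a real profile, call `audit_profile()` with the profile directory path while Firefox is closed, since the browser rewrites `prefs.js` when it exits.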

saebrtooth
15.05.10, 03:50
yes that is a good setting for FF. FF on this feature is better than IE

anon
15.05.10, 18:00
Anyway, I read through this whole thread and saw mentioned fix from Zorvak:

Yes, that's mentioned on the security announcement. Good to give it a small bump nonetheless.

tokiodrift1
21.05.10, 11:24
This is a brand-new article regarding the css history leak.
It says that people are also able to find where someone is living by simply using the css history data.
What they could find out:

*User's postcode
*What typed into a search engine
*Last read news-article

They called this leak 'history stealing'.
Furthermore they checked 270.000 Internet-Users and 76 % were vulnerable to the history-stealing-attack.

source: heise (http://www.heise.de/newsticker/meldung/History-Stealing-2-0-Ich-weiss-wo-du-wohnst-1005016.html)

translated: by g00gle (http://translate.google.de/translate?u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FHistory-Stealing-2-0-Ich-weiss-wo-du-wohnst-1005016.html&sl=de&tl=en&hl=&ie=UTF-8)

We can prevent such attacks, if we look at the way how they did it, so here's (http://w2spconf.com/2010/papers/p26.pdf) the official pdf about this attack, it is in english.


Regards,
td1

Edit: found some nice info (http://whattheinternetknowsaboutyou.com/docs/solutions.html)

FF-Extension which may help: click (https://addons.mozilla.org/en-US/firefox/addon/12312/)

info:

In Firefox 3.5, you can try the LinkStatus extension which can disable visited styles through the "Ignore :visited link style" option.

kazuya
21.05.10, 19:18
If you just protect with css against :visited exploit you're still vulnerable to half a dozen ways to peek into your history file

and if i don't keep any history files :wink: they can leak my ass then :biggrin:

tokiodrift1
21.05.10, 21:40
LOL.
I checked it twice---> first i visited some general known sites.
After that i went to here (http://whattheinternetknowsaboutyou.com/) and made a check.
The results were not that good (site could steal my history).



After installing the FF-Addon 'Link-Status' (look in my previous post) and deleting my browser history + cache, i went to the same general known sites.

Few minutes later I checked this link (http://whattheinternetknowsaboutyou.com/) again, and VOILA i was not longer vulnerable.

No longer need to do anything.
This is the perfect solution for the SB-I users. ;-)

Regards,
td1

Edit: Remember to activate the option in the 'Link Status-Options, by default it is disabled !

grebetu
21.05.10, 21:55
and if i don't keep any history files :wink: they can leak my ass then :biggrin:

true :top:

unfortunately history is pretty convenient thingy, i personally couldn't do without.

Instab
21.05.10, 22:39
checked the link but the site doesn't seem to work for me :P

shadowww
21.05.10, 22:42
I posted on previous page good "checking" website for people who want to test various solutions; here it is again:

Start Panicking! (http://startpanic.com/)

I however stick with most simple solution, editing one (1) option in about:config as mentioned on previous page as well.

Instab
21.05.10, 22:48
I posted on previous page good "checking" website for people who want to test various solutions; here it is again:

Start Panicking! (http://startpanic.com/)

no result. just the words 'ready now!' and the following text

Correct? You bet. If you would like to protect your privacy online and want browser developers to patch this vulnerability, please sign our petition. Moreover, you can send your friend a special link via Startpanic.com mailing system. When your friend clicks it, you will receive the list of websites he has visited recently.

shadowww
21.05.10, 22:54
Yes, you don't leak anything. If you do it would show up in the "i know everything" , "here we go" list of pages... Try with some other browser or with turned off your, whatever setting you use for protection vs leak if you want to see demonstration...

Instab
21.05.10, 23:11
nice test, needs js however

tokiodrift1
21.05.10, 23:12
checked the link but the site doesn't seem to work for me :P

You've to enable javascript.

anon
21.05.10, 23:13
As far as Opera is concerned, anti-leak stylesheet + disabling JavaScript = win. Excepting maybe the randomstring attack. A good point for Firefox!

Instab
21.05.10, 23:14
You've to enable javascript.

i did

tokiodrift1
21.05.10, 23:16
hmm.., maybe you're naturally immune. :biggrin:

edit: Does it work with another browser ?

Instab
21.05.10, 23:48
hmm.., maybe you're naturally immune. :biggrin:

hehe, indeed i have quite a tight setup here :P

saebrtooth
22.05.10, 02:34
Yes, you don't leak anything. ..

Maybe we should add ", anything that they detect" As I'm sure there are other methods to detect privacy leaks

shadowww
22.05.10, 03:09
I don't know... If there is better method to test it out or if there is some webpage which can show you some vital leak from your browser that this test doesn't feel free to post it.

Instab
22.05.10, 04:02
Maybe we should add ", anything that they detect" As I'm sure there are other methods to detect privacy leaks

well, it's not that they'd hack the browser. with a properly configured router, and the usual noscript and all it should be quite nice

saebrtooth
22.05.10, 04:54
oooh nice comeback ;)


I don't know... If there is better method to test it out or if there is some webpage which can show you some vital leak from your browser that this test doesn't feel free to post it.

Why go far off into the internet where one has already been mentioned ;)

tokio's post 119 (http://www.sb-innovation.de/f59/css-history-leak-how-prevent-even-enabled-history-firefox-opera-13725/index8.html#post190511)


This is a brand-new article regarding the css history leak.
It says that people are also able to find where someone is living by simply using the css history data.
What they could find out:

*User's postcode
*What typed into a search engine
*Last read news-article

They called this leak 'history stealing'.
Furthermore they checked 270.000 Internet-Users and 76 % were vulnerable to the history-stealing-attack.

source: heise (http://www.heise.de/newsticker/meldung/History-Stealing-2-0-Ich-weiss-wo-du-wohnst-1005016.html)

translated: by g00gle (http://translate.google.de/translate?u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FHistory-Stealing-2-0-Ich-weiss-wo-du-wohnst-1005016.html&sl=de&tl=en&hl=&ie=UTF-8)

We can prevent such attacks, if we look at the way how they did it, so here's (http://w2spconf.com/2010/papers/p26.pdf) the official pdf about this attack, it is in english.


Regards,
td1

Edit: found some nice info (http://whattheinternetknowsaboutyou.com/docs/solutions.html)

FF-Extension which may help: click (https://addons.mozilla.org/en-US/firefox/addon/12312/)

info:



main info (http://translate.google.de/translate?u=http://www.heise.de/newsticker/meldung/History-Stealing-2-0-Ich-weiss-wo-du-wohnst-1005016.html&sl=de&tl=en&hl=&ie=UTF-8)
Just a cursory look will avail u this difference


Unfortunately, there is also a way to get at the browser history without JavaScript. An attacker uses the ability of style sheets to load different background images depending on whether the page has already been visited or not. With prepared HTML pages, an attacker can then query the history without JavaScript by observing whether the page loads images. Janc and Olejnik have also integrated this method into their test, which according to them works even with JavaScript switched off and with plug-ins such as NoScript installed.

In startpanic (http://startpanic.com/) I wonder what happens when u turn js off regardless of whether css is on or off?


http://startpanic.com/en

anon
22.05.10, 18:12
In startpanic I wonder what happens when u turn js off regardless of whether css is on or off?

The "begin testing" button ceases to work :tongue:

sudar02
07.06.10, 17:54
So, I've done this userContent.css thing and it means that I can use trackers like what.cd in a same browser.

Only thing that worries me is that folder location. I don't have any folder called chrome in Application Data but in my Program files there's one called like that.

SBfreak
07.06.10, 19:09
I guess you enabled the option to see hidden files right?

sudar02
07.06.10, 19:33
I guess you enabled the option to see hidden files right?

Nvm, Win7 users got a Roaming folder. Got it there and edited :D

SBfreak
07.06.10, 19:37
You should have just used the search function from the upper-right corner of explorer :lol:

anon
07.06.10, 19:50
So, I've done this userContent.css thing and it means that I can use trackers like what.cd in a same browser.

Remember to disable JavaScript for What.cd as well, otherwise it's the same.

caballero
09.06.10, 01:18
I decided to move to opera yesterday (from chrome)

I did everything mentioned here (read every single post!):
For firefox it works fine (Zorvak's solution + Noscript add-on + usercontent.css)
http://img203.imageshack.us/img203/396/screenshot1ke.jpg

However, for opera, it didn't work (I did everything in anon's post):
http://img404.imageshack.us/img404/5051/screenshot2z.jpg

Blockit add-on is working and it is blocking the script (#X#)

I normally use Chrome for browsing and firefox for trackers, I will still do the same but I will change Chrome to Opera. I want to know why it's not working for opera

anon
09.06.10, 01:21
You should disable JavaScript entirely for "sensitive" sites. But if you do, the test won't work. :lol:

In Opera, you should be shielded against the leak with JS disabled and the custom stylesheet, except the randomstring attack Zorvak once mentioned. Looks like that one can only be avoided with Firefox. :unsure:

caballero
09.06.10, 01:30
You should disable JavaScript entirely for "sensitive" sites. But if you do, the test won't work. :lol:

Yes I know that, I used the "Partially allow for this page" in Noscript add-on to get the the test working.



In Opera, you should be shielded against the leak with JS disabled and the custom stylesheet,
What is the point of running Blockit then if I'm going to disable java script entirely. I thought Blockit allows you to control the script, when to disable it and when to enable it.

I think that Blockit is not doing its job correctly or I'm thinking that it does a job that's not assigned to it; how is the test working if Blockit is blocking the script.

saebrtooth
09.06.10, 02:53
it's because lots of probes req js, and if u don't enable it, those probes won't work

anon
09.06.10, 18:07
What is the point of running Blockit then if I'm going to disable java script entirely. I thought Blockit allows you to control the script, when to disable it and when to enable it.

What I meant is that BlockIt isn't always flawless. :unsure:


I think that Blockit is not doing its job correctly or I'm thinking that it does a job that's not assigned to it; how is the test working if Blockit is blocking the script.

You can go to Libble's login page, for example - if you get "you appear to have cookies disabled" (which makes sense, since it can't use JS to check if they're enabled) it's working.

sudar02
29.06.10, 19:03
So, if I set my Mozilla not to remember any history at all. Can I have what.cd and SBI opened at the same time?

anon
29.06.10, 19:31
Mozilla Firefox?

Then as far as I know, yes.

tokiodrift1
29.06.10, 19:32
So, if I set my Mozilla not to remember any history at all. Can I have what.cd and SBI opened at the same time?



You've got it! :tongue:

btw, you could also use the addon for firefox.

sudar02
29.06.10, 19:40
Oh, well, that's perfect. Because NoScript is giving me hard time using the site.

SBfreak
29.06.10, 19:45
SBi or what.cd??
You did allow sbi didn't you:unsure:

sudar02
29.06.10, 19:47
SBi or what.cd??
You did allow sbi didn't you:unsure:

Yeah, I allow almost everything except trackers. But most of the trackers are gazelle oriented so there's the problem :) I can't even look at the peerlist. xD

Grambo
01.07.10, 05:29
I decided to turn history off and only use Speed Dial addon for FF.

Instab
24.07.10, 07:17
looks like they finally fixed it MFSA 2010-46: Cross-domain data theft using CSS (http://www.mozilla.org/security/announce/2010/mfsa2010-46.html)

Blocker
24.07.10, 18:00
looks like they finally fixed it MFSA 2010-46: Cross-domain data theft using CSS (http://www.mozilla.org/security/announce/2010/mfsa2010-46.html)

So does this firefox add-on will prevent CSS History Leak? :unsure: :confused:

Description

Google security researcher Chris Evans reported that data can be read across domains by injecting bogus CSS selectors into a target site and then retrieving the data using JavaScript APIs. If an attacker can inject opening and closing portions of a CSS selector into points A and B of a target page, then the region between the two injection points becomes readable to JavaScript through, for example, the getComputedStyle() API.

anon
24.07.10, 18:01
Did you actually click on the link?

Blocker
24.07.10, 18:17
Yap sorry ,it's a security announce not an add-on :happy:

Ultraviolet
04.08.10, 21:24
Damn, guess I should have read this thread, before visiting what.cd in Firefox with SB-I still open... :frown:

Feel a little tension crawling up my spine, if my account will be disabled in a few ...seconds, days, weeks (?).

I'll keep you updated.

anon
04.08.10, 21:26
In the meantime it'd be a good idea to shield yourself up.

Remember only setting layout.css.visited_links_enabled to false can protect you against the randomstring attack:
http://ha.ckers.org/weird/CSS-history.cgi

Resurrection
05.08.10, 05:54
For firefox i started

Stanford SafeHistory (http://www.safehistory.com/)

Stanford SafeCache (http://www.safecache.com/)

after i became a member of this site...

I'm sure most of you must have known about the plugins...Very handy tool to have when you are in the cheating business...

Instab
05.08.10, 06:12
For firefox i started

Stanford SafeHistory (http://www.safehistory.com/)

Stanford SafeCache (http://www.safecache.com/)

after i became a member of this site...

I'm sure most of you must have known about the plugins...Very handy tool to have when you are in the cheating business...

yes, both are great but be sure to do the steps from our guide anyway

anon
05.08.10, 14:38
Stanford SafeHistory (http://www.safehistory.com/)

Does this one protect you against the leak test I posted above you?

Resurrection
05.08.10, 16:27
Haha...it told me a bunch of websites I've NOT visited and there is a blank in The following sites were visited: so I suppose I can log on to TL from here...

But I think the test is 2006 old...

Maybe codes have improved since...

I'd like to test these add-ons on a more modern script...

anon
05.08.10, 16:29
TL isn't using the CSS leak.

The test may be somewhat old, but NoScript and the anti-leak stylesheet still don't seem to prevent it from reading your history, so...

Resurrection
05.08.10, 16:31
How could i tell its 2006 old???

Jeremiah Grossman: I know where you've been (http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html)

I think I'll stick with those add-ons until somebody tells me otherwise...


-----------------------------------------------------------------------------------

Hey check out the comments at the end of the page there....A few modern tests...

I entered the linux one and it still shows blanks...

Good to know...

anon
04.09.10, 01:01
Note that just in case this hasn't been mentioned before, Opera's private tabs completely shield you against the CSS leak:

http://www.sb-innovation.de/attachment.php?attachmentid=7891

If you're on a version with that feature (I don't know when they added it), disregard my long tutorial about it and just open trackers on private tabs. The only downsides are that if you close all private tabs, you'll be logged out of trackers, so be careful. Private tabs won't appear in the closed tabs list, also.

Keep on rocking What.cd, people! :glol:

caballero
04.09.10, 03:39
If this (http://startpanic.com/) website is good enough to test the CSS leak, then I confirm that opening an 'incognito window' (equivalent to private tab in Opera and IE) in Chrome will also do the job.

I tried using the site in normal browsing and all my visited websites came up, tried it with this incognito window and nothing came up

anon
04.09.10, 17:55
I don't use Chrome, so thanks for testing. I ran that test on an Opera private tab, and it's the same - zero results.

Instab
05.09.10, 03:04
after hitting start i just got a blank page. test passed i'd say :P

anon
05.09.10, 18:04
I'd like to believe the same. :gtongue:

Did you try the ha.ckers.org test? That one uses the randomstring attack.

Instab
05.09.10, 22:43
ehm, not sure where it is on that site

anon
05.09.10, 22:44
CSS History Hack Without JavaScript (http://ha.ckers.org/weird/CSS-history.cgi)

Instab
05.09.10, 22:45
CSS History Hack Without JavaScript (http://ha.ckers.org/weird/CSS-history.cgi)

yep, passed. got the following on a blank page

The following sites were visited:

nothing else

saebrtooth
06.09.10, 01:39
CSS History Hack Without JavaScript (http://ha.ckers.org/weird/CSS-history.cgi)
my msg

The following sites were visited:

Ultraviolet
08.09.10, 14:04
Damn, guess I should have read this thread, before visiting what.cd in Firefox with SB-I still open... :frown:

Feel a little tension crawling up my spine, if my account will be disabled in a few ...seconds, days, weeks (?).

I'll keep you updated.

Update: It's been 1 month since this post and my account is still working.
*phew* ;-)

C3PO
14.12.10, 17:10
That's what I should get right...

http://www.sb-innovation.de/attachment.php?attachmentid=8927

anon
14.12.10, 17:11
:gyup:

flux1
02.02.11, 21:38
someone can upload userContent.css ? I dont know how to make this ...

anon
02.02.11, 21:40
Notepad.

MiCRON
09.02.11, 02:28
Is Chromium/Chrome affected by this hack? I've tried clicking anon's link and got a "The following sites were visited" message, but there's no list of the sites I'm currently surfing and those that I've been through.

anon
09.02.11, 02:35
Chrome is immune if you use incognito mode, that's for sure.

MiCRON
09.02.11, 02:54
Yeah, but the problem is I wasn't the first few times I visited What. I've read on the link you've posted (the internets one) that current builds of Chrome and FireFox 3.7 RCs/4.0 were fixed but it still freaks me out. :D

Instab
09.02.11, 04:35
FireFox 3.7 RCs

there is no 3.7rc afaik

MiCRON
09.02.11, 06:46
there is no 3.7rc afaik

Yeah, I think Mozilla had some changed plans and dumped 3.7 allover. FF 4.0 might be immune too but it's still in beta.

lolz
11.03.11, 16:32
New In Firefox 4.0:
CSS :visited selectors have been changed to block websites from being able to check a user's browsing history.

So now we can use the same browser to view both SB-I and What.CD in the same time ?

SaintShaolin
11.03.11, 18:29
So now we can use the same browser to view both SB-I and What.CD in the same time ?

Most likely, YES.
But don't start using FF 4.0, until it becomes final.
There might still be bugs / issues that might make it risky.

MiCRON
11.03.11, 18:53
Same question for me. Is it safe to use FF4 in normal mode or do I have to start Private Browsing?

anon
11.03.11, 19:07
Just check it with the history test (http://ha.ckers.org/weird/CSS-history.cgi) on ha.ckers.org. If they can't see anything, neither can What.cd.

The Shutter
11.03.11, 19:32
Same question for me. Is it safe to use FF4 in normal mode or do I have to start Private Browsing?

it's better to use private browsing or use another browser just for trackers

---------- Post added at 20:32 ---------- Previous post was at 20:07 ----------

Easier Way For This

Firefox :

Open about:config
Search for layout.css.visited_links_enabled
double click on it , you will see Value = false

MiCRON
12.03.11, 06:07
The results showed none, even though I have layout.css.visited_links_enabled set to true.

Instab
12.03.11, 10:41
The results showed none, even though I have layout.css.visited_links_enabled set to true.

iirc that got fixed a few versions back

The Shutter
12.03.11, 11:53
The results showed none, even though I have layout.css.visited_links_enabled set to true.

Using Firefox version??

math
12.03.11, 13:56
I tried this yesterday on Chrome (latest dev release), opera 11.01 and Firefox 4 RC :
Chrome and Firefox Passed (The results showed none) , Opera Fail.

MiCRON
12.03.11, 13:58
I was using Firefox 4 RC.

lolz
12.03.11, 14:13
I'm using firefox 4RC too, I just feel tired because of using two browsers at the same time. Using NoScripts. I think it'll be fine :)

The Shutter
12.03.11, 15:09
I tried this yesterday on Chrome (latest dev release), opera 11.01 and Firefox 4 RC :
Chrome and Firefox Passed (The results showed none) , Opera Fail.

Opera fails because the coders don't think this is a bug :rolleyes:


I was using Firefox 4 RC.

yeah fixed in ff4 but it's still a beta so be careful

@Freak
12.03.11, 17:14
I am using latest chrome in normal mode

The following sites were visited:none

So if this is what i get am I good to go with What and sb-i in the same browser?

Just to doublecheck :biggrin:

anon
12.03.11, 17:32
Opera fails because the coders don't think this is a bug :rolleyes:

Technically, it isn't. It's a standard and perfectly valid CSS feature being abused. Private tabs will do in Opera.

The Shutter
12.03.11, 17:37
Technically, it isn't. It's a standard and perfectly valid CSS feature being abused. Private tabs will do in Opera.

If you read Microsoft or Google (don't remember really) words about this, they said that this is an invasion of the user's privacy (you have no rights to know what websites I opened ;) ) calling it a bug so they fixed it in the new versions except Opera who said that the coders only fix bugs not a feature.

anon
12.03.11, 17:43
I didn't say I didn't agree nor that the Opera team shouldn't change that. You think I like letting trackers know where I've been?

The thing is, both whoever said that and the Opera guys are right. It is a privacy invasion that uses a standard CSS feature. It'd be nice if they did the same change as Firefox and Chrome, but as they see it there's no reason to do so.

The Shutter
12.03.11, 20:34
I didn't say I didn't agree nor that the Opera team shouldn't change that. You think I like letting trackers know where I've been?

The thing is, both whoever said that and the Opera guys are right. It is a privacy invasion that uses a standard CSS feature. It'd be nice if they did the same change as Firefox and Chrome, but as they see it there's no reason to do so.

nor did i say that you like that :P , but i hope Opera will fix this issue soon

blubbo
05.04.12, 05:46
Am I safe with Google Chrome as long as I just delete my history before visiting a tracker? Should I delete my cookies too?

bjs
05.04.12, 10:38
I am a little confused after reading the whole thread. Am I right on the following?

1. changing userContent.css can only solve PART of the problem;
2. disabling layout.css.visited_links_enabled should work;
3. using addon Noscript should be safe;
4. Firefox 4 and above should be safe.

For some reasons, I am still using Firefox 3.6. Also I feel Noscript is a little overkill. Does this mean that I have to use option 2 and lose the colouring feature for visited/unvisited links?

shoulder
05.04.12, 11:44
1. changing userContent.css can only solve PART of the problem;

This can only prevent the "real" CSS only leak.
It can have some downsides though.



2. disabling layout.css.visited_links_enabled should work;
That one I'm not sure about, never used this option.


3. using addon Noscript should be safe;
Not alone, this only prevents the JS based leak.


4. Firefox 4 and above should be safe.
I don't know which version exactly fixed this leak, so I can't tell you for sure Firefox 4 fixed it.



For some reasons, I am still using Firefox 3.6. Also I feel Noscript is a little overkill. Does this mean that I have to use option 2 and lose the colouring feature for visited/unvisited links?
Yes, you need to combine NoScript and the custom css, or just disable your history globally.
Also, using NoScript is always a good option.
And yes, you'll lose the coloring feature.

anon
05.04.12, 19:31
Am I safe with Google Chrome as long as I just delete my history before visiting a tracker? Should I delete my cookies too?

Just use incognito mode for trackers, it's less mind-boggling.

For the Firefox crowd, layout.css.visited_links_enabled=false is a catch-all solution. It prevents the leak at all times.

THC
27.04.12, 18:19
Just use incognito mode for trackers, it's less mind-boggling.

So it's safe to browse SB-I in a tab and w.cd in another one at the same time?

BrianBosworth
27.04.12, 18:53
So it's safe to browse SB-I in a tab and w.cd in another one at the same time?



Yes. Incognito Mode will work with any tracker(s).

anon
27.04.12, 19:41
So it's safe to browse SB-I in a tab and w.cd in another one at the same time?

As long as at least one of those tabs is incognito, sure. And that way you don't need to worry about cookies and such, either. Once the window is closed, so are all traces.

gu5t3r
28.04.12, 02:29
FF12 and IE9 passed all tests found in this thread, I guess this leak is fixed and there's no need to be afraid of running SB-I and trackers in the same browser...

Instab
28.04.12, 03:49
FF12 and IE9 passed all tests found in this thread, I guess this leak is fixed and there's no need to be afraid of running SB-I and trackers in the same browser...
could you tell what options you used? or any special settings, addons and so on?

gu5t3r
28.04.12, 04:43
No special options, no addons. Just checked latest Chrome, passed all three tests too.

What the Internet knows about you (http://www.whattheinternetknowsaboutyou.com/top20k)
ha.ckers.org/weird/CSS-history.cgi
Start Panicking! (http://startpanic.com/)

If you do this test IP check (http://ip-check.info/?lang=en) by JonDoFox, your browser will reveal a lot of information, but the last item, Browser history, says Protected and on mouseover states "Modern browsers should not be affected by this attack. If you still have an old browser, please update it as soon as possible."
Explanation: "Your browser either does not store any website history or it does not mark visited web sites. In both cases you are protected."

I have history entries from a year ago, so I guess this leak is fixed in the newest browsers and What.CD or other trackers should not be able to detect that you are running an SB-I tab next to theirs.

If you are paranoid you could just block sb-innovation.de with HistoryBlock addon for FF. Every time after page loads it will remove it from history. There will not be sb-innovation.de entries in history or any other domains you block.


could you tell what options you used? or any special settings, addons and so on?

THC
28.04.12, 14:05
I hope you're right and those tests are working fine but you should take into account that what.cd's mods are not humans! They are some machines from the future sent back in time to protect their freaking site where only the right ones shall exist. They love w.cd more than their own mothers. :rolleyes:

gu5t3r
28.04.12, 14:26
OK, you made me paranoid =)
I added sb-innovation.de domain to HistoryBlock =)
And I turned off accept third-party cookies so one domain can not access cookies from other.
If they figure me out I will let you know =)


I hope you're right and those tests are working fine but you should take into account that what.cd's mods are not humans! They are some machines from the future sent back in time to protect their freaking site where only the right ones shall exist. They love w.cd more than their own mothers. :rolleyes:

anon
28.04.12, 19:03
And I turned off accept third-party cookies so one domain can not access cookies from other.

That's not how it works. Sites can never "read" cookies from outside their domains.

1. I visit example1.com with 3rd party cookies enabled, and an image from adserver.com is loaded. They set a cookie, and of course my browser stores it.
2. I visit example2.net which has another image from adserver.com. The cookie that was set before is sent to them. Now they know I'm the same visitor as before, and can build a profile of my visits on any site they serve ads on, but they can't read my cookies in any of them - only their own.

With third-party cookies disabled, the cookie from adserver.com is never set in step 1, and of course they can't read it in step 2 either. Which still makes it a great idea, by all means.
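
The two steps described above, modelled as a small browser cookie jar (an added example, not part of the original post; the `Browser`, `Server` and `simulate` names are made up here, and the model covers only per-domain cookie scoping and a block-all third-party switch):

```javascript
// Constructed model: domains are the placeholders used in the post above.
class Browser {
  constructor({ blockThirdParty }) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie domain -> value; a cookie belongs to the domain that set it
  }
  // Fetch one resource; topSite is the site shown in the address bar.
  request(server, topSite) {
    const thirdParty = server.domain !== topSite;
    const allowed = !(thirdParty && this.blockThirdParty);
    // Only the cookie stored for server.domain is ever attached to the request.
    const sent = allowed ? this.jar.get(server.domain) : undefined;
    const setCookie = server.handle({ cookie: sent, referer: topSite });
    if (setCookie && allowed) this.jar.set(server.domain, setCookie);
  }
  // Visit a page that embeds resources (e.g. an ad image) from other servers.
  visit(site, embedded = []) {
    this.request(site, site.domain);
    for (const s of embedded) this.request(s, site.domain);
  }
}

class Server {
  constructor(domain) { this.domain = domain; this.log = []; this.nextId = 1; }
  handle({ cookie, referer }) {
    const id = cookie || `${this.domain}-visitor-${this.nextId++}`;
    this.log.push({ id, cookieSeen: cookie, referer });
    return cookie ? null : id; // set a cookie only when none was presented
  }
}

function simulate(blockThirdParty) {
  const ex1 = new Server("example1.com");
  const ex2 = new Server("example2.net");
  const ads = new Server("adserver.com");
  const browser = new Browser({ blockThirdParty });
  browser.visit(ex1, [ads]); // step 1 in the post
  browser.visit(ex2, [ads]); // step 2 in the post
  return {
    // Same visitor id seen on both sites means the ad server can build a profile.
    adsLinkedVisits: new Set(ads.log.map(e => e.id)).size === 1,
    adsSawSites: ads.log.map(e => e.referer),
    ex2SawCookie: ex2.log[0].cookieSeen, // never another domain's cookie
    storedDomains: [...browser.jar.keys()].sort(),
  };
}

console.log("3rd-party cookies on: ", simulate(false));
console.log("3rd-party cookies off:", simulate(true));
```

In both runs `example2.net` receives no cookie at all on its first request; the only thing the setting changes is whether `adserver.com` gets its own cookie back on the second site.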

ljhonn95
25.05.12, 16:55
Hello,

I remembered browsing this forum and saw a post that some trackers could find out if you're using this forum based on your browsing history and you will be instantly banned, is that true? If yes, what trackers implement that?

shoulder
25.05.12, 17:27
It is/was true.

I'm not sure about all browsers, but Firefox fixed the issue.

anon
25.05.12, 18:45
I remembered browsing this forum and saw a post that some trackers could find out if you're using this forum based on your browsing history and you will be instantly banned, is that true? If yes, what trackers implement that?

We have an announcement on the BT Talk section and subforums.

Announcements - BitTorrent Talk (http://www.sb-innovation.de/announcement.php?f=56)

ParamouR
25.05.12, 19:09
This should be relevant : http://www.sb-innovation.de/showthread.php?threadid=13725

I understand so far what does!

anon
29.05.12, 21:20
I hear whispers setting the "Visited Links State" value to 0 in Opera fixes the leak, and with whispers I mean I verified it myself.

axanon1
06.11.17, 15:36
Is this fixed in current browsers? Chrome, Firefox? Or should I still use another browser to visit the forum?

H265
06.11.17, 16:01
Is this fixed in current browsers? Chrome, Firefox? Or should I still use another browser to visit the forum?

it's already fixed. No need to use different browsers.

anon
07.11.17, 16:55
Yes, this is already fixed in all major browsers (see gu5t3r's posts at the top of this page), so this thread is another monument.

Special thanks go to KalPenn for being the first to share information about this exploit, and shoulder for taking the initiative to research it thoroughly and share solutions. Back in 2009 I had portable versions of Internet Explorer 7 and Safari I used just for trackers =]