CSS History Leak and how to prevent it even with enabled history [Firefox & Opera]

**sudar02** · 29.06.10, 19:40

Oh, well, that's perfect. Because NoScript is giving me hard time using the site.

**SBfreak** · 29.06.10, 19:45

SBi or what.cd??
You did allow sbi didn't you

**sudar02** · 29.06.10, 19:47

Originally Posted by SBfreak

SBi or what.cd??
You did allow sbi didn't you

Yeah, I allow almost everything except trackers. But most of the trackers are gazelle oriented so there's the problem :) I can't even look at the peerlist. xD

**Grambo** · 01.07.10, 05:29

I decided to turn history off and only use Speed Dial addon for FF.

**Instab** · 24.07.10, 07:17

looks like they finally fixed it MFSA 2010-46: Cross-domain data theft using CSS

**Blocker** · 24.07.10, 18:00

Originally Posted by Instab

looks like they finally fixed it MFSA 2010-46: Cross-domain data theft using CSS

So does this firefox add-on will prevent CSS History Leak?

Description

Description

Google security researcher Chris Evans reported that data can be read across domains by injecting bogus CSS selectors into a target site and then retrieving the data using JavaScript APIs. If an attacker can inject opening and closing portions of a CSS selector into points A and B of a target page, then the region between the two injection points becomes readable to JavaScript through, for example, the getComputedStyle() API.

**anon** · 24.07.10, 18:01

Did you actually click on the link?

**Blocker** · 24.07.10, 18:17

Yap sorry ,it's a security announce not an add-on

**Ultraviolet** · 04.08.10, 21:24

Damn, guess I should have read this thread, before visiting what.cd in Firefox with SB-I still open...

Feel a little tension crawling up my spine, if my account will be disabled in a few ...seconds, days, weeks (?).

I'll keep you updated.

**anon** · 04.08.10, 21:26

In the meantime it'd be a good idea to shield yourself up.

Remember only setting layout.css.visited_links_enabled to false can protect you against the randomstring attack:
http://ha.ckers.org/weird/CSS-history.cgi

**Resurrection** · 05.08.10, 05:54

For firefox i started

Stanford SafeHistory

Stanford SafeCache

after i became a member of this site...

I'm sure most of you must have known about the plugins...Very handy tool to have when you are in the cheating business...

**Instab** · 05.08.10, 06:12

Originally Posted by Resurrection

For firefox i started

Stanford SafeHistory

Stanford SafeCache

after i became a member of this site...

I'm sure most of you must have known about the plugins...Very handy tool to have when you are in the cheating business...

yes, both are great but be sure to do the steps from our guide anyway

**anon** · 05.08.10, 14:38

Originally Posted by Resurrection

Stanford SafeHistory

Does this one protect you against the leak test I posted above you?

**Resurrection** · 05.08.10, 16:27

Haha...it told me a bunch of websites I've NOT visited and there is a blank in The following sites were visited: so I suppose I can log on to TL from here...

But I think the test is 2006 old...

Maybe codes have improved since...

I'd like to test these add-ons on a more modern script...

**anon** · 05.08.10, 16:29

TL isn't using the CSS leak.

The test may be somewhat old, but NoScript and the anti-leak stylesheet still don't seem to prevent it from reading your history, so...

Thread: CSS History Leak and how to prevent it even with enabled history [Firefox & Opera]

Thread Tools

Who Said Thanks:

Who Said Thanks:

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions