+ Reply to Thread
Page 1 of 15 12311 ... LastLast
Results 1 to 15 of 223

Thread: CSS History Leak and how to prevent it even with enabled history [Firefox & Opera]

  1. #1
    Moderator
    shoulder's Avatar
    Join Date
    12.04.08
    Location
    I*** D* M*****
    Posts
    4,827
    Activity Longevity
    4/20 19/20
    Today Posts
    0/5 sssss4827

    CSS History Leak and how to prevent it even with enabled history [Firefox & Opera]

    What is it?

    Perhaps you've already heard or know about it.

    As you can see, your browser differences between nonvisited and already visited links. By default, different colors are used, traditionally blue and purple, respectively. This makes it possible for a "hit and miss" principle attack to "read" your history, even without JavaScript.

    How does it work?

    In principle, it's very simple.

    A hidden iFrame loads a lot of hidden links. There will be a Cascading Style Sheet provided to the browser to "poll" if one of those links has already been visited.

    A CSS is supplied, which forces the browser to check if any of these links is flagged as visited - and if so, to load a background image, which is different for each link.

    This is on the same server from which the attack is being executed, or any other one the attacked has access to, and it's not a real image file, but a script that's stored and processed.

    Example:
    www.a.de (www.myserver.de/a.jpg)
    www.b.de (www.myserver.de/b.jpg)
    www.c.de (www.myserver.de/c.jpg)

    If a link is visited, each respective background (shown above between parentheses) is loaded, and the script registers a hit.

    This means that if the scripts logs a request for a.jpg and c.jpg, it means the user has visited www.a.de and www.c.de, but not www.b.de.

    As you can see and I said before, it's based on a "hit and miss" principle, meaning it can't read the history directly, but only ask for specific links.

    What's the danger?

    Trackers could use this system to catch SB-I, SM, etc. users, which will certainly end up with a ban.

    Can we prevent it?

    Firefox

    Yes. I'll show you how to do it in Firefox.

    Inside your Firefox profile's directory, there's a folder called chrome, which contains a file called userContent.css. If it doesn't, create it. (Pay attention to the extension, it's not userContent.css.txt but userContent.css).

    It'll have the following line:
    PHP Code:
    a:visited background-imagenone !important; } 
    This line globally disables background loading for visited links. The user-defined !important parameter overrides any Web site-defined CSS.

    Does it work?

    Yes, I have tested it.

    The page below scans your history, and hits are visible on the left side. Even if just one appears, this means you're vulnerable to the attack.

    Stealing your history...

    Opera



    Big Thx to anon for translation.


    German



    ------------------------------>>>>>>>>>> <<<<<<<<<<------------------------------

    Reply With QuoteReply With Quote
    Thanks

  2. Who Said Thanks:

    ParamouR (25.05.12) , Charlottenburg (10.05.12) , pleomax (31.03.12) , ErRor (11.08.11) , Lucius (06.08.11) , Socialdemo (16.04.11) , MiCRON (03.02.11) , Clair (21.10.10) , seldom (08.09.10) , Vuze-Sbi (23.07.10) , hellman (01.07.10) , Nobody (01.07.10) , _147258369_ (14.06.10) , sudar02 (07.06.10) , Extraterrestrial (27.05.10) , C3PO (21.05.10) , mmmmm (23.02.10) , leyla (16.12.09) , GotIt (07.12.09) , Nickname (12.08.09) , kelly (20.07.09) , divlord (16.07.09) , SealLion (16.07.09) , Tarantino (15.07.09) , rom08 (15.07.09) , cutiepie (15.07.09) , vDD+wR (06.07.09) , cheatos (06.07.09) , naughtydog (05.07.09) , alpacino (04.07.09) , Renk (03.07.09) , slikrapid (03.07.09) , anonftw (03.07.09) , KalPenn (03.07.09) , hitman (03.07.09) , Dark Knight (03.07.09) , splicer (03.07.09) , Mihai (03.07.09) , anon (03.07.09)

  3. #2

    Join Date
    28.06.09
    P2P Client
    utorrent
    Posts
    65
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss65
    Any idea on how to prevent this? (java) Aside from using noscript.

    http://www.making-the-web.com/misc/sites-you-visit/
    Last edited by noobglitch; 04.07.09 at 03:36. Reason: got it
    Reply With QuoteReply With Quote
    Thanks

  4. #3
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    I think using NoScript is the only way - and avoiding things like this is what NS was designed for.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  5. #4

    Join Date
    28.06.09
    P2P Client
    utorrent
    Posts
    65
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss65
    EDIT: The javascript leak works on opera

    The css leak crashes opera
    Last edited by noobglitch; 05.07.09 at 10:44. Reason: woops
    Reply With QuoteReply With Quote
    Thanks

  6. #5
    Advanced User alpacino's Avatar
    Join Date
    19.03.09
    Location
    locked in Alchemilla Hospital
    P2P Client
    none, just the toolz
    Posts
    2,059
    Activity Longevity
    5/20 18/20
    Today Posts
    1/5 sssss2059
    Quote Originally Posted by noobglitch View Post
    The javascript leak doesn't work on opera
    The css leak crashes opera

    If only opera had an adblock, I will use it as my default browser.
    Sorry, I don't understand, are you saying Opera is 100% safe agains CSS history leak?
    edit: ok understood.
    Last edited by alpacino; 06.07.09 at 00:06.
    it's hip to be square
    Reply With QuoteReply With Quote
    Thanks

  7. #6

    Join Date
    15.06.09
    Location
    Naughty Land
    P2P Client
    Bitcomet & Utorrent
    Posts
    246
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss246
    Oh my God im scared now, can you create the userContent.css folder and put here so i just download it pls? I dont knw how to make a .css folder
    Reply With QuoteReply With Quote
    Thanks

  8. #7

    Join Date
    28.06.09
    P2P Client
    utorrent
    Posts
    65
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss65
    Quote Originally Posted by alpacino View Post
    Sorry, I don't understand, are you saying Opera is 100% safe agains CSS history leak?
    My opera stop responding, while scanning (css leak). I have to force close it.

    I got p3 500mhz, 256mb ram. Maybe you should try it on your rig.

    In firefox, no crashes in javascript & css leak. And it scanned all my history!

    EDIT: OMFG even in opera the javascript leak works!
    Last edited by noobglitch; 05.07.09 at 10:42. Reason: omfg
    Reply With QuoteReply With Quote
    Thanks

  9. #8

    Join Date
    15.06.09
    Location
    Naughty Land
    P2P Client
    Bitcomet & Utorrent
    Posts
    246
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss246
    In firefox, no crashes in javascript & css leak. And it scanned all my history!
    I also tried and believe you me all my history is on there need help with this as quick as I can.
    Reply With QuoteReply With Quote
    Thanks

  10. #9

    Join Date
    28.06.09
    P2P Client
    utorrent
    Posts
    65
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss65
    I uploaded it for you 48 bytes
    userContent.css

    Path:
    C:\Documents and Settings\XXXX\Application Data\Mozilla\Firefox\Profiles\XXX.default\chrome
    Last edited by noobglitch; 05.07.09 at 11:03. Reason: rename
    Reply With QuoteReply With Quote
    Thanks

  11. #10

    Join Date
    15.06.09
    Location
    Naughty Land
    P2P Client
    Bitcomet & Utorrent
    Posts
    246
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss246
    Thanks noobglitch, i was putting in program files, mozilla, chrome.... i guess that was it. works fine now
    Reply With QuoteReply With Quote
    Thanks

  12. #11
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Quote Originally Posted by noobglitch View Post
    The css leak crashes opera
    Because of your low system resources. It needs a lot of power - I have an Athlon XP 3000+ and it greatly slows down the browser until I close it.

    Also, in Opera, you can use BlockIt to avoid the JS leak.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  13. #12

    Join Date
    15.06.09
    Posts
    153
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss153
    Also, in Opera, you can use BlockIt to avoid the JS leak.
    /offtopic

    is there a sprits like adblocker in ff for opera to use?


    /offtopic
    Reply With QuoteReply With Quote
    Thanks

  14. #13
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Opera has a built-in "content blocker". Download fanboy's Opera ad list and you should be fine.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  15. #14

    Join Date
    20.04.09
    Posts
    154
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss154
    Hi, tried both versions of that page script to detect my firefox history, but nothing was found, i never clean my browser's history, must be because i'm behind a router. So if that page can't detect my history maybe trackers can't either.
    Last edited by Haggar; 07.07.09 at 04:42.
    Reply With QuoteReply With Quote
    Thanks

  16. #15
    Advanced User alpacino's Avatar
    Join Date
    19.03.09
    Location
    locked in Alchemilla Hospital
    P2P Client
    none, just the toolz
    Posts
    2,059
    Activity Longevity
    5/20 18/20
    Today Posts
    1/5 sssss2059
    Quote Originally Posted by Haggar View Post
    Hi, tried both versions of that page script to detect my firefox history, but nothing was found, i never clean my browser's history, must be because i'm behind a router. So if that page can't detect my history maybe trackers can't either.
    As I've been told before, this attack doesn't guesses your history, it works on a hit and miss basis to see if you visited some places. So to be safe, you can resort to using different browser to sb-i and trackers or cleaning up private data before login to trackers. Or if you use firefox, you could try the css fix by shoulder
    Last edited by alpacino; 07.07.09 at 04:56.
    it's hip to be square
    Reply With QuoteReply With Quote
    Thanks

+ Reply to Thread
Page 1 of 15 12311 ... LastLast

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •