CSS History Leak and how to prevent it even with enabled history [Firefox & Opera]

**shoulder** · 03.07.09, 15:40

What is it?

Perhaps you've already heard or know about it.

As you can see, your browser differences between nonvisited and already visited links. By default, different colors are used, traditionally blue and purple, respectively. This makes it possible for a "hit and miss" principle attack to "read" your history, even without JavaScript.

How does it work?

In principle, it's very simple.

A hidden iFrame loads a lot of hidden links. There will be a Cascading Style Sheet provided to the browser to "poll" if one of those links has already been visited.

A CSS is supplied, which forces the browser to check if any of these links is flagged as visited - and if so, to load a background image, which is different for each link.

This is on the same server from which the attack is being executed, or any other one the attacked has access to, and it's not a real image file, but a script that's stored and processed.

Example:
www.a.de (www.myserver.de/a.jpg)
www.b.de (www.myserver.de/b.jpg)
www.c.de (www.myserver.de/c.jpg)

If a link is visited, each respective background (shown above between parentheses) is loaded, and the script registers a hit.

This means that if the scripts logs a request for a.jpg and c.jpg, it means the user has visited www.a.de and www.c.de, but not www.b.de.

As you can see and I said before, it's based on a "hit and miss" principle, meaning it can't read the history directly, but only ask for specific links.

What's the danger?

Trackers could use this system to catch SB-I, SM, etc. users, which will certainly end up with a ban.

Can we prevent it?

Firefox

Yes. I'll show you how to do it in Firefox.

Inside your Firefox profile's directory, there's a folder called chrome, which contains a file called userContent.css. If it doesn't, create it. (Pay attention to the extension, it's not userContent.css.txt but userContent.css).

It'll have the following line:

PHP Code:


a:visited { background-image: none !important; }

This line globally disables background loading for visited links. The user-defined !important parameter overrides any Web site-defined CSS.

Does it work?

Yes, I have tested it.

The page below scans your history, and hits are visible on the left side. Even if just one appears, this means you're vulnerable to the attack.

Stealing your history...

Opera

Big Thx to anon for translation.

German

**noobglitch** · 04.07.09, 03:18

Any idea on how to prevent this? (java) Aside from using noscript.

http://www.making-the-web.com/misc/sites-you-visit/

**anon** · 04.07.09, 18:40

I think using NoScript is the only way - and avoiding things like this is what NS was designed for.

**noobglitch** · 05.07.09, 09:39

EDIT: The javascript leak works on opera

The css leak crashes opera

**alpacino** · 05.07.09, 10:26

Originally Posted by noobglitch

The javascript leak doesn't work on opera
The css leak crashes opera

If only opera had an adblock, I will use it as my default browser.

Sorry, I don't understand, are you saying Opera is 100% safe agains CSS history leak?
edit: ok understood.

**naughtydog** · 05.07.09, 10:35

Oh my God im scared now, can you create the userContent.css folder and put here so i just download it pls? I dont knw how to make a .css folder

**noobglitch** · 05.07.09, 10:39

Originally Posted by alpacino

Sorry, I don't understand, are you saying Opera is 100% safe agains CSS history leak?

My opera stop responding, while scanning (css leak). I have to force close it.

I got p3 500mhz, 256mb ram. Maybe you should try it on your rig.

In firefox, no crashes in javascript & css leak. And it scanned all my history!

EDIT: OMFG even in opera the javascript leak works!

**naughtydog** · 05.07.09, 10:43

In firefox, no crashes in javascript & css leak. And it scanned all my history!

I also tried and believe you me all my history is on there

need help with this as quick as I can.

**noobglitch** · 05.07.09, 11:01

I uploaded it for you

48 bytes
userContent.css

Path:
C:\Documents and Settings\XXXX\Application Data\Mozilla\Firefox\Profiles\XXX.default\chrome

**naughtydog** · 05.07.09, 11:09

Thanks noobglitch, i was putting in program files, mozilla, chrome.... i guess that was it. works fine now

**anon** · 05.07.09, 19:47

Originally Posted by noobglitch

The css leak crashes opera

Because of your low system resources. It needs a lot of power - I have an Athlon XP 3000+ and it greatly slows down the browser until I close it.

Also, in Opera, you can use BlockIt to avoid the JS leak.

**sbrocks** · 06.07.09, 07:55

Also, in Opera, you can use BlockIt to avoid the JS leak.

/offtopic

is there a sprits like adblocker in ff for opera to use?

/offtopic

**anon** · 06.07.09, 18:41

Opera has a built-in "content blocker". Download fanboy's Opera ad list and you should be fine.

**Haggar** · 07.07.09, 04:42

Hi, tried both versions of that page script to detect my firefox history, but nothing was found, i never clean my browser's history, must be because i'm behind a router. So if that page can't detect my history maybe trackers can't either.

**alpacino** · 07.07.09, 04:51

Originally Posted by Haggar

Hi, tried both versions of that page script to detect my firefox history, but nothing was found, i never clean my browser's history, must be because i'm behind a router. So if that page can't detect my history maybe trackers can't either.

As I've been told before, this attack doesn't guesses your history, it works on a hit and miss basis to see if you visited some places. So to be safe, you can resort to using different browser to sb-i and trackers or cleaning up private data before login to trackers. Or if you use firefox, you could try the css fix by shoulder