Internet Privacy: Start Panic Tells You Where You Have Been
Start Panic is a free online service designed to highlight privacy issues in browsers by detecting sites visited in the past.
Internet privacy (also know as online privacy or web privacy) has become a hot topic in the past couple of years as privacy invasive marketing techniques and information-stealing malware has been on the rise.
Some users install security and privacy software on their system, for instance in the form of desktop applications or browser add-ons, to protect the system against possible data leaks and other privacy related issues that may occur.
Other common protective measures include clearing browser cookies regularly, or deleting the browsing history.
Start Panic
Start Panic tries to raise public awareness for Internet privacy issues on the service's website. The makers have implemented a script on the site that attempts to find out sites that the user visited in previous browsing sessions.
Two aspects make this interesting. The first is that it is a cross-browser solution.
It works in all major web browsers including Microsoft Internet Explorer, Mozilla Firefox, Opera, Google Chrome and Safari. The second aspect is that it will display results even if the user clears the web browser's history, cookies and cache regularly.
The reason here is that the browsing history gets recorded while the Internet browser is being used. While it may have been cleared recently, the most recent entries are still all accessible unless the history has been cleared right before the Start Panic website has been opened.
You can start the process by clicking on the lets start button there. It can take a minute or two before the results are displayed. The list should contain the list of websites that have been visited in this browsing session. It might contain more websites if the user is not deleting the history regularly.
Little is revealed about how the script does its magic but it seems to rely on JavaScript. Anyone with JavaScript disabled in the web browser does not have to fear this privacy issue.
The service seems to use style information to determine whether websites have been visited or not. The browser records those and will paint them different than links that have not been visited. It is very likely that only top sites are checked.
Update: Note that most browsers appear to have plugged the privacy issue, so that it is no longer possible to determine which sites have been visited using the site or script.
There’s something similar (but faster) at:
http://linuxbox.co.uk/stealing-browser-history-with-javascipt-and-css.php
• The “InPrivate Browsing†feature of IE8 doesn’t allow for CSS visited link detection.
• The “Private Browsing†mode of Firefox 3.5 doesn’t allow for CSS visited link detection.
• The “Incognito†mode of Chrome 2.0 doesn’t allow for CSS visited link detection.
So:
• If you browse untrusted sites in private mode, those untrusted sites cannot sniff any visits at all.
• Or, if you browse trusted sites in private mode, visits to those trusted sites cannot be sniffed, even from non-private mode.
After analyzing it gave me… nothing. I clear browsing history and cookies regularly, but I already had visited a few sites in the same session. So at least these sited should have been on the list!!! I have Java installed and no, I don’t use a scriptblocker.
Still, I know that doesn’t mean that my IP-address or other information isn’t gathered and stored in databases on different sites. There is no way Start Panic can know that information.
Tried it and it works if I enable the site in NoScript.
This would seem to be a security hole to me. We all know that your ISP can see everyplace you visit but why should ANY random site using this technology be able to interrogate a person’s browser history??? Does not make any sense!
Knowing where you have visited could be advantageous to a site, particularly one that knows your real name, but what is the advantage for the user?
I signed the petition on the site. Hope something gets done about this.
Well aside from NoScript I have the SafeCache and SafeHistory extensions. Very much worth having those.
It’s from 2007 and it doesn’t need Javascript
http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript
@Martin
I am just fond of solving problems by ignoring them. :)
Privacy online is long gone. Disabling scripts reduces amount of information that can be gathered about you but hardly eliminates possibility.
This is hardly new. As far as I remember last one checked links for visited status.
Maybe I am jaded but these things don’t even scare me anymore. Viruses are real trouble. This is… just life online.
Hah so you’ve given up? I use NoScript :)