Mozilla Plugs The CSS History Leak

Martin Brinkmann
Mar 31, 2010
Updated • Jul 28, 2016

All web browsers are currently vulnerable to a CSS history leak which enables attackers to test if a particular site was visited by a user in the browser used to connect to the site.

The CSS leak makes use of a feature of CSS that colors visited and non-visited links differently. All the attacker needs to do is display a huge list of possible sites on a page and check the color of each link to see which sites have been visited.

Basically, a huge list of links is added to a page (it can be hidden). The browser uses a different color for visited links, and the script on the site just needs to check which of the links match that color to know that a user went to that site before.

The scripts are currently testing more than 200K URLs per minute, which should be enough to create a solid profile of nearly any web user.

Some factors mitigate the problem, such as clearing the history regularly.

Mozilla developers have now come up with a solution for the problem that applies three changes to the way links are styled in the web browser.

The Mozilla blog has a fairly long article up with technical details, as does David Baron, whose solution was picked to plug the CSS history leak in the web browser.

The three changes take care of layout-based attacks, timing attacks, and computed style attacks.

  • layout-based attacks: Mozilla decided to limit the styling that can be done to visited links.
  • timing attacks: eliminates attacks that distinguish visited from unvisited links by measuring the time it takes to resolve those.
  • computed style attacks: returns the unvisited style if a script attempts to get the computed style of a link.
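The layout-based change has a side effect for site authors: any non-color declaration in a `:visited` rule stops having an effect. The following added example (not Mozilla's code, not from the original article) audits a stylesheet for such declarations; the function names are hypothetical and the property allowlist is an assumption based on the color-only set documented for browsers that adopted this fix.

```javascript
// Added example (not Mozilla's code): audit a stylesheet for :visited rules
// that rely on properties a browser with the layout-based fix ignores.
// Assumption: the allowlist is the original color-only set documented for
// the fix; it is not listed in the article and newer browsers extend it.
const VISITED_ALLOWED = [
  /^color$/, /^background-color$/, /^border(-(top|right|bottom|left))?-color$/,
  /^outline-color$/, /^column-rule-color$/, /^fill$/, /^stroke$/,
];

// Minimal rule splitter: handles flat "selector { decls }" blocks only
// (no @media nesting), which is enough for the constructed sample below.
function parseRules(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    const declarations = m[2].split(";")
      .map((d) => d.split(":"))
      .filter((p) => p.length >= 2)
      .map((p) => ({ prop: p[0].trim().toLowerCase(), value: p.slice(1).join(":").trim() }));
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// Returns one finding per declaration that has no effect on visited links.
function auditVisitedRules(css) {
  const findings = [];
  for (const rule of parseRules(css)) {
    if (!/:visited\b/i.test(rule.selector)) continue; // only :visited rules matter
    for (const d of rule.declarations) {
      if (!VISITED_ALLOWED.some((re) => re.test(d.prop))) {
        findings.push({ selector: rule.selector, prop: d.prop, value: d.value });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet.
const SAMPLE_CSS = `
a:link    { color: blue; }
a:visited { color: purple; text-decoration: line-through; font-weight: bold; }
nav a:visited { border-bottom-color: gray; display: none; }
`;

console.log(auditVisitedRules(SAMPLE_CSS));
```

Each finding is a declaration to move out of the `:visited` rule or replace with a color-only cue.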

It is not yet clear when this will make its way into the Firefox web browser but it is likely that it will be implemented soon.

Users who do not want to wait can protect their computers from the leak by setting the layout.css.visited_links_enabled option in about:config to false, which has the consequence that no styling for visited links is displayed in the web browser.

Users of all web browsers who want to test what a script could find out about their surfing habits can visit the Start Panic website.

Update:

All modern browsers are protected against these kinds of attacks now.

The website mentioned in the last sentence should not display any sites that you have visited in the past if you are using a modern web browser.

There is no need anymore to restrict the styling of visited links in your web browser, but you can still do so if you want.


Comments

  1. Ben Hunt said on December 21, 2010 at 10:11 pm
  2. FL said on May 21, 2010 at 4:33 pm

    This related article also highlights the concerns being raised:

    Most browsers silently expose intimate viewing habits

    * Alert
    * Print
    * Post comment

    Zip codes, news articles, free for the taking

    http://www.theregister.co.uk/2010/05/20/browser_history_attack/

    and gives the url:

    http://whattheinternetknowsaboutyou.com/
    putting more meat of those data breach bones.

  3. hh said on April 8, 2010 at 7:26 pm

    Um, changing the colours will do nothing to fix the issue. It still can be sniffed via the CSS :visited pseudo-class.

  4. kingpin said on April 2, 2010 at 9:04 am

    Hi Will,
    Thanks for help in IE8:)

    Now tell me what to do about opera?

    Anything I have to change in Opera: Preferences > Web Pages > Normal link color / Visited link color??

  5. Diego Alejandro Muñoz said on March 31, 2010 at 11:57 pm

    You can check this site for more info and some solutions:

    http://whattheinternetknowsaboutyou.com/

  6. Will said on March 31, 2010 at 11:57 pm

    Hi kingpin,

    IE: Internet Options > Appearance (Bottom) > Colors > Visited / Unvisited.

    Uncheck “Use Windows colors” if it is checked so you can change the options.

    Opera: Preferences > Web Pages > Normal link color / Visited link color

    See: http://www.opera.com/support/usingopera/operaini/#vlink

    Hope that helps,

    Will

  7. kingpin said on March 31, 2010 at 10:09 pm

    Martin,
    Where do I set CSS visited links option in IE and Opera? As you can see I am not a Firefox user.

    1. Martin said on March 31, 2010 at 10:26 pm

      I’m not an expert on the topic but you could either change the colors of links and visited links to the same or disable the history in those web browsers. I do not think that they have an option to turn it off completely. I’m not sure on the effectiveness of this though, you may want to ask an expert on the topic or test it at the Panic site to see if they cannot identify the sites you have been on anymore after making the changes.
