Web browser history detection as a real-world privacy threat

Authors:
Artur Janc;Lukasz Olejnik
Affiliations:
-;-
Venue:
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Year:
2010

Citing 6
Cited 6

Timing attacks on Web privacy

Proceedings of the 7th ACM conference on Computer and communications security
Invasive browser sniffing and countermeasures

Proceedings of the 15th international conference on World Wide Web
Protecting browser state from web privacy attacks

Proceedings of the 15th international conference on World Wide Web
Social phishing

Communications of the ACM
Web Camouflage: Protecting Your Clients from Browser-Sniffing Attacks

IEEE Security and Privacy
A Practical Attack to De-anonymize Social Network Users

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy

Timing is everything: the importance of history detection

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Malice versus AN.ON: possible risks of missing replay and integrity protection

FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Scriptless attacks: stealing the pie without touching the sill

Proceedings of the 2012 ACM conference on Computer and communications security
The bug that made me president a browser- and web-security case study on helios voting

VoteID'11 Proceedings of the Third international conference on E-Voting and Identity
I know the shortened URLs you clicked on Twitter: inference attack using public click analytics and Twitter metadata

Proceedings of the 22nd international conference on World Wide Web
Flow stealing: A well-timed redirection attack

Journal of Computer Security - Research in Computer Security and Privacy: Emerging Trends

Quantified Score

Hi-index	0.01

Visualization

Abstract

Web browser history detection using CSS visited styles has long been dismissed as an issue of marginal impact. However, due to recent changes in Web usage patterns, coupled with browser performance improvements, the long-standing issue has now become a significant threat to the privacy of Internet users. In this paper we analyze the impact of CSS-based history detection and demonstrate the feasibility of conducting practical attacks with minimal resources. We analyze Web browser behavior and detectability of content loaded via standard protocols and with various HTTP response codes. We develop an algorithm for efficient examination of large link sets and evaluate its performance in modern browsers. Compared to existing methods our approach is up to 6 times faster, and is able to detect up to 30,000 visited links per second. We present a novel Web application capable of effectively detecting clients' browsing histories and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76% of Internet users are vulnerable to history detection, including over 94% of Google Chrome users; for a test of most popular Internet websites we were able to detect, on average, 62.6 (median 22) visited locations per client. We also demonstrate the potential to profile users based on social news stories they visited, and to detect private data such as zipcodes or search queries typed into online forms.