December 02, 2010
Image credit: UC San Diego
History sniffing can be used by website owners to learn which competitor sites visitors have or have not been to. History sniffing can also be deployed by advertising companies looking to build user profiles, or by online criminals collecting information for future phishing attacks. Learning what banking site you visit, for example, suggests which fake banking page to serve up during a phishing attack aimed at collecting your bank account login information.
The latest versions of Firefox, Chrome, and Safari now block the history sniffing attacks the computer scientists monitored. Internet Explorer, however, does not currently defend against history sniffing. In addition, anyone using anything but the latest versions of the patched browsers is also vulnerable.
Sniffing out History Sniffing
The computer scientists looked for history sniffing on the front pages of the top 50,000 websites, according to Alexa global website rankings. They found that 485 of the top 50,000 sites inspect style properties that can be used to infer the browser's history. Out of 485 sites, 63 transferred the browser's history to the network. “We confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100,” the UC San Diego computer scientists write in the CCS 2010 paper:
Media Contact: Daniel Kane (858) 534-3262 or email@example.com