New css attack

[- - - Julia♥]

Here are my settings in case anybody wishes to try them out...
*image*

With "history" I mean just your browsing history.

Judging from the screenshot, you've disabled it. That probably deals with this leak, just like it does with the "classic" one.

 

[Abyel47]

It uses the fact that properties within display: when combined with a:visited creates conditional logic. That condition will not fire certain things within the block. In this case I am including a nonexitant background image background: url(...); set in the CSS itself that is seemless to the user. The image actually points to a CGI script with the information about the URL that has been visited and is then logged along with the IP address of the user for later retrieval.

I took the picture with no-script and anti-css leak script running at the same time.
Pretty scary that this can make it past all this extra security.

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.

 

[lh1093]

Yes, I know but Mozilla is the only one who will address this within the next year

IE will allow this to go on for ages, as they most likely don't care at all.

Ya I misread I thought you were saying that this affected only firefox. :lol:
I edited my post.

 

[Tommy O]

Using a separate browser for What.cd trackers sites that may attempt to read your history keeps on being the best choice.

*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.

What about disabling history entirely?

 

[casie p]

What about disabling history entirely?

I have not tried it yet....

here is the link to the test site. (the one I tested with, in the picture I uploaded)

http://ha.ckers.org/weird/CSS-history.cgi

 

[Gigglygyal]

http://ha.ckers.org/weird/CSS-history.cgi

It's the same in Opera. Even with history and JavaScript disabled and the anti-leak stylesheet.

 

[chilling]

Yes that is basically private browsing lol

Ya I misread I thought you were saying that this affected only firefox.
I edited my post.

It's fine, I just expect alot from firefox lol.

 

[peehcm]

You absolutely have to love that extra security you're getting from disabling history. Hehe... :naughty:

 

[soccer princess♥]

For some weird reason, it's not working with me. :blink:

I don't have the anti-leak script, NoScript, or anything else.

 

[Tania S]

For some weird reason, it's not working with me. :blink:

I don't have the anti-leak script, NoScript, or anything else.

History disabled or private browsing maybe?

 

[Itachi587 (Bud)]

I'm not using private browsing, but I am using custom settings for history.

 

[call me daddy x]

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

Well all browser makers are going to have to come up with something, and that probably means the w3c coming up with a new css spec for a:visited that disables background-urls that aren't inherited from a:link. :wacko:

 

[mogley]

That site and What The Internet Knows About You still shows that I haven't visited anything.

I'm using Opera 10.60, the css fix, and history disabled.

 

[TheFamilyAccount]

You absolutely have to love that extra security you're getting from disabling history.

Shame only Firefox users seem to be able to claim that :ermm:

 

[Nicole]

I'm missing how this is mozilla specific.
It will have the same effect in every browser that supports css a:visited. :wacko:

Yes, I know but Mozilla is the only one who will address this within the next year

IE will allow this to go on for ages, as they most likely don't care at all.

 

[viky_khanna]

For a second there I thought about moving this thread to a more relevant forum.

Then I realized that this probably is the most relevant forum, as this is the forum where the people who visit are most likely to get their IP phished, and at the same time, most likely to care about getting their IP phished.

Isn't BT great.

:dabs:

 

[Allisonツ☮]

For a second there I thought about moving this thread to a more relevant forum.

Then I realized that this probably is the most relevant forum, as this is the forum where the people who visit are most likely to get their IP phished, and at the same time, most likely to care about getting their IP phished.

Isn't BT great.

:dabs:

Lol I was debating on putting it in Internet, Programming and Graphics...

 

[MELANiE♥]

Here are my settings in case anybody wishes to try them out...

Let us (FST) know if it works for you so we can spread the word.

 

[arturo m]

As I understand it, disabling history prevents this attack, so that would explain it.

Is there a CSS fix you'd be able to employ against this, or is disabling history the only fix?

 

[Fluffy Hamster]

So what precisely is this detecting? Your browse history rather than the presence of a:visited? Because the description implied it was catching a cascaded event during the click of a link, but the test page did correctly detect a link visited while NOT viewing the page itself so that seems unlikely.