For a while, I’ve been working on this. Now that I saw something similar on a Slashdot article I decided to publish my own research. The truth is that the problem uncovered by that article handles the problem of handling your own users – maybe other site’s users if they use those kind of tracking and an “exploiter” site includes that javascript.
My research showed me that a specially crafted site can track some of your steps and use that data for good, and evil. Some possible uses are to “index” the news you saw on Slashdot, Cnn, Etc… and create a profile that can be used to display better ads, or better content – by better, I mean something more at your “taste”. But it can also allow the obvious privacy issues, because you don’t actually give them permission to create that profile about you.
I could give more examples but I prefer to let people be creative about its uses, so I go to the example and the short explanation.
The example can be found here. You don’t need to follow this, but following it will demo you the full power of the script:
1. After you open the example page, click the “Did I Saw The Logo?”
2. Click the “Wikipedia – SL Benfica” link (opens in popup)
3. Click the “Did I Saw The Logo?” again.
4. Click the Eagle Logo on the rigth corner of the Wikipedia page.
5. Click the “Did I Saw The Logo?” again.
See those links that appear blue when you didn’t visit them? What happens when you see the linked page? The change colors. The links are not always blue, the designers can change this colors, but the point is who makes the correct color to appear in there? The browser. And how? Using your history…
So, javascript doesn’t let my site check your entire history, true, but it lets me “show” how much links I want. So what we could do, is to create a list of the possible urls the user could have visited. The next step? Check its color.
More variations and details could be added but I just want to add three more things:
1. Getting the color (or any of the other properties set by the so called pseudo-selector :visited) doesn’t get “updated” when the browser changes the values (colors, etc…). But there is a way of getting it still. Check the source code if you are interrested.
2. This research made me be afraid of some AJAX-powered sites. Why? Because while you are standing there looking at your stuff, mails, whatever, they can be downloading a list of URLs, checking them and uploading the results. Note to the noobs: you can create links that are not seen by the user.
3. This is a challenge to the browser developers. Fix this could mean the end of visited links colors, but I guess that half the way is done, and you only need to add some checks on the currentStyle (IE) and getcomputedStyle (W3C browsers) functions.
It’s an issue – and that’s why there are extensions like
NoScript for Firefox which enable you to turn off (crudely, but…) JavaScript – for your own safety.
This is a problem even
without JavaScript – using just simple (valid) CSS:
a:visited:after{content:url(http://www.wherever.com/transparent.gif);}
:after is not supported by IE6 (haven’t tried it in IE7), but
it is in other browsers and it is part of the standard.
To make this method useful you define the style as a style attribute for each link, calling transparent.gif&id, where each id is a
unique identifier. Then you look at the requests on your server anf twin the ids with the URLs.
Currently not working in most browsers as they don’t support pseudoclass selectors in style
attribute, but also, it is part of the standard.