Your web history is not safe

May 26, 2009

Rudolph Muller is the editor at MyBroadband and covers telecoms and broadband news. Rudolph comes from an academic background, but left the University of...

An online privacy campaign highlights a vulnerability which can expose your web history to the world

Many Internet users may be under the impression that their web history is private, but a new website and online campaign exposes what may be a vulnerability present in most mainstream browsers.

A new online campaign, Startpanic, creates a list of websites that an individual user recently visited using what appears to be information gained from an Internet browser vulnerability.  The method through which this is done is not provided, but the fact that a browser’s history is so easily exposed should raise alarm bells.

Startpanic is gathering signatures for a petition requesting that the privacy vulnerabilities of different web browsers be patched. “This petition will be sent to the four major development companies – Mozilla, Apple, Microsoft and Opera Software. Join us for a safe and secure Internet!” the Startpanic website states.

According to feedback from online sources, clearing your browser cache, deleting your cookies and clearing your history does not seem to influence the ability of Startpanic to gain access to your recently visited websites, but this seems to be inaccurate. In a basic test using Firefox, clearing all private data, including browser cache and cookies, resulted in a clear report in which Startpanic could not retrieve any recently visited websites.

Nothing new

According to technology blogger Vitaly Sharovatov, it is “possible for style sheet authors to abuse the :link and :visited pseudo-classes to determine which sites a user has visited without the user’s consent.” Sharovatov points out that this is not a new issue, and that the original problem was highlighted as far back as October 2000.

Sharovatov writes that Startpanic has a txt database of thousands of URLs that are tested for being visited. “You can check the code – it’s pretty straightforward – links from the database are appended to the iframe where :visited links are displayed and others are hidden, then current style of the current link is checked and if it’s hidden, this link is appended to the big list of visited links,” he says.

Sharovatov suggests three potential solutions to this problem:  1) try to protect :visited links computed style access, 2) limit support of :visited or 3) find a way around the problem.
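The first of these solutions can be illustrated with a small model, added here as an example; it is not Startpanic's or any browser's code. The stylesheet, URLs and function names are constructed for illustration: a "hardened" engine still paints visited links differently for the user, but always reports the unvisited style to page scripts, so the style check described above learns nothing.

```javascript
// Constructed model of link styling; not real browser code.
// Constructed author stylesheet: visited and unvisited links differ.
const SHEET = {
  link:    { color: "blue",   display: "inline" },
  visited: { color: "purple", display: "none" },
};
// Assumption for this model: a hardened engine lets :visited change colour only.
const VISITED_SAFE_PROPS = new Set(["color"]);

function makeBrowser(history, hardened) {
  const visited = new Set(history);
  // Style actually painted on screen for the user.
  function paintStyle(url) {
    const style = { ...SHEET.link };
    if (!visited.has(url)) return style;
    for (const [prop, value] of Object.entries(SHEET.visited)) {
      if (!hardened || VISITED_SAFE_PROPS.has(prop)) style[prop] = value;
    }
    return style;
  }
  // Style reported to page scripts: hardened engines answer as if unvisited.
  function getComputedStyle(url) {
    return hardened ? { ...SHEET.link } : paintStyle(url);
  }
  return { paintStyle, getComputedStyle };
}

// What a page script can infer: candidates whose reported style
// differs from the unvisited style.
function scriptVisibleHistory(browser, candidates) {
  return candidates.filter((url) => {
    const reported = browser.getComputedStyle(url);
    return Object.keys(SHEET.link).some((p) => reported[p] !== SHEET.link[p]);
  });
}

// Constructed sample data.
const HISTORY = ["https://bank.example/", "https://clinic.example/"];
const CANDIDATES = ["https://bank.example/", "https://news.example/",
                    "https://clinic.example/"];

function compare() {
  const legacy = makeBrowser(HISTORY, false);
  const hardened = makeBrowser(HISTORY, true);
  return {
    legacyLeak: scriptVisibleHistory(legacy, CANDIDATES),
    hardenedLeak: scriptVisibleHistory(hardened, CANDIDATES),
    hardenedPaint: hardened.paintStyle(HISTORY[0]),
  };
}
```

In the hardened model the user still sees visited links in a different colour, while the layout-affecting `display` change is ignored and scripts see identical styles for every link.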

Not very serious

According to Neology CIO Regardt Van de Vyver, a networking and Internet specialist, the ability to gain access to a browser’s web history through this CSS trick does constitute a browser vulnerability, but he added that this type of information is often available anyway and of limited relevance.

A site would only be able to figure out if you’ve visited a specific site – finding all possible sites you may have visited would take far longer and most users would notice this rather quickly. He points out that Google aggregates all types of web history, while many companies actively record and scrutinize employees’ web history as part of official company policy.

Van de Vyver advises Internet users who would like to hide their web history to use private browsing options like InPrivate browsing in Internet Explorer or private browsing in Safari.  Users can also clear their private data regularly to avoid access to sensitive information.
