How I tricked the whole Meetup into giving me their browser history through CSS
It all started on a late and thoughtful coding night whilst not being able to close my eyes until 4am. That night it came to me like a bolt: I can read the users history via CSS — can’t I? 🐒
The :visited
pseudo class seemed so determined for my evil plan. In combination with something likewindow.getComputedStyle
one could easily add a big bunch of links to a site and check the styles for having the :visited
styles.
Yes, there were times in which you could do it exactly like that (at times where Firefox 2 was still fresh). Luckily this issue has been reported long time ago (e.g. read here or here) and it is good to know that we are safe.
But wait! I can trick you into telling me where you’ve been
Let’s conclude: I am not able to programmatically detect :visited
styles. But I could kindly ask the user to approve the :visited
state 😈
So I made a simple game that has 3 SVG Circles: A big circle that is either blackish or greenish and two circles below of which one is blackish and the other one is greenish. The user is then asked to press the according button of what is shown in the circle above. Doing that the user tells me if it is a link with :visited
styles or not. Gotcha!
Is that a major security risk now?
Rather an individual level privacy risk than a major security risk. The bad thing about this is that it is so sneaky.
If you’re the type of person that thinks that this is a very made-up scenario anyway and that you would not fall for this: You are so wrong. With the same technique you are able to make visually invisible buttons. E.g. on a landingpage I could use this to determine if you’ve already been on a competitors site and provide you with a bigger discount (which would in fact be a good thing for you).
Just think a bit further — let your creativity flow.
Conclusion
When you are on a page that is not familiar to you and of which the intentions are not 100% clear: Use your incognito mode before any other action if you do not feel totally safe and comfortable. It could be your friend checking your history just for fun.