How I tricked the whole Meetup into giving me their browser history through CSS

David Lorenz
Feb 11, 2017

It all started on a late and thoughtful coding night whilst not being able to close my eyes until 4am. That night it came to me like a bolt: I can read the user’s history via CSS — can’t I? 🐒

The :visited pseudo-class seemed made for my evil plan. In combination with something like window.getComputedStyle, one could easily add a big bunch of links to a site and check which of them are rendered with the :visited styles.

Yes, there were times when you could do it exactly like that (back when Firefox 2 was still fresh). Luckily this issue was reported a long time ago (e.g. read here or here), and it is good to know that we are safe.
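The fix can be checked from the browser console: current browsers make getComputedStyle report a link's unvisited style even when the link is painted as visited. The following is an added example, not code from the original post; the function name, class name and colours are choices made for this example, and the probe only links to the page you are currently on.

```javascript
// Added example: verify that computed styles do not reveal :visited state.
// All names and colour values here are chosen for this example.
const LINK_COLOR = "rgb(0, 0, 255)";    // style for unvisited links
const VISITED_COLOR = "rgb(255, 0, 0)"; // style for visited links

function checkVisitedLeak(doc, win) {
  // Give the probe link two clearly different colours.
  const style = doc.createElement("style");
  style.textContent =
    `a.probe:link { color: ${LINK_COLOR}; } ` +
    `a.probe:visited { color: ${VISITED_COLOR}; }`;

  // Link to the current page, which is the one URL you know you have visited.
  const link = doc.createElement("a");
  link.className = "probe";
  link.href = win.location.href;
  link.textContent = "probe";

  doc.head.appendChild(style);
  doc.body.appendChild(link);
  try {
    // A browser with the mitigation answers with LINK_COLOR here,
    // whatever colour it actually paints on screen.
    const reported = win.getComputedStyle(link).color;
    return { reported, leaks: reported === VISITED_COLOR };
  } finally {
    // Leave the page as it was.
    link.remove();
    style.remove();
  }
}

// Runs only where a DOM exists (e.g. pasted into the browser console).
if (typeof document !== "undefined") {
  console.log(checkVisitedLeak(document, window));
}
```

A result of `leaks: false` means script cannot read the visited state from computed styles, which is why the rest of this post has to ask the user instead.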

But wait! I can trick you into telling me where you’ve been

Let’s conclude: I am not able to programmatically detect :visited styles. But I could kindly ask the user to confirm the :visited state 😈

So I made a simple game that has 3 SVG circles: a big circle that is either blackish or greenish, and two circles below it, of which one is blackish and the other one is greenish. The user is then asked to press the button that matches what is shown in the circle above. By doing that, the user tells me whether it is a link with :visited styles or not. Gotcha!

My Tell-Me-Your-History Game

Is that a major security risk now?

It is an individual-level privacy risk rather than a major security risk. The bad thing about this is that it is so sneaky.

If you’re the type of person who thinks that this is a very made-up scenario anyway and that you would not fall for this: You are so wrong. With the same technique you are able to make visually invisible buttons. E.g. on a landing page I could use this to determine if you’ve already been on a competitor’s site and provide you with a bigger discount (which would in fact be a good thing for you).

Just think a bit further — let your creativity flow.

Conclusion

When you are on a page that is not familiar to you and whose intentions are not 100% clear: use your incognito mode before any other action if you do not feel totally safe and comfortable. It could be your friend checking your history just for fun.
