New css attack



Tv Controls you
07-06-2010, 10:45 PM
http://img441.imageshack.us/img441/3937/dsfsdfsdf.png


It uses the fact that properties within display: when combined with a:visited creates conditional logic. That condition will not fire certain things within the block. In this case I am including a nonexistent background image background: url(...); set in the CSS itself that is seamless to the user. The image actually points to a CGI script with the information about the URL that has been visited and is then logged along with the IP address of the user for later retrieval.

I took the picture with no-script and anti-css leak script running at the same time.
Pretty scary that this can make it past all this extra security.

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.
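
A defender-side check for the pattern described in the post above, as an added example that is not part of the thread or of the ha.ckers.org test code: it lists every `:visited` rule whose declarations load a `url(...)`, which is the conditional fetch the server-side logging depends on. The sample stylesheet, its `/log.cgi` path and its selectors are constructed for illustration.

```javascript
// Static audit: report url() loads that only happen when a :visited selector
// matches. Simplified parser: strips comments and sees rules nested in @media,
// but assumes no ';', '{' or '}' inside url(...) values.
function findVisitedFetches(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments first
  const findings = [];
  // Innermost "selector { declarations }" blocks, including those inside @media.
  for (const rule of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const visited = rule[1].split(',').map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    for (const decl of rule[2].split(';')) {
      const colon = decl.indexOf(':');
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1);
      for (const u of value.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)) {
        findings.push({ selector: visited.join(', '), property, url: u[2] });
      }
    }
  }
  return findings;
}

// Constructed sample: two probe rules plus harmless ones.
const SAMPLE_CSS = `
a:link { color: blue; background: url(/img/arrow.png) }
/* probe */ #s1:visited { background: url(/log.cgi?site=1) }
@media screen { A#s2:VISITED, a.x { background-image: URL("/log.cgi?site=2") } }
a:visited { color: purple }
`;

for (const f of findVisitedFetches(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.property} loads ${f.url}`);
}
```

A rule that only changes colour on `:visited` is not reported, since it triggers no request.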

anon
07-06-2010, 10:49 PM
Using a separate browser for What.cd trackers sites that may attempt to read your history keeps on being the best choice.


*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.

What about disabling history entirely?

Tv Controls you
07-06-2010, 10:50 PM
What about disabling history entirely?

I have not tried it yet....

here is the link to the test site. (the one I tested with, in the picture I uploaded)

http://ha.ckers.org/weird/CSS-history.cgi

anon
07-06-2010, 10:56 PM
http://ha.ckers.org/weird/CSS-history.cgi

It's the same in Opera. Even with history and JavaScript disabled and the anti-leak stylesheet.

Slickerey
07-06-2010, 10:58 PM
For some weird reason, it's not working with me. :blink:

I don't have the anti-leak script, NoScript, or anything else.

anon
07-06-2010, 11:00 PM
For some weird reason, it's not working with me. :blink:

I don't have the anti-leak script, NoScript, or anything else.

History disabled or private browsing maybe?

Slickerey
07-06-2010, 11:02 PM
I'm not using private browsing, but I am using custom settings for history.

tesco
07-06-2010, 11:03 PM
Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

Well all browser makers are going to have to come up with something, and that probably means the w3c coming up with a new css spec for a:visited that disables background-urls that aren't inherited from a:link. :wacko:

Tv Controls you
07-06-2010, 11:05 PM
Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

I'm missing how this is mozilla specific.
It will have the same effect in every browser that supports css a:visited. :wacko:

Yes, I know but Mozilla is the only one who will address this within the next year :P

IE will allow this to go on for ages, as they most likely don't care at all.

Slickerey
07-06-2010, 11:07 PM
Here are my settings in case anybody wishes to try them out...
http://lookpic.com/d2/i2/2646/yUevOJGE.png

Let us (FST) know if it works for you so we can spread the word. :P

anon
07-06-2010, 11:09 PM
Here are my settings in case anybody wishes to try them out...
*image*

With "history" I mean just your browsing history. :P

Judging from the screenshot, you've disabled it. That probably deals with this leak, just like it does with the "classic" one.

tesco
07-06-2010, 11:09 PM
I'm missing how this is mozilla specific.
It will have the same effect in every browser that supports css a:visited. :wacko:

Yes, I know but Mozilla is the only one who will address this within the next year :P

IE will allow this to go on for ages, as they most likely don't care at all.

Ya I misread I thought you were saying that this affected only firefox. :lol:
I edited my post.

Tv Controls you
07-06-2010, 11:09 PM
Here are my settings in case anybody wishes to try them out...
http://lookpic.com/d2/i2/2646/yUevOJGE.png

Let us (FST) know if it works for you so we can spread the word. :P

Yes that is basically private browsing lol


Ya I misread I thought you were saying that this affected only firefox.
I edited my post.

It's fine, I just expect a lot from firefox lol. :D

Slickerey
07-06-2010, 11:10 PM
You absolutely have to love that extra security you're getting from disabling history. Hehe... :naughty:

anon
07-06-2010, 11:12 PM
You absolutely have to love that extra security you're getting from disabling history.

Shame only Firefox users seem to be able to claim that :ermm:

Rart
07-06-2010, 11:41 PM
For a second there I thought about moving this thread to a more relevant forum.

Then I realized that this probably is the most relevant forum, as this is the forum where the people who visit are most likely to get their IP phished, and at the same time, most likely to care about getting their IP phished.

Isn't BT great.

:dabs:

Tv Controls you
07-06-2010, 11:42 PM
For a second there I thought about moving this thread to a more relevant forum.

Then I realized that this probably is the most relevant forum, as this is the forum where the people who visit are most likely to get their IP phished, and at the same time, most likely to care about getting their IP phished.

Isn't BT great.

:dabs:

Lol I was debating on putting it in Internet, Programming and Graphics...

ca_aok
07-07-2010, 02:03 AM
So what precisely is this detecting? Your browse history rather than the presence of a:visited? Because the description implied it was catching a cascaded event during the click of a link, but the test page did correctly detect a link visited while NOT viewing the page itself so that seems unlikely.

anon
07-07-2010, 11:09 AM
So what precisely is this detecting?

background:url plus a randomstring? You can check the source out here:
http://ha.ckers.org/weird/CSS-history.tar.gz

Disme
07-07-2010, 12:01 PM
The following sites were visited:

That's what he gives me ... nothing more.

Funkin'
07-07-2010, 12:35 PM
That site and What The Internet Knows About You still show that I haven't visited anything.

I'm using Opera 10.60, the css fix, and history disabled.

ca_aok
07-07-2010, 12:46 PM
As I understand it, disabling history prevents this attack, so that would explain it.

Is there a CSS fix you'd be able to employ against this, or is disabling history the only fix?

TONiC
07-07-2010, 12:58 PM
Seriously, you just need to know how to set up your browser... no addons, plugins, or VPNs to the Cayman Islands needed.

Disme
07-07-2010, 12:59 PM
As I understand it, disabling history prevents this attack, so that would explain it.

Is there a CSS fix you'd be able to employ against this, or is disabling history the only fix?

My history isn't disabled and it still can't detect what sites I visited.

anon
07-07-2010, 01:49 PM
Is there a CSS fix you'd be able to employ against this, or is disabling history the only fix?

Can you check if setting layout.css.visited_links_enabled to false in about:config fixes the leak in Firefox with history enabled?

ca_aok
07-07-2010, 03:40 PM
That appears to block the script's detection, yes.

Quarterquack
07-07-2010, 03:56 PM
layout.css.visited_links_enabled

I love you. I wanted to go peeking inside the settings to find exactly that, but was too lazy. :wub:

anon
07-07-2010, 04:48 PM
Thank you both for letting me know. :)