New css attack

Printable View

Show 40 post(s) from this thread on one page

07-06-2010, 10:45 PM
Tv Controls you

New css attack

http://img441.imageshack.us/img441/3937/dsfsdfsdf.png

Quote:

It uses the fact that properties within display: when combined with a:visited creates conditional logic. That condition will not fire certain things within the block. In this case I am including a nonexitant background image background: url(...); set in the CSS itself that is seemless to the user. The image actually points to a CGI script with the information about the URL that has been visited and is then logged along with the IP address of the user for later retrieval.

I took the picture with no-script and anti-css leak script running at the same time.
Pretty scary that this can make it past all this extra security.

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.
07-06-2010, 10:49 PM
anon

Re: New css attack

Using a separate browser for ~~What.cd~~ ~~trackers~~ sites that may attempt to read your history keeps on being the best choice.

Quote:

Originally Posted by Tv Controls you

*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.

What about disabling history entirely?
07-06-2010, 10:50 PM
Tv Controls you

Re: New css attack

Quote:

What about disabling history entirely?

I have not tried it yet....

here is the link to the test site. (the one I tested with, in the picture I uploaded)

http://ha.ckers.org/weird/CSS-history.cgi
07-06-2010, 10:56 PM
anon

Re: New css attack

Quote:

Originally Posted by Tv Controls you

http://ha.ckers.org/weird/CSS-history.cgi

It's the same in Opera. Even with history and JavaScript disabled and the anti-leak stylesheet.
07-06-2010, 10:58 PM
Slickerey

Re: New css attack

For some weird reason, it's not working with me. :blink:

I don't have the anti-leak script, NoScript, or anything else.
07-06-2010, 11:00 PM
anon

Re: New css attack

Quote:

Originally Posted by Slickerey

For some weird reason, it's not working with me. :blink:

I don't have the anti-leak script, NoScript, or anything else.

History disabled or private browsing maybe?
07-06-2010, 11:02 PM
Slickerey

Re: New css attack

I'm not using private browsing, but I am using custom settings for history.
07-06-2010, 11:03 PM
tesco

Re: New css attack

Quote:

Originally Posted by Tv Controls you

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

Well all browser makers are going to have to come up with something, and that probably means the w3c coming up with a new css spec for a:visited that disables background-urls that aren't inherited from a:link. :wacko:
07-06-2010, 11:05 PM
Tv Controls you

Re: New css attack

Quote:

Originally Posted by tesco

Quote:

Originally Posted by Tv Controls you

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

I'm missing how this is mozilla specific.
It will have the same effect in every browser that supports css a:visited. :wacko:

Yes, I know but Mozilla is the only one who will address this within the next year :P

IE will allow this to go on for ages, as they most likely don't care at all.
07-06-2010, 11:07 PM
Slickerey

Re: New css attack

Here are my settings in case anybody wishes to try them out...
http://lookpic.com/d2/i2/2646/yUevOJGE.png

Let us (FST) know if it works for you so we can spread the word. :P

Show 40 post(s) from this thread on one page