New css attack

**Tv Controls you** · 07-06-2010, 10:45 PM

It uses the fact that properties within display: when combined with a:visited creates conditional logic. That condition will not fire certain things within the block. In this case I am including a nonexitant background image background: url(...); set in the CSS itself that is seemless to the user. The image actually points to a CGI script with the information about the URL that has been visited and is then logged along with the IP address of the user for later retrieval.

I took the picture with no-script and anti-css leak script running at the same time.
Pretty scary that this can make it past all this extra security.

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.

**anon** · 07-06-2010, 10:49 PM

Using a separate browser for ~~What.cd~~ ~~trackers~~ sites that may attempt to read your history keeps on being the best choice.

Originally Posted by Tv Controls you

*I can confirm however that private browsing does negate this new attack... But it's still sort of a pain to browse like that.

What about disabling history entirely?

**Tv Controls you** · 07-06-2010, 10:50 PM

What about disabling history entirely?

I have not tried it yet....

here is the link to the test site. (the one I tested with, in the picture I uploaded)

http://ha.ckers.org/weird/CSS-history.cgi

**anon** · 07-06-2010, 10:56 PM

Originally Posted by Tv Controls you

http://ha.ckers.org/weird/CSS-history.cgi

It's the same in Opera. Even with history and JavaScript disabled and the anti-leak stylesheet.

**Slickerey** · 07-06-2010, 10:58 PM

For some weird reason, it's not working with me.

I don't have the anti-leak script, NoScript, or anything else.

**anon** · 07-06-2010, 11:00 PM

Originally Posted by Slickerey

For some weird reason, it's not working with me.

I don't have the anti-leak script, NoScript, or anything else.

History disabled or private browsing maybe?

**Slickerey** · 07-06-2010, 11:02 PM

I'm not using private browsing, but I am using custom settings for history.

**tesco** · 07-06-2010, 11:03 PM

Originally Posted by Tv Controls you

Mozilla definitely needs to address this soon, as it is starting to get out of hand if you ask me....

Well all browser makers are going to have to come up with something, and that probably means the w3c coming up with a new css spec for a:visited that disables background-urls that aren't inherited from a:link.