OK, this is more fun than any immediate risk... Those of you who follow web security topics probably remember that until mid-2010, you could extract very substantial chunks of one's browsing history by applying distinctive styling to thousands of off-screen :visited links and then reading that information back through the getComputedStyle API or in a couple of related ways.
This loophole has been closed by making it practically impossible to programmatically measure any side effects of the styling applied to :visited links (spare for some relatively wonky redraw timing attacks). The information could be read back only with user's assistance, which seemed much less interesting for two reasons: 1) It is relatively difficult to come up with really compelling, casual interactions where the user would unwittingly divulge styling information on specially prepared links to a rogue website, 2) Even if you could come up with such an attack, you would be limited to probing roughly one visited link per click, so the throughput would be very low. Few months ago, I published a whimsical PoC showing that the first assumption may be somewhat short-sighted. True to my lifelong dream of becoming a fabulously wealthy game developer, I created this low-grade, knock-off version of Asteroids: http://lcamtuf.coredump.cx/yahh/ Today, I wanted to show an equally silly but less entertaining proof-of-concept that touches on the latter topic. The PoC shows how to measure the state of multiple links - possibly a dozen or so - with a single casual click: http://lcamtuf.coredump.cx/css_calc/ The PoC is based on carefully constructing Boolean operators with the extremely rudimentary subset of CSS permitted for :visited links. I don't want to spoil it all, but you can pull it off in a somewhat funny way. There is no game included; I was going to have a logo for this vulnerability instead, but my publicist didn't deliver (again). Cheers, /mz _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
