CSS exploit allows detection of social site use

May 29, 2008 – 1:23 PM

Web developer Aza Raskin knows we visit Digg, Del.icio.us, Reddit and Facebook without even having to ask.

No, he isn’t employing privacy violating hackery, but he is exploiting a “cute” information leak in CSS that traditionally displays visited links differently than those that have yet to be visited. By loading in an iframe a list of social site URLs to see which are purple (visited) and blue (not visited), an assumption can be made on what sites to prompt users for submitting a story or blog entry.

Raskin has wrapped this functionality in a script called SocialHistory.js.

By employing this script on a blog, you can avoid showing users the traditional mass of social site icons, only a few of which they probably visit. In addition to the large list of social sites checked by SocialHistory — this includes more than 20 of the most-popular names — you additional ones that might be specific to your needs. For instance, you can check to see if the user has visited other blogs you author.

Raskin says while his script isn’t perfect, “it does get you 80% of the way there.” He also says there is little chance the bug — it’s documented in Bugzilla — will be fixed since it’s a core feature of the Web browser.

This script is similar to examples put together by Web technologist Niall Kennedy to evaluate links on a page. Kennedy also mentions another method of testing a known set of links against the current visitor’s browser history using JavaScript.

Data gleaned from either technique can be used for good or evil. Advertisers can determine if you’ve visited their site lately, and offer related information without the need for additional code on their site.

Privacy is a concern with Raskin and Kennedy’s scripts for many users. Unfortunately, in the case of the CSS exploit there isn’t much that can be done aside from turning off JavaScript, which will effectively disable either method. Unfortunately, this will also degrade your browsing experience however, and render many common Web apps useless.

For now, the use of such browser functionality is left up to the site administrator.

Source: Download Squad

You must be logged in to post a comment.