Smart and worrisome concept. And if many people would disable their Javascript I would not get much analytical data from Google Analytics anymore for my website. Luckily I am also using Clicky in parallel with GA and which also supports non-javascript analytics. But still quite distressful..
Michel
· 2 years ago
Have you tried changing Firefox's configuration file to set browser.active_color, browser.anchor_color and browser.visited_color all to the same color?
Could that trick Spyjax?
Very evil either way.
Bas
· 2 years ago
Like people would deactivate javascript because of this... like the web would be usable having javascript disabled.
Chad
· 2 years ago
Let's hope the Mozilla guys already have a solution for this - this needs to be front and center in the next update if they don't. I'm guessing that this has been a hack for a while - actually kind of weird that this guy would make it public - he says he just wants links back to his site. As far as disabling JS goes, I use NoScript everyday, and I find the web very usable, I'm just not being used.
dre
· 2 years ago
Spyjax works via Javascript, but it can also work by using HTML. Turning Javascript off, or using NoScript will not help you from this attack.
My suggestion is to run the Stanford Anti-Phishing SafeHistory Firefox and LocalRodeo extensions.
Wodow
· 2 years ago
If you are using Firefox, this extension seems to solve the problem:
Some of the links return 404's but there is still good content about other types of querying. There is also a link to a related Firefox extensions called SafeCache.
chris messina
· 2 years ago
This is actually pretty old. As of last August, someone else was pushing around this trick. It's clever, but not that bigga'deal. Unless you disable the ability the differentiate :visited links, this hack will persist.
Kevin Burton
· 2 years ago
Bad news guys...... there is no fix.
There's a 3-4 year old bug filed in the Mozilla code base for this .... it can't be fixed because fixing it would break the fundamental way the web works.
Sorry :)
Sheep
· 2 years ago
Michel, I didn't even check, but I'm sure the script checks if links were visited, not which colour they happen to be. For all intents and purposes the amount of possible colours is limitless, plus it would probably more processor-intensive to check that.
Kevin Burton, I believe that this was filed already, but how could changing something in Mozilla software change the way the WWW works? If I write a piece of software that tries to interact with the WWW somehow, it won't change anything about it.
Anyway, it sounds to me this is a security issue with JavaScript and nothing else. Someone would need to remove support for checking link status (or whatever the proper name is) in there to really remove the vulnerability.
All Comments
Could that trick Spyjax?
Very evil either way.
My suggestion is to run the Stanford Anti-Phishing SafeHistory Firefox and LocalRodeo extensions.
http://safehistory.com/
http://crypto.stanford.edu/sameorigin/
Some of the links return 404's but there is still good content about other types of querying. There is also a link to a related Firefox extensions called SafeCache.
There's a 3-4 year old bug filed in the Mozilla code base for this .... it can't be fixed because fixing it would break the fundamental way the web works.
Sorry :)
For all intents and purposes the amount of possible colours is limitless, plus it would probably more processor-intensive to check that.
Kevin Burton, I believe that this was filed already, but how could changing something in Mozilla software change the way the WWW works?
If I write a piece of software that tries to interact with the WWW somehow, it won't change anything about it.
Anyway, it sounds to me this is a security issue with JavaScript and nothing else.
Someone would need to remove support for checking link status (or whatever the proper name is) in there to really remove the vulnerability.