Mashable - The Social Media Guide - Latest Comments in Spyjax: Your Browser History is Not Private!

Re: Spyjax: Your Browser History is Not Private!

Johnathan — Tue, 14 Aug 2007 00:10:58 -0000

Just run CCleaner, clears out the cache browser history etc.. and Its FREE... http://www.reviewingit.com/...

Re: Spyjax: Your Browser History is Not Private!

Sheep — Mon, 04 Jun 2007 11:26:46 -0000

Michel, I didn't even check, but I'm sure the script checks if links were visited, not which colour they happen to be.
For all intents and purposes the amount of possible colours is limitless, plus it would probably more processor-intensive to check that.

Kevin Burton, I believe that this was filed already, but how could changing something in Mozilla software change the way the WWW works?
If I write a piece of software that tries to interact with the WWW somehow, it won't change anything about it.

Anyway, it sounds to me this is a security issue with JavaScript and nothing else.
Someone would need to remove support for checking link status (or whatever the proper name is) in there to really remove the vulnerability.

Re: Spyjax: Your Browser History is Not Private!

Kevin Burton — Sat, 02 Jun 2007 02:39:02 -0000

Bad news guys...... there is no fix.

There's a 3-4 year old bug filed in the Mozilla code base for this .... it can't be fixed because fixing it would break the fundamental way the web works.

Sorry :)

Re: Spyjax: Your Browser History is Not Private!

Chris Messina — Sat, 02 Jun 2007 00:48:20 -0000

This is actually pretty old. As of last August, someone else was pushing around this trick. It's clever, but not that bigga'deal. Unless you disable the ability the differentiate :visited links, this hack will persist.

Re: Spyjax: Your Browser History is Not Private!

Anne H — Fri, 01 Jun 2007 23:56:21 -0000

Related to dre's and Wodow's suggestion above, people might like to check:

http://crypto.stanford.edu/...

Some of the links return 404's but there is still good content about other types of querying. There is also a link to a related Firefox extensions called SafeCache.

Re: Spyjax: Your Browser History is Not Private!

Wodow — Fri, 01 Jun 2007 19:47:46 -0000

If you are using Firefox, this extension seems to solve the problem:

http://safehistory.com/

Re: Spyjax: Your Browser History is Not Private!

dre — Fri, 01 Jun 2007 17:47:54 -0000

Spyjax works via Javascript, but it can also work by using HTML. Turning Javascript off, or using NoScript will not help you from this attack.

My suggestion is to run the Stanford Anti-Phishing SafeHistory Firefox and LocalRodeo extensions.

Re: Spyjax: Your Browser History is Not Private!

Chad — Fri, 01 Jun 2007 13:36:31 -0000

Let's hope the Mozilla guys already have a solution for this - this needs to be front and center in the next update if they don't. I'm guessing that this has been a hack for a while - actually kind of weird that this guy would make it public - he says he just wants links back to his site. As far as disabling JS goes, I use NoScript everyday, and I find the web very usable, I'm just not being used.

Re: Spyjax: Your Browser History is Not Private!

Bas — Fri, 01 Jun 2007 13:06:21 -0000

Like people would deactivate javascript because of this... like the web would be usable having javascript disabled.

Re: Spyjax: Your Browser History is Not Private!

Michel — Fri, 01 Jun 2007 10:10:11 -0000

Have you tried changing Firefox's configuration file to set browser.active_color, browser.anchor_color and browser.visited_color all to the same color?

Could that trick Spyjax?

Very evil either way.

Re: Spyjax: Your Browser History is Not Private!

Henri van den Hoof — Fri, 01 Jun 2007 08:29:31 -0000

Smart and worrisome concept. And if many people would disable their Javascript I would not get much analytical data from Google Analytics anymore for my website. Luckily I am also using Clicky in parallel with GA and which also supports non-javascript analytics. But still quite distressful..