Privacy Risk: JavaScript Reveals Past Visited Links

August 17, 2012 / JavaScript

I recall reading an article several years ago about a privacy issue concerning the difference in color between visited and unvisited links: website owners can write some JavaScript to determine, based on certain differences between visited and unvisited hyperlinks, whether you have visited a website before.

Of course, this was (and still is) a privacy issue, but some browsers have rectified it by changing the way in which hyperlinks can be altered, so that website owners can no longer determine whether a visitor has visited a particular website before.

For example, in 2010 Mozilla changed the way in which hyperlink colors can be fetched using JavaScript. In March 2010, a privacy engineer for Mozilla announced that Firefox would in the near future be making some changes to “plug” the privacy issue by preventing layout-based, timing-based, and computed style attacks.

The most interesting of these looks to be the timing-based attack, as it isn’t the simplest way for a website that makes use of these flaws to determine which hyperlinks a visitor has already visited.

For users using older versions of Firefox, Internet Explorer, or other browsers, it’s safe to assume websites can still use these kinds of methods to understand what websites you’ve visited before.

Why is it such an issue?

Well, it’s a flaw first and foremost and it needs to be fixed. If a website is going to find out which websites the user has visited before, based on hyperlinks that look different because the browser knows the user has visited them, then the website should really be letting users know about its practices – not everyone would find it appealing that websites are snooping on information in a way that to many is considered a privacy violation.

Furthermore, websites that do this may be snooping on this information and storing it in a database, and matching it against your IP address. The primary use for this is perhaps for advertising and marketing purposes, and by having this information they can display more targeted advertisements to you or even distribute this information to third parties – such as advertisers.

Of course, many people do not think it is much of an issue, but there are equally people who think it is a privacy violation and that website owners should not be taking advantage of it to collect historical information.

What has Mozilla changed to prevent this?

Layout-based Attacks – First and foremost, they have limited what styling can be applied to visited links. Visited links can only differ in color, background, outline, border, fill colors, and SVG stroke. Mozilla states that other styling options leak that the hyperlink has been visited before by “loading a resource or changing position or size of the styled content in the document”, which can otherwise be used to determine visited hyperlinks.

Timing-based Attacks – Mozilla will be changing “some of the guts of our layout engine to provide a fairly uniform flow of execution to minimize differences in layout time for visited and unvisited links”.

Computed Style Attacks – In Firefox, JavaScript is not going to have access to the same style data that it previously had access to. So when a website fetches the computed style of a visited hyperlink, Firefox will give it the style value of an unvisited hyperlink.

The privacy engineer at Mozilla had forewarned that these changes may make a few websites look a little different and “a few sites that use more than color to differentiate visited links may not slightly break at first”.
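The layout-based and computed-style changes described above can be modelled in a few lines of JavaScript. This is an added example, not Mozilla's code and not code from the original article; the concrete CSS property names and the sample rules are assumptions based on the list of permitted styles given above.

```javascript
// Simplified model of the two defences, not Firefox source code.
// ASSUMPTION: these property names are one reading of the article's list
// (color, background, outline, border, fill colors, SVG stroke).
const ALLOWED_VISITED = new Set([
  'color', 'background-color', 'outline-color', 'border-color',
  'border-top-color', 'border-right-color', 'border-bottom-color',
  'border-left-color', 'fill', 'stroke',
]);

// Parse "prop: value; prop: value" into an object (minimal parser for the demo).
function parseDeclarations(block) {
  const out = {};
  for (const decl of block.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    out[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim();
  }
  return out;
}

// Layout-based defence: only colour-type declarations in a :visited rule are
// honoured; anything that loads a resource or changes size is ignored.
function filterVisited(block) {
  const applied = {}, ignored = {};
  for (const [prop, value] of Object.entries(parseDeclarations(block))) {
    (ALLOWED_VISITED.has(prop) ? applied : ignored)[prop] = value;
  }
  return { applied, ignored };
}

// Computed-style defence: what is painted depends on history, but what a
// script can read back is always the unvisited style.
function resolveLink(linkBlock, visitedBlock, isVisited) {
  const unvisited = parseDeclarations(linkBlock);
  const { applied } = filterVisited(visitedBlock);
  return {
    painted: isVisited ? { ...unvisited, ...applied } : unvisited,
    scriptVisible: unvisited,
  };
}

// Constructed sample rules for a:link and a:visited.
const LINK = 'color: blue; background-image: none; font-weight: normal';
const VISITED = 'color: purple; background-image: url(/seen.png); font-weight: bold';

console.log(filterVisited(VISITED).ignored, resolveLink(LINK, VISITED, true));
```

Site owners can use the `ignored` result to see which of their own `:visited` declarations will no longer take effect under these rules.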

About other browsers.

If you’re running other browsers, it’s important to keep your browser up to date as other browsers may have followed suit after Mozilla made changes to Firefox in March 2010. For all intents and purposes, running an outdated version of your browser is a security risk in itself. If you’re running Internet Explorer 6, 7, or 8, you should update to Internet Explorer 9 (or whichever is the most stable version at a later point in time).

If you’re running an older version of Firefox, you should update to the latest version. Windows XP is supported as of Firefox 14, and because Internet Explorer 9 is not available for XP users, we recommend XP users opt for the latest stable version of Firefox.
