10/04/06 More fun with CSS history
There's been a big fuss about the fact that with CSS you can identify whether someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising.

You run www.sitea.com, and www.siteb.com and www.sitec.com are competitors of yours. You know these companies use www.ad1.com and www.ad2.com to serve their ads. What you don't know is how effective these ads are; simply put, without direct access to the web server logs you can't really tell. Well, this isn't entirely true!

Let's say VisitorA visits your site www.sitea.com. You can use the CSS history stealing trick to see whether they have visited www.siteb.com and/or www.sitec.com. If they've visited a competitor, you'll know that this person is semi-serious about whatever brought them to your site. Using the same CSS trick you could also check a list of links against each competitor website (a link is only enumerated if it was visited) to see what they viewed on that site. This could include seeing which products/services they are interested in, whether they visited the 'contact us' page, and possibly whether they also visited the 'thank you for submitting your data' page (letting you know they submitted a form). Now that you know where your visitor has been, you can use the same trick on the websites advertising your competitors to see where they came from. Why bother? Well, now you know which ads are in fact paying off for them and can advertise with the same company.

A more elaborate example would be dynamically generating a discount if the current visitor has visited a competitor, potentially winning a deal. I suspect this use of the CSS 'trick' is going to spread like wildfire for many of the obvious reasons above. This raises the question: is this legal?

UPDATED: 10/4/06

I was thinking of the uses of this regarding phishing. Say they followed my Amazon phishing email; I can now track which banks and other websites they use to see which site I should phish next (a sort of victim profiling, if you will). Even more interesting would be the creation of generic phishing emails bringing a user to a site, and dynamically generating a phishing site based on the URLs that they've actually visited. Hmmm, need to think about this some more.
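
For site owners who want to review the stylesheets they serve (including third-party and ad CSS) for the `:visited` styling this trick depends on, the following added example, which is not code from the original post, lists `:visited` rules that set anything beyond the colour-only properties browsers later restricted `:visited` to. The function names, the allow-list constant and the sample stylesheet are assumptions constructed for illustration.

```javascript
// Colour-only properties that browsers still honour inside :visited rules.
const VISITED_SAFE = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

// Strip /* comments */ so commented-out rules are not reported.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Return one finding per :visited rule that sets a non-colour property
// or whose value references url(...). Regex-level audit, not a full parser.
function auditVisitedRules(css) {
  const findings = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g; // innermost "selector { decls }"
  let m;
  while ((m = ruleRe.exec(stripComments(css))) !== null) {
    // Drop any preceding at-rule statement such as "@import ...;".
    const selector = m[1].split(';').pop().trim();
    if (!/:visited\b/i.test(selector)) continue;
    const flagged = [];
    for (const decl of m[2].split(';')) {
      const idx = decl.indexOf(':');
      if (idx === -1) continue;
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      if (!VISITED_SAFE.has(prop) || /url\s*\(/i.test(value)) flagged.push(prop);
    }
    if (flagged.length) findings.push({ selector, properties: flagged });
  }
  return findings;
}

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
a:visited { color: #551a8b; }
/* a:visited { width: 1px } */
.done a:visited { background: url(/img/check.png); }
@media screen { .nav a:visited, .nav a:hover { display: block; color: red } }
a:link { background: url(/logo.png); }
`;

console.log(JSON.stringify(auditVisitedRules(SAMPLE_CSS), null, 2));
```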

Copyright 2000-2007 Cgisecurity.com.
Providing Web Security news since 2000.