<div class="gmail_quote">On Tue, Dec 15, 2009 at 4:40 PM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">At 9:40 AM -0800 12/15/09, John Panzer wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
long-standing hole in browsers that gives ~equivalent information to<br>
phishers, and this is not one I've heard of them using (perhaps you<br>
have). It's a good opportunity to look at what attack vectors this<br>
has enabled in the real world<br>
</blockquote>
<br>
</div><a href="http://www.azarask.in/blog/post/socialhistoryjs/" target="_blank">http://www.azarask.in/blog/post/socialhistoryjs/</a><div class="im"><br>
<a href="http://www.schillmania.com/random/humour/web20awareness/" target="_blank">http://www.schillmania.com/random/humour/web20awareness/</a><br>
</div><a href="http://www.niallkennedy.com/blog/2006/03/automatic-favor.html" target="_blank">http://www.niallkennedy.com/blog/2006/03/automatic-favor.html</a><br>
<a href="http://www.niallkennedy.com/blog/2008/02/browser-history-sniff.html" target="_blank">http://www.niallkennedy.com/blog/2008/02/browser-history-sniff.html</a><br>
<br>
This may be a less-than-thorough list, I'm just copying across from a bookmarks folder I retained about this particular exploit.<br>
<br>
<a href="http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html" target="_blank">http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html</a><br>
<a href="https://www.indiana.edu/~phishing/browser-recon/" target="_blank">https://www.indiana.edu/~phishing/browser-recon/</a></blockquote><div><br></div><div>Note that all of these except the last are about how to use this for useful purposes or just playing around; the last one is a theoretical note that says "this may be useful for phishing" but doesn't give a specific attack (that I can find -- the referenced paper may have something but it's very long).</div>
<div><br></div><div>Of course this is just absence of evidence. But so far no one has documented this vulnerability actually helping phishers, though it's been around for years and well documented for >1year. Since it depends on Javascript running on an open website, I'd think that it would be detected if the phishers were caught. Unless they are so clever that they have managed to do this without detection, of course. </div>
<div> </div><div>Not saying this isn't an issue, just saying it should be weighted appropriately when considering things like default settings for OPs.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
<br>
At 10:11 AM -0800 12/15/09, Breno de Medeiros wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I don't buy the CSS history stealing argument, that's all. CSS history<br>
stealing is essentially a cross-domain cookie API without user opt-out<br>
option. So I wonder how long before browsers turn off this 'feature'.<br>
</blockquote>
<br></div>
Stanford released a fix (Firefox addon) for it a few years ago; I don't expect browsers to integrate anything similar until we've shifted into full isolation mode (thread isolation for each tab is moving toward this, and single-site browsers have the right idea; give each site its own virtual environment and retrieve final data from *those* to interact with, allowing an extra layer of interpretation so the user can see colored links (and other data overlaid) that the remote site doesn't have any way to be aware of, unless the top/privileged layer specifically *opts in* to sending that data back down the chain), because we're currently at a fairly stable pattern as far as the convenience/security balance goes.<br>
<br>
-Shade<br>
</blockquote></div><br>