
Who am I: A mind reader (don't forget to view source)

583 points | alloyed | 11 years ago | tinsnail.neocities.org

168 comments

[+] mbrubeck|11 years ago|reply
Here's the same exploit disguised as a game, to make it less obvious that it's tricking the user into interacting with it: http://lcamtuf.coredump.cx/yahh/

Documentation of the game proof-of-concept: http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashio...

[+] Fuxy|11 years ago|reply
Cool. That is a neat trick/exploit; never heard of it before.

Thanks for the links.

[+] dzhiurgis|11 years ago|reply
My first idea was clickjacking and social networks, but that probably is impossible.
[+] maaarghk|11 years ago|reply
That's really good, and a very informative forum post!
[+] shurcooL|11 years ago|reply
Reminds me of that hunter2 password thing. http://www.bash.org/?244321

Basically, the website doesn't know which of the squares are red, that depends on your browser state. By clicking the red squares, you're feeding it data.

The interesting observation I made out of this is that navigating there in an incognito window prevents any links from being considered as visited. That's good to know.

[+] keerthiko|11 years ago|reply
I could probably post a similar gizmo on HN with a results static page that says

Your interests are: (some subset of) Programming Science Technology Games <random other thing: Sports, TV, childcare, etc>

With literally no scripting, and everyone would find it "reasonably accurate" :D

[+] espadrine|11 years ago|reply
> Your interests are: (some subset of) Programming Science Technology Games <random other thing: Sports, TV, childcare, etc>

Me being me, I clicked on random grey squares. I got exactly that.

There is a selection bias from the choice of URLs it provides.

[+] mdup|11 years ago|reply
At first, I thought the OP had done exactly that!
[+] joev_|11 years ago|reply
Heh. I clicked a few before I realized what was going on (looking at the status bar shows the link, which somewhat gives it away). You could prevent this by adding mouseover/out and onclick logic that removed the :href on hover and just colored itself red.
[+] asadlionpk|11 years ago|reply
But I guess then it won't be red on hover.
[+] lewisflude|11 years ago|reply
This was really accurate to me. It seems they're using a:visited on several domains to create the "red square" effect.
[+] cynwoody|11 years ago|reply
Yes.

And the only reason you have to click the red squares is to let it know which ones are red. If you try to look up the color of a square using `getComputedStyle`, it always comes back gray. That was the resolution of privacy Bug 147777† (":visited support allows queries into global history").

https://bugzilla.mozilla.org/show_bug.cgi?id=147777
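The mechanism described in the two comments above, as an added example that is not the tinsnail.neocities.org page's own code: the probe page styles every link as a grey square and lets the browser's `:visited` rule turn the ones in history red; because `getComputedStyle()` reports the unvisited colour, the only way the information gets back to the page is the user clicking the red squares, and the click handler records the hrefs. The URL-to-category table is a constructed sample, not the original site's list, and `buildProbePage` / `inferInterests` are hypothetical names.

```javascript
// Added example (not the original page's code): reconstruction of the
// ":visited grid" trick. The page cannot read a link's visited colour
// back, so it asks the user to click the red squares and tallies the
// hrefs that were clicked.

// Hypothetical URL -> category table (constructed sample data).
const CATALOG = {
  'https://news.ycombinator.com/': 'Programming',
  'https://github.com/': 'Programming',
  'https://arxiv.org/': 'Science',
  'https://www.nature.com/': 'Science',
  'https://store.steampowered.com/': 'Games',
  'https://fivethirtyeight.com/': 'Politics',
};

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build the probe page. Every link is a grey square; the :visited rule
// turns it red. Browsers only honour colour-type properties inside a
// :visited rule and lie about them in getComputedStyle(), so the click
// handler is the only channel from the rendered colour back to script.
function buildProbePage(catalog) {
  const squares = Object.keys(catalog)
    .map(u => `<a class="sq" href="${escapeHtml(u)}" target="_blank"></a>`)
    .join('\n');
  return `<!doctype html>
<style>
  .sq { display:inline-block; width:24px; height:24px; margin:2px;
        background:#888; }
  .sq:visited { background:#c00; }   /* the only leak: colour */
</style>
<p>Click every red square.</p>
<div id="grid">${squares}</div>
<script>
  var clicked = [];
  document.getElementById('grid').addEventListener('click', function (e) {
    if (e.target.tagName !== 'A') return;
    e.preventDefault();                 // record the href, do not navigate
    clicked.push(e.target.getAttribute('href'));
  });
</script>`;
}

// Turn the clicked hrefs into a ranked list of interests. Duplicate
// clicks on one square count once; unknown URLs are ignored.
function inferInterests(clickedHrefs, catalog) {
  const counts = new Map();
  for (const href of new Set(clickedHrefs)) {
    const cat = catalog[href];
    if (!cat) continue;
    counts.set(cat, (counts.get(cat) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([cat, n]) => ({ category: cat, hits: n }));
}
```

Serving `buildProbePage(CATALOG)` and feeding the `clicked` array to `inferInterests` is the whole attack; note that nothing in the script ever reads a colour, which is why the incognito observation in the thread holds (no history, no red squares, nothing to click).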

[+] lrichardson|11 years ago|reply
Question:

I know that the `:visited` exploit is handled by the browsers so that you can't figure out by javascript what is going on...

but what if you used just CSS to figure it out? For instance, what if you generated the CSS which had a unique image it requested via the `background-image` property, stored the data on the server, then just requested the data from the server after the fact?

Do the browsers prohibit the usage of url-based css properties on CSS selectors with `:visited` or something? Does anyone have a link/reference to how the exploits were patched up?

[+] megablast|11 years ago|reply
Could you draw the screen, then save that as a screenshot, and analyse the image?
[+] tomasien|11 years ago|reply
This just solved a huge problem I've been struggling with. This is beautiful - I don't actually want to know the information I've been trying to access, but it will make the experience better for the user. I now realize I don't HAVE to know - the browser knows, and that's all that matters. I just have to teach the browser what to do.
[+] Conlectus|11 years ago|reply
Original creator here. I'm super surprised to see this posted here.

I can answer any questions people have.

[+] analog31|11 years ago|reply
For those of us who don't know Javascript, I'll just ask in broad terms: What is it, how's it work, what's it do?
[+] lurkinggrue|11 years ago|reply
I'm not in incognito mode but it didn't work for me.

Kinda weird.

[+] krat0sprakhar|11 years ago|reply
If nothing else, I did get a good list of Programming and Engineering websites :D - http://pastebin.com/zrQ7EBnP
[+] schme|11 years ago|reply
This is OT, trivial and a bit silly: How did you indent the JSON file? I tried with Sublime but couldn't find anything to solve it. Didn't start an IDE for this.
[+] ianamartin|11 years ago|reply
I know, right? 10,000-ish ways to waste time at work.
[+] danbruc|11 years ago|reply
Obvious question - how was the list of URLs compiled? Some are really specific like YouTube channels. On the other hand there are only 15 categories and there are probably a lot of people that would not get a single match or only something very generic like Wikipedia.
[+] Conlectus|11 years ago|reply
Creator here. The links were gathered by searching Feedly's feed suggestions for different topics.
[+] yzzxy|11 years ago|reply
The coolest way would be cold, hard natural selection from Alexa top sites, possibly with weighting placed to relevant sites at the introduction of the dataset. Perhaps I will fork.
[+] tomblomfield|11 years ago|reply
fivethirtyeight.com appears about a dozen times for me?
[+] 3rd3|11 years ago|reply
Couldn't one simply make a display:none on normal links and display:block on :visited, then stack them all on top of each other with position:absolute and catch mouse events from each element via JS?
[+] heycam|11 years ago|reply
Browsers have a very limited set of properties that they allow in :visited rules, and display isn't one of them.
[+] mataug|11 years ago|reply
This is quite clever. By the way now I've got a nice list of blogs/websites that I should probably read for various topics.
[+] rdrey|11 years ago|reply
I was also thinking of using it as a bookmarks site. :)
[+] krrishd|11 years ago|reply
If you open the console and run this script, it'll click every single square, giving a list of the most common types of sites in the array being used:

     // Click every square on the page; the page's own handler then
     // records each clicked href as if the user had picked it.
     var links = document.querySelectorAll('a');
     for (var i = 0; i < links.length; i++) {
       links[i].click();
     }
[+] PurplePanda|11 years ago|reply
I had to change it to start at i=1 to avoid clicking on the link to github and leaving the page
[+] SahAssar|11 years ago|reply
I remember reading about the old CSS history hack (an automated variation of the same theme), which worked until FF4 and IE9.

It's quite interesting to see how such a seemingly simple feature (a:visited) can completely override user privacy if not accounted for.

[+] irises_come|11 years ago|reply
Hm. Do you really need interaction at all?

Can't you just :visited { margin/pos/whatever }, then probe the dom on that or related elems to extract the juice? Or have browser vendors thought of this?

[+] gburt|11 years ago|reply
This is a very old attack that has numerous security measures to prevent you from doing that now.
[+] siddboots|11 years ago|reply
I remember there being a long string of attacks related to hooks of this kind, but as far as I know it is no longer a problem at all.

It's a good example of just how difficult browser security is.

[+] borkabrak|11 years ago|reply
The page itself can't tell what color the squares(links) are rendered as to the user. That's what the clicking is for. Mwaahaha...
[+] Xeroday|11 years ago|reply
Was on incognito and wondering why I didn't see any red squares...
[+] mataug|11 years ago|reply
That is, I am guessing, because there aren't any re-marketing cookies, history and other markers when you open the page in incognito.
[+] MrJagil|11 years ago|reply
Interesting.

At first I thought it would deduce information about me by analysing which squares I'd choose in what order and through other metrics like pacing.

[+] cornholio|11 years ago|reply
"Could not determine interests. (Pssst, If you did not get any red squares, try visiting without being in Private or Incognito mode)"

Indeed I am unhackable.