hackademix.net

Dear Adblock Plus and NoScript Users, Dear Mozilla Community

Synchronizing NoScript Configuration Using Weave or XMarks

23 Responses to “Start Panicking!”

1. #1 Ben says:
   May 8th, 2009 at 10:19 pm

   Is there some workaround other than using a wireless connection?

2. #2 Giorgio says:
   May 8th, 2009 at 10:25 pm

   @Ben:
   what does make you believe a wireless connection is a workaround?

   For this very PoC, based on JavaScript, NoScript is enough a workaround.

   But since it's possible, even though slow and unpractical, performing the same trick without using JavaScript, the only full-blown protection is SafeHistory.

3. #3 Simon says:
   May 8th, 2009 at 10:28 pm

   Easy fix: Only surf in Private Browsing mode (or toggle the pref layout.css.visited_links_enabled in about:config). No need for NoScript, just the latest and greatest Firefox Beta...

4. #4 Giorgio says:
   May 8th, 2009 at 10:41 pm

   @Simon:
   I'd still prefer a SafeHistory-like solution, since both Private Browsing and the visit_link_enabled setting globally cripple my navigation experience, by disabling history feedback.

5. #5 Ben says:
   May 8th, 2009 at 11:06 pm

   Duh, because wireless is encrypted.

   Sorry if it is lame to set myself up for a joke. I was bored on a Friday afternoon.

6. #6 nick says:
   May 8th, 2009 at 11:21 pm

   quite a comprehensive list of domains:

   http://startpanic.com/db/db_en.txt

7. #7 Giorgio says:
   May 8th, 2009 at 11:33 pm

   @nick,
   booh, mine are all missing :(

8. #8 AndersH says:
   May 8th, 2009 at 11:54 pm

   Why would the same be "slow and unpractical"? It seems to me,that it would perhaps be faster:
   [style]
   #urllist a { display:none; }
   #urllist a:visited { display:block; }
   [/style]
   [div id='urllist']
   [a href='http://google.com/' style='background:url(url?google.com)'][/a]
   [a href='http://www.google.com/' style='background:url(url?www.google.com)'][/a]
   [a href='http://yahoo.com/' style='background:url(url?yahoo.com)'][/a]
   [a href='http://www.yahoo.com/' style='background:url(url?www.yahoo.com)'][/a]
   [/div]

9. #9 Nan M says:
   May 9th, 2009 at 10:15 am

   @nick #6, :
   It's just about the whole of the Web, isn't it. ;-)
   Sorry Prof, your empire-building is hopeless ;-)

10. #10 Steve says:
    May 9th, 2009 at 11:24 am

    I seriously can't get any results other then

    "
    Here we go!
    startpanic.com
    "

    I tried Safari first as it's my main browser. Result was above. I thought that I was not getting any result then above because I changed file flags for directories where Safari would store cookies, cache, bookmarks, history and where flash cookies are stored so no data could be written in those directories. (sudo chflags uchg,schg /foo) So I tried FireFox and I still get the same result. NoScript and CookieSafe both disabled. I didn't set file flags for in directories FireFox uses.

11. #11 Otto de Voogd says:
    May 9th, 2009 at 12:24 pm

    You don't need JavaScript to exploit this:
    http://ha.ckers.org/weird/CSS-history.cgi

    Any exploit though has to try to guess sites/urls where you might have been.

12. #12 Giorgio says:
    May 9th, 2009 at 2:16 pm

    @Otto de Voodg:

    Of course you can do it script-less, as I said in my comment #2, but it's too slow and resource-intensive to be practical outside PoCs.

    And you're obviously correct, the attacker can test if you've visited certain sites, rather than enumerating all your history, but in many scenarios (e.g. guessing if you're an user of a certain bank service before trying a focused phishing attack or checking if you visit certain "subversive" resources before raiding your home with a terrorist charge) this is dangerous enough.

13. #13 Чтение истории посещений с помощью CSS | Raz0r.name — блог о web-безопасности says:
    May 9th, 2009 at 3:55 pm

    [...] написание этой небольшой заметки меня подтолкнул пост в блоге автора плагина NoScript о ресурсе с [...]

14. #14 GµårÐïåñ says:
    May 9th, 2009 at 11:30 pm

    Giorgio, I love SafeHistory but the problem is that it has not been updated for a long while and it causes some issues in Fx 3 but for me NoScript seems to be pretty effective and the fact that I don't maintain a history at all.

15. #15 Dom says:
    May 10th, 2009 at 4:39 am

    Will the Firefox fix have the same functionality as SafeHistory?

16. #16 sirdarckcat says:
    May 10th, 2009 at 8:38 am

    I like CSSH more.. haha we can crawl which links you entered in each website.

    http://eaea.sirdarckcat.net/cssh-mon/cssh-mon.php

    Greetz!!

17. #17 Basti says:
    May 10th, 2009 at 9:07 am

    I used SafeHistory before, but it's not compatible with Firefox 3. I know how to patch it, but I don't think it's a good idea. Does any one know an alternative?

18. #18 Giorgio says:
    May 10th, 2009 at 2:21 pm

    @AndreH:

    curl http://startpanic.com/db/db_en.txt | wc -l
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1386k  100 1386k    0     0   117k      0  0:00:11  0:00:11 --:--:--  133k
    100000
    

    As you can see there are 100,000 domains in that list, for more than 1MB file size, which you're proposing to turn in server-side generated styled links to be downloaded.
    Consider also that a scriptless approach requires one separate HTTP request (and database write) for each single domains found in history, while with JavaScript you can coalesce the logging in one single request/write.
    So I can hardly imagine an attacker preferring the scriptless way over the JavaScript one in a real world scenario, aside very motivated targeted attacks against a specific NoScript user.

    @Dom:

    Will the Firefox fix have the same functionality as SafeHistory?

    Nope. If you look at the bug report, you'll find I repeatedly suggested that was the right approach, however the current "solution" breaks the :visited functionality entirely and therefore is obviously disabled by default.

    @Basti:
    I heard of a compatible beta, but I can't find it right now.
    There's no alternative, I'm afraid.

19. #19 A bug in Firefox can detect which sites you have visited - profirefox.org says:
    May 11th, 2009 at 2:31 pm

    [...] Mozilla is already working on this bug. [via Giorgio Maone's blog] [...]

20. #20 Nilesh says:
    May 13th, 2009 at 7:38 am

    Hi Giorgio,

    When I cleared the history of Mozilla FF, visiting on startpanic.com didn't yield any result. The bug lifts information about visited website from the history. Isn't it? Is IE also susceptible? My IE 7.0 gets hanged whenever I visit startpnaic.com and click Check. Why?

21. #21 Giorgio says:
    May 13th, 2009 at 7:21 pm

    @Nilesh:

    The bug lifts information about visited website from the history. Isn’t it?

    Yes. More precisely, attackers can tell if a certain URL is present in your history or not (they're using a list of 100,000 to be impressive).

    Is IE also susceptible?

    Of course it is. Every modern browser susceptible.

    My IE 7.0 gets hanged whenever I visit startpnaic.com and click Check. Why?

    Because its JavaScript interpreter sucks?

22. #22 rvdh says:
    June 6th, 2009 at 12:26 pm

    fuck this is ..what.. 3 years old news? am I the only one without amnesia or what?

23. #23 Giorgio says:
    June 7th, 2009 at 11:38 am

    @rvdh:
    Did you notice the OP starts with "Nothing new" linked to a... what? ... 3 years old article? :P