(Press-News.org) The Web surfing history saved in your Web browser can be accessed without your permission. JavaScript code deployed by real websites and online advertising providers use browser vulnerabilities to determine which sites you have and have not visited, according to new research from computer scientists at the University of California, San Diego.
The researchers documented JavaScript code secretly collecting browsing histories of Web users through "history sniffing" and sending that information across the network. While history sniffing and its potential implications for privacy violation have been discussed and demonstrated, the new work provides the first empirical analysis of history sniffing on the real Web.
"Nobody knew if anyone on the Internet was using history sniffing to get at users' private browsing history. What we were able to show is that the answer is yes," said UC San Diego computer science professor Hovav Shacham.
The computer scientists from the UC San Diego Jacobs School of Engineering presented this work in October at the 2010 ACM Conference on Computer and Communications Security (CCS 2010) in a paper entitled, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications".
History Sniffing
History sniffing takes place without your knowledge or permission and relies on the fact that browsers display links to sites you've visited differently than ones you haven't: by default, visited links are purple, unvisited links blue.
History sniffing JavaScript code running on a Web page checks to see if your browser displays links to specific URLs as blue or purple.
History sniffing can be used by website owners to learn which competitor sites visitors have or have not been to. History sniffing can also be deployed by advertising companies looking to build user profiles, or by online criminals collecting information for future phishing attacks. Learning what banking site you visit, for example, suggests which fake banking page to serve up during a phishing attack aimed at collecting your bank account login information.
"JavaScript is a great thing, it allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities. We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack," said UC San Diego computer science professor Sorin Lerner.
The latest versions of Firefox, Chrome, and Safari now block the history sniffing attacks the computer scientists monitored. Internet Explorer, however, does not currently defend against history sniffing. In addition, anyone using anything but the latest versions of the patched browsers is also vulnerable.
Sniffing out History Sniffing
"We built a dynamic data flow engine for JavaScript to track history sniffing in the wild. I don't know of any other practical tool that can be used to do this kind of extensive study," said Dongseok Jang, the UC San Diego computer science Ph.D. student who developed the JavaScript monitoring technology. The researchers plan to broaden their work and study what information is being leaked by applications on social media and other Web 2.0 sites.
The computer scientists looked for history sniffing on the front pages of the top 50,000 websites, according to Alexa global website rankings. They found that 485 of the top 50,000 sites inspect style properties that can be used to infer the browser's history. Out of 485 sites, 63 transferred the browser's history to the network. "We confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100," the UC San Diego computer scientists write in the CCS 2010 paper: http://cseweb.ucsd.edu/~hovav/papers/jjls10.html
Table 1 in the paper outlines the websites the computer scientists found that performed history sniffing during the data collection period. In some cases, the websites created their own history sniffing systems. In other cases, advertisements served by outside companies contained JavaScript code performing the history sniffing.
History Sniffing in Perspective
The computer scientists say that history sniffing does not pose as great a risk to your privacy or identity as malicious software programs (malware) that can steal your banking information or your entire Facebook profile. But, according to Shacham, "history sniffing is unusual in effectively allowing any site you visit to learn about your browsing habits on any other site, regardless if the two sites have any business relationship."
"I think people who have updated or switched browsers should now worry about things other than history sniffing, like keeping their Flash plug-in up to date so they don't get exploited. But that doesn't mean that the companies that have engaged in history sniffing for the currently 60 percent of the user population that is vulnerable to it should get a free pass," said Shacham.
Tracking History Sniffing
The UC San Diego history-sniffing detection tool analyzes the JavaScript running on the page to identify and tag all instances where the browser history is being checked. The way the system tags each of these potential history tracking events can be compared to the ink or paint packets that banks add to bags of money being stolen.
"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that. Some sites collected that information but never sent it over the network, so there was all this 'paint' inside the browser. But in other cases, we observed 'paint' being sent over the network, indicating that history sniffing is going on," explained Lerner. The computer scientists only considered it history sniffing when the browser history information was sent over the network to a server.
"We detected when browser history is looked at, collected on the browser and sent on the network from the browser to their servers. What servers then do with that information is speculation," said Lerner.
The "paint" tracking approach to monitoring JavaScript could be useful for more than just history sniffing, Lerner explained. "It could be useful for understanding what information is being leaked by applications on Web 2.0 sites. Many of these apps use a lot of JavaScript."
INFORMATION:
Dongseok Jang, Ranjit Jhala, Sorlin Lerner, and Hovav Shacham. "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications." In A. Keromytis and V. Shmatikov, eds., Proceedings of CCS 2010, pages 270. ACM Press, Oct. 2010.
The computer scientists have a National Science Foundation (NSF) trustworthy computing grant on java script and Web security that is funding related work.
Your Web surfing history is accessible (without your permission) via JavaScript
UC San Diego computer scientists provide first empirical analysis of history sniffing on the real Web
2010-12-04
ELSE PRESS RELEASES FROM THIS DATE:
Graptolite fauna indicates the beginning of the Kwangsian Orogeny
2010-12-04
Our research at the State Key Laboratory of Palaeobiology and Stratigraphy, Nanjing Institute of Geology and Palaeontology, has shown, based on a refined division and correlation of the graptolite-bearing strata in southern Jiangxi, China, that the Kwangsian Orogeny commenced in the early Katian Age of the Late Ordovician. Because of its significant research value, this study is published in Issue 11 of Science China Earth Sciences.
An angular unconformity separating the Lower-Middle Devonian and underlying strata is widespread in the Zhujiang region of South China, and ...
India launch of food security report focuses on rice
2010-12-04
Mumbai, India – The International Rice Research Institute (IRRI) and the Asia Society launched a new food security report for Asia in Mumbai today, calling for increased investment in rice research.
The report, Never an empty bowl: sustaining food security in Asia, emphasizes the importance of rice as the primary staple food in Asia and a major source of income for Asian farmers. Existing global efforts to combat hunger and achieve food security are evaluated in the report, which also recommends more research on: climate change mitigation for farming, farming infrastructure, ...
Smashing fluids: The physics of flow
2010-12-04
VIDEO:
Hit it hard and it will fracture like a solid, but tilt it slowly and it will flow like a fluid. This is the intriguing property of a type of...
Click here for more information.
The new findings will be highly useful to the manufacturing industry because the processing and dispensing of everyday products like toothpaste, cosmetics, pharmaceuticals and foodstuffs depends on an understanding of the physical properties and behaviours of these fluids.
The research ...
What can ice reveal about fire?
2010-12-04
Scientists studying a column of Antarctic ice spanning 650 years have found evidence for fluctuations in biomass burning--the consumption of wood, peat and other materials in wildfires, cooking fires and communal fires--in the Southern Hemisphere.
The record, focused primarily on carbon monoxide (CO), differs substantially from the record in the Northern Hemisphere, suggesting changes may be necessary for several leading climate models.
The research appears in Science on Dec. 2, 2010, in an early online release.
The scientists studied variations in stable (non-radioactive, ...
New report summarizes key themes in American doctoral education
2010-12-04
A new report recently released by the National Science Foundation, titled "Doctorate Recipients from U.S. Universities: 2009," presents a statistical overview of the U.S. doctoral education system in snapshots and long-term trends.
It notes the American system of doctoral education is widely considered the world's best, as evidenced by the large number of international students who choose to pursue a doctorate at U.S. universities. But this status is subject to the many factors that shape U.S. doctoral education.
"Given the increased global engagement and economic prosperity ...
Researchers create high performance infrared camera based on type-II InAs/GaSb superlattices
2010-12-04
Researchers at Northwestern University have created a new infrared camera based on Type-II InAs/GaSb superlattices that produces much higher resolution images than previous infrared cameras.
Created by Manijeh Razeghi, Walter P. Murphy Professor of Electrical Engineering and Computer Science, and researchers in the Center for Quantum Devices in the McCormick School of Engineering and Applied Science, the long wavelength infrared focal plane array camera provides a 16-fold increase in the number of pixels in the image and can provide infrared images in the dark. Their ...
Researchers create new high-performance fiber
2010-12-04
Researchers at Northwestern University have nanoengineered a new kind of fiber that could be tougher than Kevlar.
Working in a multidisciplinary team that includes groups from other universities and the MER Corporation, Horacio Espinosa, James N. and Nancy J. Farley Professor in Manufacturing & Entrepreneurship at the McCormick School of Engineering and Applied Science, and his group have created a high performance fiber from carbon nanotubes and a polymer that is remarkably tough, strong, and resistant to failure. Using state-of-the-art in-situ electron microscopy testing ...
The gene-environment enigma
2010-12-04
Personalized medicine centers on being able to predict the risk of disease or response to a drug based on a person's genetic makeup. But a study by scientists at Washington University School of Medicine in St. Louis suggests that, for most common diseases, genes alone only tell part of the story.
That's because the environment interacts with DNA in ways that are difficult to predict, even in simple organisms like single-celled yeast, their research shows.
"The effects of a person's genes – and, therefore, their risk of disease – are greatly influenced by their environment," ...
Preventing physician medication mix-ups by reporting them
2010-12-04
INDIANAPOLIS – The most frequent contributors to medication errors and adverse drug events in busy primary care practice offices are communication problems and lack of knowledge, according to a study of a prototype web-based medication error and adverse drug event reporting system.
Research on the use of MEADERS (Medication Error and Adverse Drug Event Reporting System), developed by investigators from the Regenstrief Institute and Indiana University School of Medicine led by Atif Zafar, M.D., appears in the November/December 2010 issue of the Annals of Family Medicine.
"We ...
Albert Einstein College of Medicine helps address need for improved cancer care in rural America
2010-12-04
December 2, 2010 – (BRONX, NY) – Nearly a quarter of Americans live in rural areas, which consistently report higher cancer mortality rates than urban and suburban areas. Among the complex causes for this disparity is that only 10 percent of physicians practice in rural areas and almost 4 out of 10 rural residents live at least an hour from an urban area. Finding the time, transportation, and financial resources for travel to urban academic medical centers, the standard bearers for quality cancer care, often proves difficult. Most rural residents have their cancer treated ...
LAST 30 PRESS RELEASES:
How can we reduce adolescent pregnancies in low- and middle-income countries?
When sun protection begets malnutrition: vitamin D deficiency in Japanese women
Cannabis use can cause chromosomal damage, increasing cancer risk and harming offspring
Survey finds many Americans apply misguided and counterproductive advice to combat holiday weight gain
New study reveals half a century of change on Britain’s iconic limestone pavements
Green flight paths could unlock sustainable aviation, new research suggests
Community partners key to success of vaccine clinic focused on neurodevelopmental conditions
Low-carbon collaborative dual-layer optimization for energy station considering joint electricity and heat demand response
McMaster University researchers uncover potential treatment for rare genetic disorders
The return of protectionism: The impact of the Sino-US trade war
UTokyo and NARO develop new vertical seed distribution trait for soybean breeding
Research into UK’s use of plastic packaging finds households ‘wishcycle’ rather than recycle – risking vast contamination
Vaccine shows promise against aggressive breast cancer
Adverse events affect over 1 in 3 surgery patients, US study finds
Outsourcing adult social care has contributed to England’s care crisis, argue experts
The Lancet: Over 800 million adults living with diabetes, more than half not receiving treatment, global study suggests
New therapeutic approach for severe COVID-19: faster recovery and reduction in mortality
Plugged wells and reduced injection lower induced earthquake rates in Oklahoma
Yin selected as a 2024 American Society of Agronomy Fellow
Long Covid could cost the economy billions every year
Bluetooth technology unlocks urban animal secrets
This nifty AI tool helps neurosurgeons find sneaky cancer cells
Treatment advances, predictive biomarkers stand to improve bladder cancer care
NYC's ride-hailing fee failed to ease Manhattan traffic, new NYU Tandon study reveals
Meteorite contains evidence of liquid water on Mars 742 million years ago
Self-reported screening helped reduce distressing symptoms for pediatric patients with cancer
Which risk factors are linked to having a severe stroke?
Opening borders for workers: Abe’s profound influence on Japan’s immigration regime
How skills from hospitality and tourism can propel careers beyond the industry
Research shows managers of firms handling recalls should review media scrutiny before deciding whether to lobby
[Press-News.org] Your Web surfing history is accessible (without your permission) via JavaScriptUC San Diego computer scientists provide first empirical analysis of history sniffing on the real Web