09 Jun 2014

Tricking The User To Access Browser History Using A Pseudo-selector And Captchas

tl;dr: Recently TinSnail has provided a nice demonstration, using :visited pseudo-selector to trick the user into revealing his browser history. While interesting his small "game" was not something that could be commonly used against most users. I have tried to develop the idea tricking the user during its usage of captchas.


A few random tries

I did not read what was display on the project's GitHub README.MD, nor :visited documentation and tried to go quick and dirty:

  • Trying to read from the browser API what was the color displayed
  • Selecting the link matching the :visited pseudo selector through some dirty $(':visited');

But after a few tries I understood that :visited is a kind of edge case, a dirty one, and now my first opinion, is that, no matter how restricted the allowed uses of :visited, letting developers customize the user view according to the user's history is opening gates to malicious practices. An old practice from the first days of the web that is not making sense on a security standpoint.

Let's make a captcha

Then I started thinking that it was easy to make something that looks like a captcha (and could be a real one) but tricks the user to input values according to his browsing history. I spent a few tries building a captcha, playing with image opacity according to the visited status of the page.

Bad idea again... After reading carefully the manual, I came out with something which was really working. The trick lies mostly in a few line of CSS code that will make a letter visible or not depending on the browser history without playing with transparency (which is not authorized):

#captcha a {
    color: white;
}

#captcha a:visited {
    color: black;
}

The users sees a character only if he has visited a website in a context in which he is used to input what he sees on the screen.

Making it real

On GitHub, you will find a demonstration and the related source code.

Credits

Credits must of course be given to TinSnail for his nice proof of concept.


Fräntz Miccoli

This blog is wrapping my notes about software engineering and computer science. My main interests are architecture, quality and machine learning but content in this blog may diverge from time to time.

Ideas expressed are here to be challenged.

About me (outdated) Out Of The Comfort Zone Twitter