09 Jun 2014 - The Dark Side

Tricking The User To Access Browser History Using A Pseudo-selector And Captchas

tl;dr: TinSnail recently published a nice demonstration that uses the :visited pseudo-selector to trick the user into revealing his browser history. While interesting, his small “game” was not something that could be commonly used against most users. I have tried to develop the idea by tricking the user while he is solving captchas.


A few random tries

I did not read what was displayed in the project’s GitHub README.MD, nor the :visited documentation, and tried to go quick and dirty:

  • Trying to read the displayed color from the browser API
  • Selecting the links matching the :visited pseudo-selector through some dirty $(':visited');

But after a few tries I understood that :visited is a kind of edge case, a dirty one. My first opinion now is that, no matter how restricted the allowed uses of :visited are, letting developers customize the user’s view according to the user’s history opens the gates to malicious practices. It is an old practice from the first days of the web that does not make sense from a security standpoint.

Let’s make a captcha

Then I started thinking that it was easy to make something that looks like a captcha (and could be a real one) but tricks the user into entering values that depend on his browsing history. I spent a few tries building a captcha, playing with image opacity according to the visited status of the page.

Bad idea again… After carefully reading the manual, I came up with something that really worked. The trick lies mostly in a few lines of CSS that make a letter visible or not depending on the browser history, without playing with transparency (which is not authorized):

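/* Unvisited link: the letter is drawn in white */
#captcha a {
    color: white;
}

/* Visited link: the same letter is drawn in black */
#captcha a:visited {
    color: black;
}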

The user sees a character only if he has visited the corresponding website, and he sees it in a context in which he is used to typing what he sees on the screen.
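One way to audit a stylesheet for the color split this trick depends on, as an added example that is not from the original post or its GitHub demo: the script lists every selector whose :visited color differs from its unvisited color. The function names and the sample CSS (including the nav rules) are constructed for illustration, and the parser assumes flat rules without @media nesting.

```javascript
// Added example (not from the original post): report selectors whose
// :visited color differs from the unvisited one.
// Constructed sample input; the nav rules are invented for contrast.
const SAMPLE_CSS = `
#captcha a { color: white; }
#captcha a:visited { color: black; }
nav a { color: #0645ad; text-decoration: none; }
nav a:visited { color: #0645ad; }
`;

// Some of the color properties browsers still apply inside :visited rules.
const VISITED_PROPS = ['color', 'background-color', 'border-color', 'outline-color'];

// Split a flat stylesheet (no @media nesting) into { selector, decls } records.
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^}]*)\}/g;
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  let m;
  while ((m = re.exec(text)) !== null) {
    const decls = {};
    for (const d of m[2].split(';')) {
      const i = d.indexOf(':');
      if (i > 0) decls[d.slice(0, i).trim().toLowerCase()] = d.slice(i + 1).trim().toLowerCase();
    }
    for (const sel of m[1].split(',')) rules.push({ selector: sel.trim(), decls });
  }
  return rules;
}

function findVisitedColorSplits(css) {
  const rules = parseRules(css);
  const findings = [];
  for (const v of rules.filter(r => r.selector.includes(':visited'))) {
    const base = v.selector.replace(':visited', '');
    for (const prop of VISITED_PROPS) {
      if (!(prop in v.decls)) continue;
      // The last unvisited rule with the same selector wins, as in the cascade.
      const plain = rules.filter(r => r.selector === base && prop in r.decls).pop();
      const unvisited = plain ? plain.decls[prop] : '(inherited or default)';
      if (unvisited !== v.decls[prop]) {
        findings.push({ selector: base, prop, unvisited, visited: v.decls[prop] });
      }
    }
  }
  return findings;
}

console.log(findVisitedColorSplits(SAMPLE_CSS));
```

A finding is a prompt for manual review rather than proof of abuse, since many sites restyle visited links for legitimate reasons.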

Making it real

On GitHub, you will find a demonstration and the related source code.

Credits

Credits must of course be given to TinSnail for his nice proof of concept.


Fräntz Miccoli

This blog is wrapping my notes about software engineering and computer science. My main interests are architecture, quality and machine learning but content in this blog may diverge from time to time.

Since a bit of time now, I am the happy cofounder, COO & CTO of Nexvia.

Ideas are expressed here to be challenged.

