Leaks browser history from :visited color #34

Open
zcorpan opened this issue Mar 28, 2024 · 5 comments

zcorpan commented Mar 28, 2024

From #13 (comment)

PoC: An image editor could provide an eyedropper, and when activated overlay the entire UI with a link with :visited { background-color: rgba(0, 0, 0, 0.05); }. When the user has picked a color, the page should know where the pointer is and therefore whether the link was visited.

Possible mitigation: Style all links as unvisited when the eyedropper is open? This would prevent some legitimate use cases (e.g., getting the color of a visited link when designing a website).

zcorpan commented Apr 3, 2024

w3c/csswg-drafts#3012 would address this.

emilio commented Apr 3, 2024

Does this attack actually work? The alpha channel gets dropped on visited colours.

That's not my understanding of @upsuper's original comment. That was more (iiuc) something like telling the user "go click the purple text", in which the page doesn't know which of n links is visited, but the user does.

zcorpan commented Apr 3, 2024

The alpha of :link will be used instead, but that can be almost-transparent and you can use a different background color to tell the difference with EyeDropper. PoC: https://software.hixie.ch/utilities/js/live-dom-viewer/saved/12527

zcorpan commented Apr 3, 2024

@upsuper's comment is a social engineering attack where the page can detect which link was clicked more simply with an event listener. The attack I described can be used as part of the user's normal workflow when using a web app where an eyedropper is normally used (e.g. image editor), and the web app can steal browser history information every time the user uses the eyedropper without them knowing.

The picked color will be slightly wrong, so it's possible that users would notice. Or maybe the webapp can post-process the picked color to undo the color change.

upsuper commented Apr 3, 2024

By my original comment, what was in my mind is more like having multiple semi-transparent links overlapping the same area, and guiding the user to pick the color of that area, and the page may be able to decode visited state from the color of all links inside. For example, we can have three links, one uses red, one uses green, and the other uses for visited color, then the existence of color in each channel reveals visited state of all three links.

> When the user has picked a color, the page should know where the pointer is and therefore whether the link was visited.

I don't think the API returns the pointer position. With mouse as input device, one may be able to observe mouse move event thereafter to have an approximation, though.
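
Added example, not part of the thread or of the EyeDropper proposal: a small model of the behaviour discussed above (a visited link takes its RGB from `:visited` and its alpha from `:link`), used to check that the proposed mitigation of styling all links as unvisited while the eyedropper is open makes the sampled pixel independent of history. The function names, the 8-bit rounding and the sample colours are assumptions constructed for illustration.

```javascript
// Added model (not code from the thread). Colours are {r, g, b, a}, a in [0, 1].

// Source-over compositing of one translucent layer onto an opaque backdrop,
// rounded to 8-bit channels (the rounding is an assumption of this model).
function composite(layer, backdrop) {
  const mix = (top, bottom) => Math.round(top * layer.a + bottom * (1 - layer.a));
  return {
    r: mix(layer.r, backdrop.r),
    g: mix(layer.g, backdrop.g),
    b: mix(layer.b, backdrop.b),
  };
}

// Background the link is painted with. For a visited link the RGB comes from
// the :visited rule and the alpha from the :link rule, as the thread notes.
// treatAsUnvisited models the mitigation: ignore visitedness while picking.
function paintedBackground(rules, visited, treatAsUnvisited) {
  if (!visited || treatAsUnvisited) return rules.link;
  return { ...rules.visited, a: rules.link.a };
}

// Pixel an eyedropper would sample over the link.
function sampledPixel(rules, backdrop, visited, treatAsUnvisited) {
  return composite(paintedBackground(rules, visited, treatAsUnvisited), backdrop);
}

// True when the sample differs between visited and unvisited, i.e. when the
// picked colour carries history information.
function sampleDependsOnHistory(rules, backdrop, treatAsUnvisited) {
  const v = sampledPixel(rules, backdrop, true, treatAsUnvisited);
  const u = sampledPixel(rules, backdrop, false, treatAsUnvisited);
  return v.r !== u.r || v.g !== u.g || v.b !== u.b;
}

// Constructed sample values for illustration.
const rules = {
  link: { r: 255, g: 255, b: 255, a: 0.05 },
  visited: { r: 0, g: 0, b: 0, a: 1 },
};
const backdrop = { r: 128, g: 128, b: 128 };

console.log("no mitigation:", sampleDependsOnHistory(rules, backdrop, false));
console.log("links styled as unvisited:", sampleDependsOnHistory(rules, backdrop, true));
```

In this model the sample stops depending on history only when visitedness is ignored during the pick or when the `:link` alpha is exactly 0.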
