What are you sharing? – Browser History Scraping

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time.

-FDIC, Safe Internet Banking

Any time you visit a website, you're providing the opportunity for that website to discover a lot of information about you.  Cross-site scripting (XSS) vulnerabilities in websites could allow a malicious third-party site to gain access to your email, your Facebook account, your bank account, credit cards, etc.  Security vulnerabilities in browsers, link handlers, embedded media players, and other software could be used to compromise your local machine and monitor everything you do in the background.

Even if all the security vulnerabilities across the Internet were somehow fixed, the conveniences browsers offer you by design still create the potential for misuse and abuse.  All of the main browsers save some sort of browsing history.  They also let a website you visit change the color of visited links.  By creating a page that has a list of links, and then iterating through them to see what color they are, a site can find out which sites that computer has visited.

Your browsing history is likely to show whether you use MySpace or Facebook, Google or Yahoo, which bank you use, what sites you shop at, what YouTube videos you’ve watched, etc.  This information could be used for your benefit, like linking an address to your preferred mapping website.  It could also be used for marketing research, or to get enough information to make a good social engineering request to get even more information.

This isn’t considered a security vulnerability; it’s part of the design of the Internet.  As such, the use of anti-spyware and anti-virus software will do nothing to protect you.  There are no files you have to install, no popups you have to allow or deny.  You unknowingly provide all of this information by simply viewing a web page.

To protect yourself from this, one of the best options is to either turn off your browser history or clear it regularly.  With the many browser security vulnerabilities that exist, an even better practice is to use a separate browser from the one you normally use when you visit sites that contain sensitive information, like your bank.
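The link-color check described above and the clear-your-history defense, shown as an added example (not code from the original post) that runs against a constructed in-memory model instead of a real browser. `ModelBrowser`, its methods, the color values and the `*.example` URLs are assumptions; the `hideVisitedFromScript` option models a browser that always reports the unvisited color to page script.

```javascript
// Constructed model for illustration: no real DOM or browsing history is touched.
const VISITED = "rgb(85, 26, 139)";   // assumed default purple for visited links
const UNVISITED = "rgb(0, 0, 238)";   // assumed default blue for unvisited links

// Hypothetical stand-in for a browser: it owns the history and decides
// which link color page script is allowed to read back.
class ModelBrowser {
  constructor(history, { hideVisitedFromScript = false } = {}) {
    this.history = new Set(history);
    this.hideVisitedFromScript = hideVisitedFromScript;
  }
  // Color drawn on screen for the user; always follows the real history.
  paintedColor(url) {
    return this.history.has(url) ? VISITED : UNVISITED;
  }
  // Color returned to page script (models reading a link's computed color).
  scriptVisibleColor(url) {
    return this.hideVisitedFromScript ? UNVISITED : this.paintedColor(url);
  }
  // The user-side defense from the article: clear the saved history.
  clearHistory() {
    this.history.clear();
  }
}

// The loop the article describes: walk a list of links, read each color,
// and treat links reported in the visited color as sites this computer has been to.
function inferVisited(browser, candidateUrls) {
  return candidateUrls.filter((url) => browser.scriptVisibleColor(url) === VISITED);
}

// Constructed sample data; the *.example hosts are placeholders.
const HISTORY = ["https://bank-a.example/", "https://video.example/watch?v=1"];
const CANDIDATES = ["https://bank-a.example/", "https://bank-b.example/",
                    "https://video.example/watch?v=1"];

function runScenarios() {
  const byDesign = new ModelBrowser(HISTORY);
  const leaked = inferVisited(byDesign, CANDIDATES);       // history is readable
  byDesign.clearHistory();
  const afterClear = inferVisited(byDesign, CANDIDATES);   // nothing left to read
  const hardened = new ModelBrowser(HISTORY, { hideVisitedFromScript: true });
  const fromHardened = inferVisited(hardened, CANDIDATES); // script sees only UNVISITED
  const userStillSees = hardened.paintedColor(HISTORY[0]) === VISITED;
  return { leaked, afterClear, fromHardened, userStillSees };
}

console.log(runScenarios());
```

In the model, clearing history removes the signal at its source, while hiding the visited color from script keeps the on-screen convenience for the user and still returns nothing to the page.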

For a quick demonstration of this concept in action, visit http://www.whoismybank.com.  This site does not store any of your information.

