A clever hack to determine which sites you've visited

Aza Raskin has done it - he's written a piece of JavaScript that exploits a bug in CSS to determine where you've been on the web. He is positioning it as something useful: showing users only the social networking sites that they've visited, to avoid "badge blindness". And it is useful. But it's also an invasion of privacy.

First, how it works. If you read the script, he creates a new iframe and writes a bunch of URLs into it, with style attributes set so that each link looks different depending on whether it has or has not been visited. He then checks the style of each URL node. Pretty simple. Ordinarily you cannot tell what the style of a visited link is, because that would be a privacy concern. But Aza got around it.
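A defender-side sketch of how the pattern described above could be flagged when auditing third-party scripts. This is an added example, not Aza Raskin's script or code from the original post; the function name, signal names, URL threshold and sample fragments are all assumptions constructed for illustration.

```javascript
// Added example: heuristic static check; names, threshold and samples are constructed.
const SIGNALS = {
  visitedRule: /:visited\b/i,                               // styles visited links differently
  styleRead: /\bgetComputedStyle\s*\(|\.currentStyle\b/,    // reads a node's rendered style
  scratchFrame: /createElement\s*\(\s*['"]iframe['"]\s*\)/i // builds an iframe to write into
};
const URL_LITERAL = /https?:\/\/[^\s'"<>)]+/gi;
const MIN_URLS = 3; // assumed cut-off for "a bunch of URLs"

function auditScript(source) {
  const signals = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(source));
  const urls = new Set((source.match(URL_LITERAL) || []).map((u) => u.toLowerCase()));
  // A :visited rule or a style read alone is ordinary page code; the pair is the pattern.
  const paired = signals.includes("visitedRule") && signals.includes("styleRead");
  let verdict = "clean";
  if (paired) verdict = urls.size >= MIN_URLS ? "likely-history-probe" : "review";
  return { verdict, signals, urlCount: urls.size };
}

// Constructed fragments for the check to read; they are not a working script.
const probeLike = [
  'var frame = document.createElement("iframe");',
  'var css = "a:visited { color: rgb(255, 0, 0); }";',
  'var sites = ["http://social-a.example/", "http://social-b.example/", "http://social-c.example/"];',
  'var seen = getComputedStyle(link, null).color;'
].join("\n");
const themeOnly = 'var css = "a:visited { color: purple; }";';
const layoutOnly = 'var w = getComputedStyle(box).width; load("https://cdn.example/app.js");';

for (const [name, src] of Object.entries({ probeLike, themeOnly, layoutOnly })) {
  console.log(name, JSON.stringify(auditScript(src)));
}
```

The check is purely textual, so minified or obfuscated code can slip past it; treat a "review" verdict as a prompt to read the script by hand.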

Second, how to defeat it. The bottom line is that the only way is to disable your browser history. You could specifically defeat this script with a bit of Greasemonkey, but a) most people won't bother and b) even if they did it would be easy to counteract.

I would guess that we'll be seeing a patch from the browser vendors soon.
