In the original proof of concept, a Web site was set up with a script that lists the sites that the user had visited. This was done by creating a set of links and looking up the color attribute of the link text. If the link was visited, it was rendered in a different color than if the page was not visited. The script goes through each of the links, checks the colors and reports back to the owner of the site.
This attack is not equivalent to being able to steal a user’s entire history. In this case, the attacker only has the ability to query whether the user has seen a specific site. This attack could be used by companies trying to profile the interests of visitors for targeted advertising, merchants checking to see which competitors a visitor to their site has visited, or for other more devious information-gathering tasks. This sort of attack could be used by phishers to identify which banks a user frequents and use that information to send targeted phishing attacks.
This interesting type of breach in privacy results from the browser’s ability to access its own history and use that information to modify the pages displayed. CSS is a powerful tool for Web design, but since it can be used to create conditional logic based on automatic input from the browser, it can also lead to this type of attack. One way to prevent this attack is to use the Firefox plug-in SafeHistory. The paper Protecting browser state from web privacy attacks by Jackson et al. discusses further ramifications of this CSS design decision and possible ways to protect against it.
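The color check described above and the effect of one defence, as an added example that is not from the original article: a toy model in plain JavaScript (no DOM, no real browser) in which the hardened model always reports the unvisited color to script, the approach browsers later adopted for computed styles on links. The history, URLs, colors and function names are constructed for illustration.

```javascript
// Toy model of link colouring: no DOM, no real browser, constructed data only.
const UNVISITED = "rgb(0, 0, 238)";
const VISITED = "rgb(85, 26, 139)";

// Constructed browsing history of the simulated user.
const userHistory = new Set([
  "https://bank-a.example/",
  "https://news.example/",
]);

// Colour the renderer paints for the user; the same in both models.
function paintedColor(url) {
  return userHistory.has(url) ? VISITED : UNVISITED;
}

// Legacy model: script reads back exactly what was painted.
function legacyScriptColor(url) {
  return paintedColor(url);
}

// Hardened model: script is always told the unvisited colour.
function hardenedScriptColor(_url) {
  return UNVISITED;
}

// The check from the text: one link per candidate URL, compare colours.
// It can only answer yes/no for URLs the page author thought to list.
function probe(candidates, scriptColor) {
  return candidates.filter((url) => scriptColor(url) !== UNVISITED);
}

// Constructed candidate list; news.example is visited but never asked about.
const candidates = [
  "https://bank-a.example/",
  "https://bank-b.example/",
  "https://shop.example/",
];

function demo() {
  return {
    legacy: probe(candidates, legacyScriptColor),
    hardened: probe(candidates, hardenedScriptColor),
    stillPaintedVisited: paintedColor("https://bank-a.example/") === VISITED,
  };
}

console.log(demo());
```

In the legacy model the probe recovers only the visited entries from its own candidate list, which matches the article's point that this is a per-site query rather than a dump of the whole history; in the hardened model it recovers nothing while the user still sees visited links painted differently.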