Visited links and JavaScript: A privacy issue – Website owners can know websites you’ve visited before

By | August 17, 2012

JavaScript IconLock Icon

I recall reading an article several years ago about a privacy issue with regards to the difference in colours between visited links and unvisited links and that website owners can write some JavaScript to determine, based on certain differences between visited and unvisited hyperlinks, whether you have visited a website before. Of course this was (and still is) a privacy issue but some browsers have rectified what was previously a privacy issue by changing the way in which hyperlinks can be changed to prevent website owners from being able to determine whether a visitor has visited a certain website before. For example, Mozilla in 2010 had changed the way in which hyperlink colours can be fetched using JavaScript. In March 2010, a privacy engineer for Mozilla had announced that Firefox would in the near future be making some changes to “plug” the privacy issue by preventing layout-based, timing-based and computed style attacks. The most interesting looks to be timing-based attacks, as it isn’t the simplest form of determining hyperlinks that have already been visited by a visitor on a website that makes use of these flaws in order to understand what websites a visitor has visited before.

For users using older versions of Firefox, Internet Explorer or other browsers, it’s safe to assume websites can still use these kinds of methods to understand what websites you’ve visited before.

Why is it such an issue?

Well, it’s a flaw first and foremost and it needs to be fixed. If a website is going to find out as to what websites the user has visited before based on hyperlinks on the website that is different because the browser understands the user has visited those websites before, then the website should really be letting users know about their practices – not everyone would find it appealing that websites are snooping up information that to many is considered a privacy violation.

Furthermore, websites that do this may be snooping this information and storing it in a database and matching it against your IP address. The primary use for this is perhaps for advertising and marketing purposes; and by having this information they can display more targeted advertisements to you or even distribute this information to third parties – such as advertisers.

Of course, many people do not think it is much of a big issue, but there are equally people that think it is a privacy violation and that website owners should not be taking advantage of it to collect history information.

What has Mozilla changed to prevent this?

Layout-based Attacks – First and foremost, they have limited  as to what styling can be applied to visited links. Visited links can only be different in colour, background, outline, border, fill colours and SVG stroke. Mozilla states that other styling options either leak that the hyperlink has been visited before by “loading a resource or changing position or size of the styled content in the document”, which can otherwise be used to determine visited hyperlinks.

Timing-based Attacks – Mozilla will be changing “some of the guts of our layout engine to provide a fairly uniform flow of execution to minimize differences in layout time for visited and unvisited links”.

Computed Style Attacks – In Firefox, JavaScript is not going to have access to the same style data that it previously had access to. So when a website fetches the computed style of a visited hyperlink, Firefox will give it the style value of an unvisited hyperlink.

The privacy engineer at Mozilla had forewarned that these changes may make a few websites look a little different and “a few sites that use more than color to differentiate visited links may not slightly broken at first”. However, he acknowledged that “it’s the right trade-off to be sure we protect our users’ privacy.”
(Mozilla Blog)

About other browers.

If you’re running other browsers, it’s important to keep your browser up to date as other browsers may have followed suit after Mozilla had made changes to Firefox in March 2010. For all purposes and intents, running an outdated version of your browser is a security risk in itself – if you’re running Internet Explorer 6, 7 or 8 – you should update to Internet Explorer 9 (or whichever is the most stable version at a later point in time). If you’re running an older version of Firefox, you should update to the latest version. For Windows XP users, as of Firefox 14, XP is supported – because Internet Explorer 9 is not available for XP users, we recommend you opt for the latest stable version of Firefox.

Leave a Reply

Your email address will not be published. Required fields are marked *