evercookie

CSS history knocking / leak fixed?

Open mikeg-de opened this issue 7 years ago • 4 comments

Obtaining the computed color of visited links seems to be fixed back in 2010: http://stackoverflow.com/questions/5394099/detect-visited-link-in-chrome

Visited colors may be visible but the standard value is retrieved / provided by the browser.

mikeg-de avatar Jul 07 '16 10:07 mikeg-de

True. It is still possibly exploitable and I'm open to suggestions or updates. HSTS is also worth looking into, although there have been some fixes there too: https://github.com/diracdeltas/sniffly

samyk avatar Jul 07 '16 11:07 samyk

I have tried it with:

  • width, height
  • font-size, line-height, letter-spacing, font-family
  • margin, padding (pos. and neg.)
  • position
  • display
  • selectors like + or ~ with a second control link
  • nested spans with the above declarations
  • color rgba, hsla
  • border or background image
  • border-clip
  • transition

but no effect could be accessed by getComputedStyle, as stated on developer.mozilla.org.

Though I had the idea of using the HTML5 Resource Timing API. By assuming someone has visited a particular website, i.e. a company-wide login page, its resources or connection information should be cached. Attaching the resource to the DOM and checking the resource timing metrics would reveal if the user has visited the website.

I could not probe the limitations completely at present, but I think the major ones are:

  • Cache limitations like no-cache
  • Missing Timing-Allow-Origin response header
  • Backwards compatibility: caniuse.com points out Safari as the bottleneck

Check it out: User identification with HTML5 Resource API

In my proof of concept it seems to work: 1st-load-no-cache 2nd-load-with-deleted-cookie

mikeg-de avatar Jul 12 '16 07:07 mikeg-de
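The Resource Timing probe sketched in the comment above, as an added example (this is not code from the evercookie project or from the proof of concept linked there). It assumes a resource the target site always serves (the `logo.png` URL, the `CACHE_LATENCY_MS` threshold and the sample entries are all made up for illustration) and shows the two caveats from the limitation list: without `Timing-Allow-Origin` the browser zeroes the size and sub-timing fields of a cross-origin entry, so a zero `transferSize` alone must not be read as a cache hit, and a resource served with `Cache-Control: no-store` will always look like a network fetch.

```javascript
// Added example, not evercookie code: classify a Resource Timing entry as a
// cache hit or a network fetch, then (browser only) attach a resource to the
// DOM and wait for its entry.

// Assumed threshold for the fallback when sub-timings are unavailable: a
// disk/memory cache hit typically completes within a few milliseconds.
const CACHE_LATENCY_MS = 20;

// Classify one PerformanceResourceTiming entry (or a plain object with the
// same fields, for offline testing).
// Returns 'cached' | 'network' | 'likely-cached' | 'likely-network' | 'unknown'.
function classifyEntry(entry) {
  // Without a Timing-Allow-Origin header the browser reports 0 for
  // transferSize, encodedBodySize and the DNS/TCP/request sub-timings of a
  // cross-origin entry. Only startTime, fetchStart, responseEnd and duration
  // survive, so a zero transferSize is ambiguous on its own.
  const taoAllowed = entry.encodedBodySize > 0 || entry.responseStart > 0;
  if (taoAllowed) {
    // With TAO: a cache hit has transferSize 0 while encodedBodySize still
    // reports the body size; a fetch from the network has transferSize > 0.
    if (entry.transferSize === 0 && entry.encodedBodySize > 0) return 'cached';
    if (entry.transferSize > 0) return 'network';
  }
  // Fallback on the coarse duration. Heuristic, so report a weaker verdict.
  if (entry.duration >= 0 && entry.duration < CACHE_LATENCY_MS) return 'likely-cached';
  if (entry.duration >= CACHE_LATENCY_MS) return 'likely-network';
  return 'unknown';
}

// Constructed sample entries (field shapes from the Resource Timing spec;
// the numbers are invented, not real measurements).
const SAMPLE_ENTRIES = {
  cachedWithTao:  { name: 'https://login.example.test/logo.png', transferSize: 0,    encodedBodySize: 4096, responseStart: 12.5, duration: 3.1 },
  networkWithTao: { name: 'https://login.example.test/logo.png', transferSize: 4400, encodedBodySize: 4096, responseStart: 85.0, duration: 120.4 },
  cachedNoTao:    { name: 'https://login.example.test/logo.png', transferSize: 0,    encodedBodySize: 0,    responseStart: 0,    duration: 2.4 },
  networkNoTao:   { name: 'https://login.example.test/logo.png', transferSize: 0,    encodedBodySize: 0,    responseStart: 0,    duration: 97.8 },
};

// Browser only: load url as an image and resolve with the classification of
// its timing entry. A target served with Cache-Control: no-store defeats the
// probe (it will always classify as a network fetch).
function probeResource(url, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    if (typeof document === 'undefined' || typeof PerformanceObserver === 'undefined') {
      reject(new Error('browser only'));
      return;
    }
    const timer = setTimeout(() => { observer.disconnect(); resolve('unknown'); }, timeoutMs);
    const observer = new PerformanceObserver((list) => {
      const entry = list.getEntries().find((e) => e.name === url);
      if (entry) {
        clearTimeout(timer);
        observer.disconnect();
        resolve(classifyEntry(entry));
      }
    });
    observer.observe({ type: 'resource', buffered: true });
    // A decode error on a non-image body still leaves a timing entry behind,
    // so onerror is deliberately not treated as a failure here.
    const img = new Image();
    img.src = url;
  });
}

// Offline demonstration on the constructed entries.
for (const [label, entry] of Object.entries(SAMPLE_ENTRIES)) {
  console.log(label, '->', classifyEntry(entry));
}
```

In a page, `probeResource('https://login.example.test/logo.png').then(console.log)` runs the probe; the first visit yields `network` (or `likely-network` without TAO) and a repeat visit yields `cached`, matching the two screenshots in the comment.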

Good testing. Have you tried seeing if you could glean information by using the visited css attribute to adjust the size of one object, but then obtaining information on a different object on the page which would have been affected? For example, if something is larger because it was visited, the object next to it should be in a different position on the page (or perhaps wrap).

Another thing I'd suggest investigating, though this is on a per-page basis, is if a resource behaves differently if a cookie is already set (user already visited or logged into the site), using that resource in a script tag or CSS tag. If you can use the remote resource as a CSS object style (even if it's not entirely valid), and some of the page is different based on whether the user has visited or logged into it before, then you may be able to glean if they've been to that site or more likely are logged in.

samyk avatar Jul 12 '16 18:07 samyk
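A harness for the two probes suggested in the comment above, as an added example (not code from the evercookie project). It assumes the probe URLs, the `never-visited.invalid` control URL and the sample rectangles, which are all constructed here. Probe (1) widens a `:visited` link and measures whether the element next to it moved; in a current browser the expected outcome is "no difference", because since the 2010 fix `:visited` may only change colour-type properties and layout is computed from the unvisited rule. Probe (2) loads a cross-site resource in a `<script>` tag: the element fires `error` on a non-OK HTTP status and `load` otherwise, so a resource that answers 200 only to a logged-in session and 401/403 otherwise leaks the login state. Whether a given site has such a resource is site-specific.

```javascript
// Added example, not evercookie code: (1) :visited layout side-effect probe,
// (2) cookie-dependent resource probe via a <script> tag.

// Pure helper: do two DOMRect-like boxes differ beyond a sub-pixel tolerance?
function layoutDiffers(a, b, tolerance = 0.5) {
  return ['x', 'y', 'width', 'height'].some(
    (k) => Math.abs((a[k] || 0) - (b[k] || 0)) > tolerance
  );
}

// Constructed rectangles (invented, not real measurements) to exercise the
// helper offline: 'same' differs only by sub-pixel rounding, 'shifted' is
// what a leak would look like (the neighbour pushed to the right).
const SAMPLE_RECTS = {
  control: { x: 10,   y: 20, width: 80, height: 16 },
  same:    { x: 10.2, y: 20, width: 80, height: 16 },
  shifted: { x: 70,   y: 20, width: 80, height: 16 },
};

// Browser only. For each url, renders "<a class=probe href=url>x</a><span>m</span>"
// under a stylesheet that makes a :visited link wider, measures the <span>'s
// box relative to its wrapper, and compares it with a control link whose URL
// can never have been visited.
function probeVisitedLayout(urls, controlUrl = 'https://never-visited.invalid/') {
  if (typeof document === 'undefined') throw new Error('browser only');
  const style = document.createElement('style');
  style.textContent =
    'a.probe { display: inline-block; width: 20px; }' +
    'a.probe:visited { display: inline-block; width: 200px; }';
  document.head.appendChild(style);

  const measure = (url) => {
    const wrap = document.createElement('div');
    const a = document.createElement('a');
    a.className = 'probe';
    a.href = url;
    a.textContent = 'x';
    const marker = document.createElement('span');
    marker.textContent = 'm';
    wrap.append(a, marker);
    document.body.appendChild(wrap);
    const r = marker.getBoundingClientRect();
    const box = {
      x: r.left - wrap.getBoundingClientRect().left,
      y: 0,
      width: r.width,
      height: r.height,
    };
    wrap.remove();
    return box;
  };

  const control = measure(controlUrl);
  const results = urls.map((url) => ({ url, moved: layoutDiffers(control, measure(url)) }));
  style.remove();
  return results;
}

// Browser only. Resolves 'loaded' when the script element fires load (HTTP
// 2xx), 'error' when it fires error (network failure or non-OK status).
function probeScriptLoads(url) {
  if (typeof document === 'undefined') return Promise.reject(new Error('browser only'));
  return new Promise((resolve) => {
    const s = document.createElement('script');
    s.onload = () => { s.remove(); resolve('loaded'); };
    s.onerror = () => { s.remove(); resolve('error'); };
    s.src = url;
    document.head.appendChild(s);
  });
}

// Offline demonstration of the comparison step on the constructed boxes.
console.log('same    ->', layoutDiffers(SAMPLE_RECTS.control, SAMPLE_RECTS.same));
console.log('shifted ->', layoutDiffers(SAMPLE_RECTS.control, SAMPLE_RECTS.shifted));
```

In a page, `probeVisitedLayout(['https://example.test/'])` should return `moved: false` for every URL in a current browser, and `probeScriptLoads('https://example.test/api/me')` gives a per-site answer that only means something once the target's responses for logged-in and logged-out sessions have been compared by hand.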

Also worth investigating: https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html

samyk avatar Aug 04 '16 18:08 samyk