Browser history bug can be used to show recently visited websites
According to Google security researcher Michal Zalewski, there is a new privacy hole we should definitely know about: scammers may be able to steal visitors’ surfing history no matter which browser the user runs, whether Internet Explorer, Chrome or Firefox. According to the researcher’s informal test, his recently found method can list the recently visited sites on computers running either Microsoft Windows or Apple OS X, and it works even if all updates are downloaded.
More than one year ago, scammers were found stealing visitors’ browsing habits by targeting a browser vulnerability. This vulnerability, found on more than 45 domains such as YouPorn.com and others, let them see recently visited websites differently from non-visited ones. Of course, browser makers have closed this hole, and hackers are expected to look for better ways to extract a user’s browsing history, ones that are not so slow or so easy to detect. One of them is called ‘cache timing’.
According to Zalewski, this method begins by loading an iframe tag containing a list of websites accessed by a visitor. It then measures how quickly the websites load; those that load more quickly are the ones stored in the browser cache. Scammers may use this method to overcome the earlier problems and test more than 50 websites per second without any noticeable signs.
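
The signal described above exists only while every site shares one cache. The following toy model is an added example, not code from the article or from Zalewski. It compares a shared cache with one keyed by top-level site, the partitioning mitigation browsers have since adopted; the site names, latencies and threshold are constructed values.

```javascript
// Added illustration: toy model of an HTTP cache, not real browser code.
// Latencies, threshold and site names are constructed sample values.
const HIT_MS = 2, MISS_MS = 80, THRESHOLD_MS = 20;

class ToyCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }
  // A partitioned cache keys each entry by (top-level site, resource URL);
  // a shared cache keys by resource URL alone.
  key(topSite, url) {
    return this.partitioned ? `${topSite}|${url}` : url;
  }
  // Returns the simulated load time, then stores the resource as a cache would.
  load(topSite, url) {
    const k = this.key(topSite, url);
    const ms = this.entries.has(k) ? HIT_MS : MISS_MS;
    this.entries.add(k);
    return ms;
  }
}

// What an unrelated page can conclude from load times alone.
function inferVisited(partitioned) {
  const cache = new ToyCache(partitioned);
  // The user browses two sites directly; each loads its own logo.
  for (const site of ["news.example", "bank.example"]) {
    cache.load(site, `https://${site}/logo.png`);
  }
  // Later, a different top-level page times the same resources plus one
  // belonging to a site the user never opened.
  const candidates = ["news.example", "bank.example", "shop.example"];
  const result = {};
  for (const site of candidates) {
    const ms = cache.load("other.example", `https://${site}/logo.png`);
    result[site] = ms < THRESHOLD_MS; // fast load is read as "already cached"
  }
  return result;
}

console.log("shared cache:     ", inferVisited(false));
console.log("partitioned cache:", inferVisited(true));
```

With the shared cache the two visited sites stand out as fast loads; with the partitioned cache every probe is a miss, so load time no longer separates visited from unvisited sites.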