If you’re like most web users, you assume that your browser history is private. For example, if you visit an online store, you assume they can’t see whether you’ve been looking at their competitor. Just a few weeks ago I assumed this was the case. Guess what?
Your browser history is not private!
In fact, with a few well-crafted lines of JavaScript, websites can examine your browser history and record which pages you have been to. Keep reading and I’ll tell you exactly how it’s done and introduce you to a service that any webmaster can put on their site to see what pages their users have visited. I’ll also tell you exactly what type of information can be retrieved, and how you can protect yourself.
How JavaScript Can Be Used To Steal Your Browser History:
With CSS, website designers can make links a different color if they have been visited by the user. For example, this link should be colored differently than this other link. The first link you have been to before (it’s the page you are on right now), while the second link you have never visited (because it is fictitious). Now you’re thinking, “But how can this be used to steal my history?” Let’s dive a little deeper.
JavaScript Can Examine The Color Of Your Links = Steal Your Browsing History
JavaScript can examine the rendered state of an HTML document through the DOM. One of the things available through the DOM is the current CSS style of a node (nodes are HTML tags, one of which is the <a> or link tag).
All a website has to do to see what pages you’ve been to is place a list of links on the page and examine the color of those links. Ajax can be used to retrieve a list of links to test and also send the results back to the server without the user ever knowing.
The code to do this examination can be a little tricky due to cross-browser issues. Here is a snippet of JavaScript that can do the evaluation (based on the “Hey you! Where have you been?” blog post by Peter van der Graaf and a script from Jeremiah Grossman and Robert Cabri):
<pre>
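// Returns true if the browser styles a link to `url` with the "visited" color.
// Relies on the page's CSS coloring a:visited red (#ff0000).
function hasLinkBeenVisited(url) {
    var link = document.createElement('a');
    link.href = url;
    document.body.appendChild(link);
    if (link.currentStyle) {
        // Internet Explorer: currentStyle reports the color as written in the CSS rule.
        var color = link.currentStyle.color;
        return color == '#ff0000';
    } else {
        // Other browsers: getComputedStyle reports the color in rgb() notation.
        var computed_style = document.defaultView.getComputedStyle(link, null);
        if (computed_style) {
            return computed_style.color == 'rgb(255, 0, 0)';
        }
        return false;
    }
}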
</pre>
The code above assumes that the page’s CSS rules color visited links red (#ff0000) and unvisited links a different color.
Ajax Can Be Used To Examine Thousands Of Links Dynamically
A clever web developer can use Ajax to dynamically load a list of links for each new visitor. A couple hundred links can be grabbed at a time and examined without slowing down the page noticeably. If you spend just a few seconds on a website, thousands of URLs can be checked.
The Limitations
This technique does not allow sites to read your entire browser history. It only allows a site to test a predefined list of URLs to see if you have visited any of them. It’s like the card game “Go Fish”: you can’t see the other players’ cards, but you can ask them if they have any particular card. Most likely this technology would be used to examine a list of competing URLs. This could give a website valuable information on who their competitors really are and what information on those sites is being looked at.
How To Stop People From Spying On Your Browser History
There are two surefire ways to stop people from stealing your browser history.
- The nuclear option is to disable JavaScript within your browser. In Firefox you’d just go to Tools -> Options -> Content tab and then uncheck “Enable JavaScript”. This method is very limiting because you probably enjoy all the JavaScript goodness on the web.
- Limit your browser history. The less browser history you store the fewer URLs someone can steal from that history. In Firefox you can change the amount of browser history by going to Tools -> Options -> Privacy and then either uncheck the “Remember visited pages” checkbox or change the number of days that history is stored for.
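A third angle, for site owners and reviewers rather than visitors, shown as an added example that is not part of the original article or the Spyjax code: a small JavaScript audit that lists every :visited rule in a stylesheet and says whether it only sets a style that script can read back, or also triggers a url() load (the no-JavaScript variant raised in the comments below). The function names, the sample stylesheet and the /log.cgi path are constructed for illustration, and the parser assumes flat CSS without nested at-rules.

```javascript
// Added example: list :visited rules in a stylesheet and the channel each one opens.
// Assumes flat CSS (no nested @media blocks, no ',' or ';' inside quoted strings).

// Constructed sample stylesheet, not taken from any real site.
const SAMPLE_CSS = `
/* constructed sample */
a { color: #0000ff; }
a:visited { color: #ff0000; }
a[href*="example.com"]:visited { background: url(/log.cgi?url=example.com); }
.nav a:hover, .nav a:visited { text-decoration: underline }
`;

// Split CSS text into { selectors, declarations } records.
function parseRules(cssText) {
  const noComments = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  const rules = [];
  let m;
  while ((m = ruleRe.exec(noComments)) !== null) {
    const selectors = m[1].split(',').map(s => s.trim()).filter(Boolean);
    const declarations = [];
    for (const raw of m[2].split(';')) {
      const i = raw.indexOf(':');
      if (i < 0) continue; // empty or malformed declaration
      declarations.push({
        property: raw.slice(0, i).trim().toLowerCase(),
        value: raw.slice(i + 1).trim(),
      });
    }
    rules.push({ selectors, declarations });
  }
  return rules;
}

// Report each declaration attached to a :visited selector.
//   'script-readable-style': visited links look different, so script that
//       reads the link's computed style can tell them apart.
//   'network-request': the rule loads a URL only for visited links, so the
//       server learns of the visit without any script running.
function auditVisitedRules(cssText) {
  const findings = [];
  for (const rule of parseRules(cssText)) {
    for (const selector of rule.selectors) {
      if (!/:visited\b/i.test(selector)) continue;
      for (const { property, value } of rule.declarations) {
        findings.push({
          selector,
          property,
          channel: /url\(/i.test(value) ? 'network-request' : 'script-readable-style',
        });
      }
    }
  }
  return findings;
}

for (const f of auditVisitedRules(SAMPLE_CSS)) {
  console.log(`${f.channel}: ${f.selector} { ${f.property} }`);
}
```

Running it with Node prints one line per finding; any 'network-request' line in a stylesheet you did not write deserves a closer look.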
UPDATE: Spyjax Has Been Turned Off
I will no longer be hosting Spyjax. It’s been fun and very interesting, but it’s time to call it quits. Read more here.
Introducing Spyjax
One Line Of JavaScript And You Can Start Spying
Ok, now that I’ve explained how this all works and how you can protect yourself, I want to introduce you to a small piece of code that I wrote that makes it super easy for you to spy on your website visitors. It’s called Spyjax and here’s how it works.
- Sign Up For An Account
  All that’s required is your email address and a password of your choosing. I promise I will not send you any unwanted email or give your email address away to anyone else. Sign Up For Spyjax
- Add URLs To Look For
  You can add custom URLs, the top 12 Google results for any search, or just look for the home page of the top 10,000 sites on the web.
- Put One Line Of Code At The Bottom Of Your Pages
  A simple <script> tag will insert all the JavaScript needed to spy on your visitors as well as communicate with the Spyjax service to record the results.
- Optionally Add A Spyjax Widget To Your Site
  If you just want to have some fun and show people that you’re spying on them you can put one of three Spyjax widgets on your website. There’s one on this site on the right sidebar.
Update: Spyjax Only Gives You Anonymous Data
There have been some concerns raised since I first published this article and released Spyjax. So I just wanted to point out that the service does not link specific websites with identifiable user data. It simply tells you things like 36% of your visitors have been to http://www.google.com/. Basically, all the data collected by Spyjax is anonymous and shown in aggregate form. Obviously this same technology could be used to track a specific user’s history, especially if you’re on a site that records your identity in some way. In my humble opinion, it’s much better to debate these issues in the open than to have this sort of technology floating around without people knowing about it.
So You Just Want The Code?
Well, I’m not greedy, so I’m giving it away for free. You can do anything you want with it; just don’t blame me if it breaks or gets you in trouble.
You can download the code here: Spyjax Code. It’s got an open source Attribution Assurance License attached to it.



65 responses so far ↓
2 Kalyan // Jun 1, 2007 at 12:03 am
That was very clever !
6 WebGyver // Jun 1, 2007 at 6:44 am
OKAY, so if you already know who your “competitors” are, or if you already have a wishlist of links to compare against, I guess all is fine and dandy, right?
If you’re just starting out, perhaps, a good idea to amass some links to compare against with Spyjax would be to grab the referring page (document.referrer) and log that information for a week (or a month, depends on the amount of traffic you get).
Typically, that’s a fairly decent way to gauge what kind of visitor is interested in your web site (although I would be the first to admit that it’s not scientific or necessarily foolproof).
For what it’s worth, and please keep up the good work!
WebGyver
7 Bob Saget // Jun 1, 2007 at 6:47 am
How about a non-javascript version?
a[href*="yahoo.com"]:visited {background:url(/spyjax.cgi?url=yahoo.com)}
a[href*="google.com"]:visited {background:url(/spyjax.cgi?url=google.com)}
8 bob saget // Jun 1, 2007 at 7:18 am
Bob Saget, you are missing the point. CSS would only show visited links to the user. They already know what they visited (they are the ones that did it!), so this is pointless. With javascript, you can send this information back to the server, so that the website owner can know where the users have been visiting.
9 davros // Jun 1, 2007 at 7:44 am
@#8 - no, you’re the one missing the point.
10 TC // Jun 1, 2007 at 8:02 am
(1) Old.
(2) It *doesn’t* expose your browser history. What you describe, does not do that. You *can’t* write code to tell me what pages I visited before I came to your page.
13 Davin Studer // Jun 1, 2007 at 8:46 am
#7 makes a good point. You could use css to send back a hit to a server side script with the url in the querystring. I wonder how fast it would be?
14 buba... // Jun 1, 2007 at 9:46 am
not working with people checking on IE
15 Tim McCormack // Jun 1, 2007 at 10:31 am
#7’s code doesn’t give you the precise URL, just lets you know that certain domains have been visited.
It is a partial solution.
Also, I’d like to note that the Firefox extension SafeHistory is specifically designed to prevent this exploit, by subjecting “visited”-marking to the browser’s cookie policy.
18 Aoleon The Martian Girl // Jun 1, 2007 at 1:06 pm
Great job! I will definitely try this myself on my site.
Also it doesn’t seem to work on Safari on the Mac (which is a good thing cause that is the browser I use most) LOL
19 Bill Hartzer // Jun 1, 2007 at 2:29 pm
Wow, I wasn’t aware that you can get this data. I’ll definitely be experimenting with it, and can only imagine the possibilities of using it with Ajax and some ecommerce sites…
22 Wodow // Jun 1, 2007 at 4:46 pm
If you are using Firefox, this extension seems to solve the problem:
http://safehistory.com/
31 Kerouac3001 // Jun 2, 2007 at 1:27 pm
I created the same tool 3 months ago,
but I wrote my article in Italian ( http://www.kerouac3001.com/black-hat-tool-per-interrogare-la-cache-di-un-utente-56.htm ). Here’s the English post of another Italian blogger who talks about this: http://antirez.com/page/cachetest
38 James Oppenheim // Jun 3, 2007 at 6:42 am
Wow, interesting. There is so much data out there I think my browser history is the least of my problems.
40 Template Design Wrkshop // Jun 3, 2007 at 9:14 am
Hi
It’s very useful for us to use in blog templates.
Thank you
43 London SEO // Jun 4, 2007 at 5:40 am
Blimey governor! Didn’t know this was possible, nice one!
46 Paul Irish // Jun 4, 2007 at 11:14 am
Here’s the list of URLs it checks against:
http://www.merchantos.com/makebeta/spyjax/urls.php?hash=b8db3693460aff2ab374b7ec3009f12b&getoldurls=0&hit_id=20383&noCacheIE=1180980736967
47 Kevinin // Jun 4, 2007 at 12:28 pm
@Bob Saget:
That is a very good idea! I just wrote my own “version of spyjax”, mine uses a rather simple (and slow) brute force method and I will see how I can implement your idea.
52 Improbulus // Jun 6, 2007 at 2:13 am
Many thanks for this, very interesting. In terms of defending oneself against this sort of thing, the type and level of control and protection seems to be browser dependent - for instance in Opera deleting a visited page history won’t delete the same page’s visited link history, but you can manually clear just the visited links history.
I’ve experimented and produced a table comparing Opera, Internet Explorer and Firefox - at http://www.consumingexperience.com/2007/06/spyjax-websites-can-see-your-visited.html.
54 shinobi // Jun 6, 2007 at 8:38 pm
Never knew that this stuff existed.
56 TA // Jun 8, 2007 at 1:10 pm
And a lot of you guys are who will eventually make the ‘net so scary that nobody in their right mind will venture there. Reminds me of “Minority Report”.
59 nick garner // Jul 22, 2007 at 2:10 am
I will be trying this out. I am putting together a big online PR campaign and so I’m going to target competitor search terms (using seodigger).
With this tool, I will obviously see where users have come from, which means I will tip off the display advertising team, so they can maybe place ads on these sites.
I will also do seodigger on these sites and see where they rank, and from that I can also look at the best Google territory to target.
And of course when a user actually converts into a sale, I will understand their pathways to my site. From that I can see what works best….very valuable
62 SEO Articles and Tips // Mar 28, 2008 at 1:06 am
That’s right, but disabling JavaScript is not a good solution, I think.
63 Vicenza // Apr 19, 2008 at 1:24 am
In this world nothing is private.
Thanks for this message for demonstrating this.
64 Vicenza // May 8, 2008 at 3:57 pm
Who knows, maybe this site is viewing your browsing history???
65 clouder // May 8, 2008 at 10:46 pm
Firefox users might try tools -> options, Content section, Colors.. button under Font and Colors group, and unchecking Allow pages to choose their own color…, as well as setting link colors to something non standard. Think this could stop the spyjax (too lazy atm to try myself)? Not sure if there is anything you can do about that CSS thing Bob Saget showed. Other than disable CSS which is just out of the question.