Unfortunately, this is just really old news and really lame. Man, I hate using the word lame. Its not an "attack". Its simply taking advantage of a feature built into all browsers since like 2000 or before.

This is now the 5th time this topic has been posted to HN. May 2008 was when it all started:

http://www.azarask.in/blog/post/socialhistoryjs/

http://news.ycombinator.com/item?id=248558

http://news.ycombinator.com/item?id=404564

http://news.ycombinator.com/item?id=617546

http://news.ycombinator.com/item?id=717802

That's true -- there have been several projects making use of the CSS :visited history sniffing technique. The method itself was originally reported in early 2000. See http://whattheinternetknowsaboutyou.com/docs/details.html#re...

It's old and it's somewhat lame, but it is an attack. CSS and the DOM were designed not to allow this sort of information leak. They missed a spot.

The problem, of course, is how to solve this without neutering both CSS and the DOM in the process.

Maybe :visited should not apply to cross domain links.

It is old news, but CSS history 'browsing' can be used as an attack to find authz tokens in certain URLs.

Wow. That is very clever, and very, very scary.

I was unaware of that particular attack, though now that I've read about it, it makes perfect sense.

Maybe it's time to set my work machine to not keep my browsing history (like my home machine)...

At least 3 years old: http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-yo...

The information on that site is a bit misleading. How would they figure out your name? Or who your friends were?

They would have to already know your name to search for URLs then that would contain your name. That is a lot of work to be doing in a browser. And if you have a common name, then whoptido. So what?

You can only use this technique against a set of URLs, you can't determine URLs unless you already know what to check against. At that, you would have to know the exact URL to check against.

"This site normally works even when JavaScript is disabled, but we temporarily switched off that functionality for performance reasons. Please come back in a couple of hours."

Riiight.

It looks like it's working now even without JS. The history detection method itself doesn't need JavaScript at all; see http://whattheinternetknowsaboutyou.com/docs/details.html

Hacker News is among the 5000 most popular sites!

This site produces a HTTP 500 error for me. Would someone please provide a description of what was there?

Site's down. Is it this exploit?:

http://thecoffeedesk.com/news/index.php/2009/08/02/view-remo...

I think they mean what the Web knows about you. The Internet sure as hell doesn't know about my email habits or how much streaming I do of music.

Ubuntu, xkcd, freepatentsonline.com, bing, google, yahoo, mozilla, technorati, wordpress, winamp, posterous, and HN.

I guess the internet thinks I'm a geek.

Congratulations, we did not find anything in this category in your browser history. Feel free to try our other browser history tests.

Apparently the Internet knows nothing about me. That is ... rather surprising.

Me too. This "attack" is very old and well-known on the browser side. It doesn't work particularly well on me because I keep no history.

I had never heard of it before. I wouldn't consider myself anywhere near an expert on client-side exploits but still...

I keep up with most tech-related news as well as I can and I had never heard of it until now...

I'd be interested to see how many people actually have heard about it before.

This isn't an exploit, it is a feature of almost every modern browser.

Applying different style to visited links is a feature. The trick to pull the info back to server is an exploit.

I wasn't aware that sharing your browser history with every website that cares to check it was a 'feature'.

I think that was the point...

Most people aren't aware of this.

Hopefully it was a success for you!

Care to point to a wikipedia entry or something on this 'attack'? I can't even access the site.

I assume that it's simply setting styles on links using the ":visited" pseudo-selector, and then either:

1. Using JavaScript to get the rendered style, and thus work out whether you've visited a particular URL, or

2. Setting background images on links which only apply when visited, and checking whether your browser retrieved those images.

It's a rather old and well-known trick.

Ok. Since I couldn't access the site, I didn't even know what it was supposed to be doing... other than 'an old and well-known trick' and something to do with browser history.