What are the security implications of the social history hack?


Web page scripts have a very strict set of limits on what information they can access, which is a big reason why web services are so successful. Unlike desktop applications, there’s no user anxiety that opening up a URL will install a virus or leak confidential information. Almost nobody uses Firefox extensions because we’ve all been trained that any installation step is deeply scary.

One of the things you can’t see from a script is the user’s browsing history. You might not want the world to know all the sites you’re visiting for lots of reasons, whether they’re risqué, give clues about a private medical condition, or even just reveal the fact that you’re job-hunting or dating. Even worse, a malicious script could decode URLs to pull out account numbers or user names that could be very valuable to hackers.

That’s what makes the social history hack so interesting. It’s truly a hack in the old-fashioned sense of the word, a clever use of obscure functionality for an unintended purpose. It uses the fact that previously visited links are displayed with a different color inside a web page, creates a hidden link for each URL you want to check, and then finds out if it’s in the user’s history by checking its color.

So, for the first time you can get some information about the user’s browsing history from within a script. Doesn’t that raise the same concerns about privacy and security I outlined above?

I’m glad to say there are a lot of mitigating factors. You can’t simply find out everywhere a user has been; instead you can only ask if they’ve visited a specific URL. That rules out fishing for account names or other parameters embedded in the address. It’s also reasonably slow, so you can’t practically search more than a few thousand addresses.

I’m hopeful that the very limited functionality of this hack will reassure browser developers and prevent them from patching it as a security risk. It seems like a good balance between opening up some interesting new services based on implicit attention data, without opening the door too widely to malicious exploits.
