
CSS history knocking / leak fixed? #115

Open
mikeg-de opened this issue Jul 7, 2016 · 4 comments

Comments

@mikeg-de

mikeg-de commented Jul 7, 2016

Obtaining the computed color of visited links seems to have been fixed back in 2010: http://stackoverflow.com/questions/5394099/detect-visited-link-in-chrome

Visited colors may be visible but the standard value is retrieved / provided by the browser.

@samyk
Owner

samyk commented Jul 7, 2016

True. It is still possibly exploitable and I'm open to suggestions or updates. HSTS is also worth looking into, although there have been some fixes there too: https://github.com/diracdeltas/sniffly

@mikeg-de
Author

I have tried it with:

  • width, height
  • font-size, line height, letter-spacing, font-family
  • margin, padding (pos. and neg.)
  • position
  • display
  • selectors like + or ~ with a second control link
  • nested spans with the above declarations
  • color rgba, hsla
  • border or background image
  • border-clip
  • transition

but no effect could be accessed by getComputedStyle, as stated on developer.mozilla.org.

Though I had the idea of using the HTML5 Resource Timing API. By assuming someone has visited a particular website, i.e. a company-wide login page, its resources or connection information should be cached. Attaching the resource to the DOM and checking the resource timing metrics would reveal whether the user has visited the website.

I could not probe the limitations completely at present, but I think the major ones are:

  • Cache limitations like no-cache
  • Missing timing-allow-origin response header
  • Backwards compatibility, with caniuse.com pointing out Safari as the bottleneck

Check it out: User identification with HTML5 Resource API

In my proof of concept it seems to work:
[screenshot: 1st-load-no-cache]
[screenshot: 2nd-load-with-deleted-cookie]
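The two header-level limitations listed in the comment above, turned into a check a site owner can run against their own response headers. This is an added example, not code from the thread or from the project; the header names and sample values are constructed.

```javascript
// Added example (not from the thread): given a resource's response headers,
// decide whether a page on another origin could learn that resource's cache
// state via the Resource Timing API. It encodes the two blockers listed in the
// thread: a cache policy forcing a network round trip, and no Timing-Allow-Origin.
// All header values below are constructed sample data.

function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || "").split(",")) {
    const [name, raw] = part.trim().toLowerCase().split("=");
    if (name) directives[name] = raw === undefined ? true : raw.replace(/^"|"$/g, "");
  }
  return directives;
}

// A cache hit that skips the network needs a fresh stored copy: no-store blocks
// storage, and no-cache or max-age=0 forces revalidation, so the request still
// costs a round trip and its timing no longer separates visited from unvisited.
function servedFromCacheWithoutNetwork(headers) {
  const cc = parseCacheControl(headers["cache-control"]);
  if (cc["no-store"] || cc["no-cache"]) return false;
  if (cc["max-age"] !== undefined && !(Number(cc["max-age"]) > 0)) return false;
  return true;
}

// Without a Timing-Allow-Origin covering the probing origin, the cross-origin
// entry's size and connection fields are zeroed (transferSize, the cleanest
// cache-hit indicator, reads 0 either way); only startTime/duration remain.
function detailedTimingExposedTo(headers, probingOrigin) {
  const tao = headers["timing-allow-origin"];
  if (!tao) return false;
  return String(tao).split(",").map((o) => o.trim())
    .some((o) => o === "*" || o === probingOrigin);
}

function cacheProbeExposure(headers, probingOrigin) {
  const cacheable = servedFromCacheWithoutNetwork(headers);
  const detailed = detailedTimingExposedTo(headers, probingOrigin);
  return {
    cacheable, detailedTiming: detailed,
    probeable: cacheable && detailed,      // clean signal: transferSize === 0
    durationOnly: cacheable && !detailed,  // weaker signal: duration alone
  };
}

// Constructed sample responses for a hypothetical login page's logo asset.
const SAMPLE_RESPONSES = {
  weak: { "cache-control": "public, max-age=31536000", "timing-allow-origin": "*" },
  hardened: { "cache-control": "no-store" },
};
```

Current browsers additionally partition the HTTP cache by top-level site, which removes the cross-site cache signal regardless of these headers.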

@samyk
Owner

samyk commented Jul 12, 2016

Good testing. Have you tried seeing if you could glean information by using the visited CSS attribute to adjust the size of one object, but then obtaining information on a different object on the page which would have been affected? For example, if something is larger because it was visited, the object next to it should be in a different position on the page (or perhaps wrap).

Another thing I'd suggest investigating, though this is on a per-page basis, is if a resource behaves differently if a cookie is already set (user already visited or logged into the site), using that resource in a script tag or CSS tag. If you can use the remote resource as a CSS object style (even if it's not entirely valid), and some of the page is different based on whether the user has visited or logged into it before, then you may be able to glean if they've been to that site or more likely are logged in.

@samyk
Owner

samyk commented Aug 4, 2016
