jSpy: Automagically detect visited links with JavaScript!

Posted on under English


Two days ago, I wrote "Stealing user's data in creative ways". I then read about timing attacks in JavaScript and thought it would be fun to try to implement a timing-attack-based exploit that would detect visited links and store them in a variable.

I started reading the WebKit and Gecko documentation on how they render links. I later found the paper "Pixel Perfect Timing Attacks" by Paul Stone, which explained everything. Its focus is capturing a screenshot of an iframe, while I'm concerned with detecting visited links. So, with the help of that paper, I put together a simple web page and some JavaScript that lists all the URLs, calibrates the rendering times for a visited and an unvisited link, then measures how long the browser takes to render all the links and compares that against the two calibrated times.

Then it would just display a page with those links. Pretty simple? ABSOLUTELY NOT! It took me two days to get everything right, and it still makes mistakes on some browsers. Also, the DIV with the links isn't hidden; instead it is absolutely positioned at the top of the page with an opacity of 0.00001. That's almost 0, but still far enough from it that Chrome does render the element. If I had moved it off screen, set the width to something small, or even used transform: scale(0.00001), it wouldn't work: Chrome doesn't render things it doesn't think are visible.

Note that this does work in Firefox too, but Firefox doesn't have any of these visibility problems, so I didn't have to test it as much.

If you want to try it out, click here. Trust me, it won't transmit any of the data it collects.



This post was last updated on June 13th, 2014.