Retrieving your browsing history through a CAPTCHA

Proof of concept history sniffing, where visitors do the hard work.

Are you a robot?

Select all the black cells to continue to your destination.

Press "DONE" when you finish.

Results #

Waiting for you to finish the CAPTCHA...

How it works #

Web browsers have plenty of tiny features to make navigating the web less painful.

One such feature is the browser history, helpfully recording a list of every page a user visits incase they want to come back to one later. Most browsers also highlight visited links by displaying them in purple. This too is pretty helpful, especially on search results or long lists of links.

Browsers also let us style how visited links look, using the :visited pseudo-class. This is also pretty helpful, as the purple links don’t match the style of every website.

You might already be thinking of various ways to exploit this, perhaps using background-images to send GET requests to a server, or maybe by using window.getComputedStyle to get the colour of a link.

Unfortunately (well, actually fortunately), browser vendors have thought of that (or more likely: those methods have already been exploited), and most limit the CSS you can apply to visited links, alongside making window.getComputedStyle lie sometimes.

People have done some pretty crazy tricks to bypass the limitations and sniff browsing history, for example take this report by George Liu which demonstrates abusing transition events to find out if a link is visited.

There’s probably still a ton of similar ways to automatically exploit the CSS pseudo-class that no one has thought of yet, but it’s a constant cat and mouse game between hackers and browser vendors.

So, rather than using a computer to find out if a link is visited, why don’t we trick our visitors into doing it for us instead! 😀

This proof of concept looks somewhat like a reCAPTCHA challenge, and styles visited links to look like black squares. Visitors are told to select all the black squares to prove their humanity, when in reality they are telling us whether they have visited certain websites.

I also covered up the links themselves with an overlaid div, so that the link tooltip doesn’t appear when hovered, and so visitors can’t actually click the links. Additionally, I included some fake squares to catch if visitors are trying to spoof their results.

While this demo is harmless, a malicious website could employ something similar for various reasons. Perhaps a website could find out a user’s political views, simply by checking if they’ve seen an article or YouTube video. Or maybe a website could find out where a visitor lives, just by finding out if they’ve seen some local websites.

The sky is the limit, which is fairly concerning. This also can’t be patched unless browsers stop allowing websites to style links, or by severely limiting the amount of scenarios where visited link appear purple altogether.

Conclusion #

In conclusion, the :visited pseudo-class poses privacy risks for people who surf the web. As a user, you can stop web pages from tracking your history by disabling visited link highlighting in your web browser.

Across the web