
2010-08-02

Firefox security case study: Mozilla's CSS :visited solution is still vulnerable


JavaScript running in browsers that implement today's W3C standards can let the current page discover which pages the user has previously visited. This is very useful as part of an XSS attack where you need to know whether the user has already authenticated to a login system.

Since this information is so useful to an attacker, Mozilla is preparing to break API compliance in order to close this vector:
  • getComputedStyle() et al. will no longer leak information about a page's visited status
  • Styling differences between visited and unvisited links will be restricted: opacity, visibility, and many other properties will no longer be allowed to differ between the two states
  • These rules propagate and are immune to CSS tricks such as combinators and nesting
These are detailed at http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/
But this issue is too big to settle for a "solution" that breaks the API, does so ungracefully, and still does not solve the problem. Here is a demonstration that will still work if Mozilla goes through with this cowboy (read: Microsoft) attitude to web standards. The first one tells you whether you have visited purple.com before, and the second one tells you whether you have logged in to Zecco.com:

Click for free wallpapers here (you didn't visit purple.com before)
Click for free wallpapers here (you visited purple.com before)

Click for free wallpapers here (you didn't visit zecco.com before)
Click for free wallpapers here (you visited zecco.com before)

You could probably do a better job than I of styling these elements, but either way, the attack vector still exists.
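To tell whether a given browser has actually closed the scripted channel that Mozilla's first rule targets, a page can probe its own :visited state. This is an added self-test, not code from the original post; it assumes that a link to the current page's own URL counts as visited (browsers that partition link history by site may not honour even that, which is itself a sign of mitigation), and it checks only the getComputedStyle() channel, not the interactive one the demo above relies on.

```html
<!doctype html>
<meta charset="utf-8">
<title>:visited leak self-test (constructed example)</title>
<style>
  /* Distinct colours so the two states can be told apart if they leak. */
  #probe         { color: rgb(0, 0, 255); }   /* unvisited */
  #probe:visited { color: rgb(255, 0, 0); }   /* visited   */
</style>
<p id="result">testing...</p>
<script>
  // The current page's own URL is in the history by definition, so a link
  // pointing at it should match :visited (assumption: the browser does not
  // partition visited-link history in a way that excludes this self-link).
  // A browser that applies Mozilla's first rule reports the *unvisited*
  // colour from getComputedStyle() even though the link is visited.
  var a = document.createElement('a');
  a.id = 'probe';
  a.href = location.href;          // guaranteed-visited target
  a.textContent = 'probe';
  document.body.appendChild(a);

  var color = getComputedStyle(a).color;
  var leaks = (color === 'rgb(255, 0, 0)');
  document.getElementById('result').textContent = leaks
    ? 'getComputedStyle() exposes :visited state (' + color + ')'
    : 'getComputedStyle() hides :visited state (' + color + ')';
  // A "hides" result only shows the scripted channel is closed; the
  // interactive channel this post demonstrates (the user clicking whichever
  // link the browser chose to render) is outside what this check can see.
</script>
```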