It's possible for a website a.org/ to check whether the user is redirected by b.org/path1 to b.org/path2. This often leaks private information if the redirect on b.org/ depends on the user's state. For example, if the user is only redirected to b.org/path2 if he's logged in on b.org/, a.org/ can detect whether the user is logged in on b.org/ or not.

The basic idea and more ideas on how to exploit this are described in this pdf: https://www.checkmarx.com/wp-content/uploads/2012/07/XSHM-Cross-site-history-manipulation.pdf (for a short explanation see "Login Detection Technique" on page 6).

I've implemented a proof of concept here: http://jsfiddle.net/wdp59rt5/ It checks whether the user is logged in on deviantart.com.

I'd like to point out that this is not a timing attack, but it exploits the fact that, when loading a site in an iframe, the browser behaves differently based on whether the same site has been loaded before or not. A new entry in window.history is only created for the loaded site if the same site has not been loaded before.

Do you think it would be desirable to prevent non-timing-based redirect detection?

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
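The leak described in the post needs two things on b.org's side: the page must be loadable in a cross-origin iframe, and the redirect decision must differ between the logged-in and logged-out state. The following is an added site-owner audit helper, not code from the post or from the linked jsfiddle PoC. It assumes responses are represented as plain `{status, headers}` objects with lower-cased header names (the shape Node's `http` module exposes), and the sample responses at the bottom are constructed, not captured traffic. It flags a path if either condition holds, so the fix is to deny framing (X-Frame-Options / CSP frame-ancestors) and to make the redirect identical in both states.

```javascript
// Added example (not from the original mailing-list post): audit helper for the
// history-entry based redirect leak. Responses are plain objects of the form
// { status: <number>, headers: { <lower-case name>: <value> } }.

function parseCspDirective(cspValue, name) {
  // Return the source list of one CSP directive, or null if the directive is absent.
  for (const directive of cspValue.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === name) return parts.slice(1);
  }
  return null;
}

function frameable(headers) {
  // True when nothing in the response forbids cross-origin framing.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return false;
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = parseCspDirective(csp, 'frame-ancestors');
    // Only 'none' / 'self' keep every other origin out; a listed third-party
    // origin would still be able to embed the page.
    if (sources && sources.every((s) => s === "'none'" || s === "'self'")) return false;
  }
  return true;
}

function redirectDependsOnState(loggedOut, loggedIn) {
  // Any difference in status or Location between the two states is what the
  // embedding page can observe through the history-length change.
  return (
    loggedOut.status !== loggedIn.status ||
    (loggedOut.headers.location || '') !== (loggedIn.headers.location || '')
  );
}

function auditPath(loggedOut, loggedIn) {
  // Returns the list of findings for one URL; an empty list means the
  // redirect behaviour cannot be distinguished from another origin this way.
  const findings = [];
  if (redirectDependsOnState(loggedOut, loggedIn)) findings.push('state-dependent redirect');
  if (frameable(loggedOut.headers) || frameable(loggedIn.headers)) findings.push('framable by other origins');
  return findings;
}

// Constructed sample: the leaky pattern from the post. /path1 redirects only
// when the user is logged in, and nothing prevents a.org from framing it.
const leaky = {
  loggedOut: { status: 200, headers: {} },
  loggedIn: { status: 302, headers: { location: 'https://b.example/path2' } },
};

// Constructed sample: hardened. Both states answer with the same redirect
// (the target page decides what to render), and framing is denied.
const hardenedHeaders = {
  location: 'https://b.example/path2',
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
};
const hardened = {
  loggedOut: { status: 302, headers: hardenedHeaders },
  loggedIn: { status: 302, headers: hardenedHeaders },
};

console.log('leaky:', auditPath(leaky.loggedOut, leaky.loggedIn));
console.log('hardened:', auditPath(hardened.loggedOut, hardened.loggedIn));
```

Run with `node audit.js`; the leaky sample reports both findings and the hardened one reports none. In practice the two responses would come from fetching the same URL once with and once without a session cookie.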
