On 09/16/2014 04:58 AM, [email protected] wrote:
> It's possible for a website a.org/ to check whether the user is redirected by
> b.org/path1 to b.org/path2. This often leaks private information if the
> redirect on b.org/ depends on the user's state. For example, if the user is
> only redirected to b.org/path2 if he's logged in on b.org/, a.org/ can detect
> whether the user is logged in on b.org/ or not.
>
> The basic idea and more ideas how to exploit this are described in this pdf:
> https://www.checkmarx.com/wp-content/uploads/2012/07/XSHM-Cross-site-history-manipulation.pdf
> (for a short explanation see "Login Detection Technique" on page 6).
>
> I've implemented a proof of concept here: http://jsfiddle.net/wdp59rt5/
> It checks whether the user is logged in on deviantart.com

This uses window.history.length to figure out if something has been visited recently (by forcing another visit), right?

I'm curious: how is this affected if I have multiple tabs open? And how quickly can you check a bunch of URLs?

This seems very much like bug 147777.

-Sid
