Wednesday, October 04, 2006

big brother is watching and taking notes

Robert Auger from CGI Security spells out how a website could easily profile your interests from a competitor's website, enabling it to market to you better. Based on the JS/CSS History Hack, Robert describes the following:

"Let's say VisitorA visits your site. You can use the CSS history stealing trick to see if they have visited and/or if they have also visited a competitor; you'll know that this person is semi-serious about whatever reason they are visiting your site for. Using the same CSS trick you could also enumerate a list of links (only enumerated if the link was visited) against each competitor website to see what they viewed on this site. This could include seeing which products/services they are interested in, if they visited the 'contact us' page and possibly if they also visited the 'thank you for submitting your data'."

This is a very probable scenario. In my tests, it's possible to check over 2,000 URLs in under a few seconds without any noticeable browser performance issues. That is more than enough for a website to conduct some decent profiling.

Robert asks: "This begs to ask the question: is this legal?"

I think so, but don't know for sure. Maybe this could be considered an improvement on referer checking. :) The more compelling question, though, is whether people are already doing this and we're just not noticing. Either way, it's time to protect yourself: check out Stanford SafeHistory.
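To see what the mitigation actually changes, here is an added example (not Robert's code and not the SafeHistory extension's own code): it runs a constructed probe list against a constructed browsing history and counts how many links a page could learn were visited under the old any-visited-link behaviour versus a SafeHistory-style rule. Reducing SafeHistory's rule to "only same-origin links may look visited" is an assumption made for the example; the domains are constructed.

```javascript
// Canonical form of a URL for history lookup (drops the fragment).
function canonical(href, base) {
  const u = new URL(href, base);
  u.hash = "";
  return u.href;
}

// Scheme + host + port, as in the browser same-origin policy.
function originOf(href, base) {
  return new URL(href, base).origin;
}

// Old behaviour: any visited URL is rendered as :visited, and that style is
// readable from script. This is what the profiling trick relies on.
function naivePolicy(pageUrl, linkHref, history) {
  return history.has(canonical(linkHref, pageUrl));
}

// SafeHistory-style policy (assumed simplification of the extension's rule):
// a link may only look visited when it points at the same origin as the page,
// so a site learns nothing about visits to other sites.
function safeHistoryPolicy(pageUrl, linkHref, history) {
  if (originOf(linkHref, pageUrl) !== originOf(pageUrl)) return false;
  return history.has(canonical(linkHref, pageUrl));
}

// Number of probe links the page would learn are visited under a policy.
function visitedCount(policy, pageUrl, probes, history) {
  return probes.filter((h) => policy(pageUrl, h, history)).length;
}

// Constructed sample data: the visitor's history, and the probe list that
// example.com (the profiling site) embeds in its page.
const SAMPLE_HISTORY = new Set([
  "https://example.com/products/widget",
  "https://competitor.example/products/widget",
  "https://competitor.example/contact#form",
].map((h) => canonical(h)));

const PROBES = [
  "https://competitor.example/products/widget",
  "https://competitor.example/contact",
  "https://competitor.example/thank-you",
  "/products/widget", // same-origin link, resolved against the page URL
];

function demo(pageUrl = "https://example.com/") {
  return {
    naive: visitedCount(naivePolicy, pageUrl, PROBES, SAMPLE_HISTORY),
    safe: visitedCount(safeHistoryPolicy, pageUrl, PROBES, SAMPLE_HISTORY),
  };
}
```

Under the old behaviour the page learns about three visited links, two of them on the competitor's site; under the same-origin rule it learns only about its own widget page.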

