samyk / evercookie

Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.
https://samy.pl/evercookie/

CSS history knocking / leak fixed? #115

Open mikeg-de opened 8 years ago

mikeg-de commented 8 years ago

Obtaining the computed color of visited links seems to be fixed back in 2010: http://stackoverflow.com/questions/5394099/detect-visited-link-in-chrome

Visited colors may be visible but the standard value is retrieved / provided by the browser.

samyk commented 8 years ago

True. It is still possibly exploitable and I'm open to suggestions or updates. HSTS is also worth looking into, although there have been some fixes there too: https://github.com/diracdeltas/sniffly

mikeg-de commented 8 years ago

I have tried it with:

but no effect could be accessed by getComputedStyle, as stated on developer.mozilla.org.

Though I had the idea of using the HTML5 Resource Timing API. By assuming someone has visited a particular website, i.e. a company-wide login page, its resources or connection information should be cached. Attaching the resource to the DOM and checking the resource timing metrics would reveal if the user has visited the website.

I could not probe the limitations completely at present, but I think the major ones are:

Check it out: User identification with HTML5 Resource API

In my proof of concept it seems to work: 1st-load-no-cache 2nd-load-with-deleted-cookie

samyk commented 8 years ago

Good testing. Have you tried seeing if you could glean information by using the visited css attribute to adjust the size of one object, but then obtaining information on a different object on the page which would have been affected? For example, if something is larger because it was visited, the object next to it should be in a different position on the page (or perhaps wrap).

Another thing I'd suggest investigating, though this is on a per-page basis, is if a resource behaves differently if a cookie is already set (user already visited or logged into the site), using that resource in a script tag or CSS tag. If you can use the remote resource as a CSS object style (even if it's not entirely valid), and some of the page is different based on whether the user has visited or logged into it before, then you may be able to glean if they've been to that site or more likely are logged in.

samyk commented 8 years ago

Also worth investigating: https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html
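As an added, defender-side example (not code from the evercookie project or from anyone in this thread): the cache probe mikeg-de describes only works if the login page's sub-resources actually land in the browser cache, so a site owner can audit the headers those resources are served with. The header values below are constructed sample input, and the Timing-Allow-Origin check is my own added heuristic, not something the thread states.

```javascript
// Parse a Cache-Control header into a directive map.
// "no-store, max-age=0" -> { "no-store": true, "max-age": "0" }
function parseCacheControl(value) {
  const out = {};
  for (const part of (value || '').split(',')) {
    const [k, v] = part.trim().toLowerCase().split('=');
    if (k) out[k] = v === undefined ? true : v;
  }
  return out;
}

// Return a list of findings for one response's headers (names are
// matched case-insensitively). An empty list means nothing to flag.
function assessResponseHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const cc = parseCacheControl(h['cache-control']);
  if (!cc['no-store']) {
    // A cacheable resource lets a later page infer a prior visit from a
    // fast (cache-hit) load time via the Resource Timing API.
    findings.push('cacheable: serve with Cache-Control: no-store');
  }
  const tao = (h['timing-allow-origin'] || '').trim();
  if (tao === '*') {
    // Assumption: a wildcard TAO hands every origin the detailed timing
    // fields, which makes the probe easier than it needs to be.
    findings.push('Timing-Allow-Origin: * exposes detailed timings to all origins');
  }
  return findings;
}

// Audit a set of login-page resources; only resources with findings are
// reported so the result is directly actionable.
function auditLoginResources(resources) {
  return resources
    .map(r => ({ url: r.url, findings: assessResponseHeaders(r.headers) }))
    .filter(r => r.findings.length > 0);
}

// Constructed sample responses (hypothetical URLs).
const WEAK = { url: 'https://login.example/css/app.css',
  headers: { 'Cache-Control': 'public, max-age=86400', 'Timing-Allow-Origin': '*' } };
const HARDENED = { url: 'https://login.example/js/app.js',
  headers: { 'Cache-Control': 'no-store, private', 'Vary': 'Cookie' } };

console.log(JSON.stringify(auditLoginResources([WEAK, HARDENED]), null, 2));
```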