Spyjax – Your browser history is not private!

If you’re like most web users, you assume that your browser history is private. For example, if you visit a point-of-sale software company’s website, you assume it can’t see whether you’ve been looking at its competitors. Just a few weeks ago I assumed this was the case. Guess what?

Your browser history is not private!

Peeping Tom

In fact, with a few well-crafted lines of JavaScript, websites can examine your browser history and record which pages you have been to. Keep reading and I’ll tell you exactly how it’s done and introduce you to a service that any webmaster can put on their site to see what pages their users have visited. I’ll also tell you exactly what type of information can be retrieved, and how you can protect yourself.

How JavaScript Can Be Used To Steal Your Browser History:

With CSS, website designers can make links a different color if the user has already visited them. For example, this link should be colored differently from this other link. The first link you have been to before (it’s the page you are on right now), while the second link you have never visited (because it is fictitious). Now you’re thinking, “but how can this be used to steal my history?” Let’s dive a little deeper.

Javascript Can Examine The Color Of Your Links = Steal Your Browsing History

JavaScript can examine the rendered state of an HTML document through the DOM. One of the properties available through the DOM is the current CSS style of a node (nodes are HTML tags, one of which is the <a>, or link, tag).
All a website has to do to see what pages you’ve been to is place a list of links on the page and examine the color of those links. Ajax can be used to retrieve a list of links to test and to send the results back to the server without the user ever knowing.
The code to do this examination can be a little tricky due to cross-browser issues. Here is a snippet of JavaScript that can do the evaluation (based on the “Hey you! Where have you been?” blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri):

<pre>// Returns true when the browser renders the link to `url` in the
// "visited" colour (#ff0000 / rgb(255, 0, 0)) that the page's CSS assigns.
function hasLinkBeenVisited(url) {
    var link = document.createElement('a');
    link.href = url;
    document.body.appendChild(link);
    if (link.currentStyle) {
        // Internet Explorer exposes the applied style as currentStyle
        var color = link.currentStyle.color;
        if (color == '#ff0000')
            return true;
        return false;
    } else {
        // Other browsers: ask the DOM for the node's computed style
        var computed_style = document.defaultView.getComputedStyle(link, null);
        if (computed_style) {
            if (computed_style.color == 'rgb(255, 0, 0)')
                return true;
        }
        return false;
    }
}</pre>

The code above assumes that CSS rules are making links that have been visited red (#ff0000) and new links a different color.

Ajax Can Be Used To Examine Thousands Of Links Dynamically

A clever web developer can use Ajax to dynamically load a list of links for each new visitor. A couple hundred links can be grabbed at a time and examined without slowing down the page noticeably. If you spend just a few seconds on a website thousands of URLs can be checked.
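The page-side ingredients described above (a script that reads a link’s computed or currentStyle colour and compares it with a constant, anchors created from script, a distinct a:visited colour, and a large or hidden batch of links) are also what a defender can look for. The following is an added example, not code from the original post or from Spyjax: a Node.js heuristic scanner that scores an HTML string on those indicators. It runs on page source you already hold (a saved page or a proxy capture) and fetches nothing; the two sample documents, the indicator weights, the flagging threshold and the 50-link cutoff are all constructed for this example. Modern browsers have since blunted the technique: since Firefox 4 and Chrome 9, getComputedStyle reports the unvisited style for :visited links, so the snippet above returns false regardless of history.

```javascript
// Heuristic scanner for CSS :visited history-sniffing pages.
// Added example (not Spyjax code). Runs under Node.js on an HTML string;
// indicator names, weights and thresholds are assumptions of this example.

// Each indicator carries a weight; the sum is a rough risk score.
const INDICATORS = [
  {
    id: "style-read",
    name: "script reads a link's computed or currentStyle properties",
    weight: 1,
    test: (html) => /\.currentStyle\b/.test(html) || /getComputedStyle\s*\(/.test(html),
  },
  {
    id: "color-compare",
    name: "script compares a colour value with a hard-coded constant",
    weight: 2,
    // matches e.g.  color == '#ff0000'  or  computed_style.color == 'rgb(255, 0, 0)'
    test: (html) => /\bcolor\s*===?\s*['"](#[0-9a-f]{3,6}|rgb\([^)]*\))['"]/i.test(html),
  },
  {
    id: "scripted-anchor",
    name: "anchors are created from script",
    weight: 1,
    test: (html) => /createElement\s*\(\s*['"]a['"]\s*\)/i.test(html),
  },
  {
    id: "visited-rule",
    name: "stylesheet gives :visited links their own colour",
    weight: 1,
    test: (html) => /:visited\s*\{[^}]*\bcolor\s*:/i.test(html),
  },
  {
    id: "hidden-links",
    name: "links are hidden with display:none or visibility:hidden",
    weight: 1,
    test: (html) =>
      /<a\b[^>]*\bstyle\s*=\s*["'][^"']*(display\s*:\s*none|visibility\s*:\s*hidden)/i.test(html),
  },
];

const MANY_LINKS = 50; // constructed threshold for "unusually many links"

// Counts <a ... href=...> occurrences in the raw HTML.
function countAnchors(html) {
  return (html.match(/<a\b[^>]*\bhref\s*=/gi) || []).length;
}

// Returns { score, anchorCount, findings, suspicious }. A page is flagged only
// when the colour comparison is present AND the score reaches 4, so ordinary
// pages that merely call getComputedStyle or style :visited links are not.
function scanForHistorySniffing(html) {
  const findings = [];
  let score = 0;
  let hasColorCompare = false;
  for (const ind of INDICATORS) {
    if (ind.test(html)) {
      findings.push(ind.name);
      score += ind.weight;
      if (ind.id === "color-compare") hasColorCompare = true;
    }
  }
  const anchorCount = countAnchors(html);
  if (anchorCount >= MANY_LINKS) {
    findings.push(`unusually many links (${anchorCount})`);
    score += 1;
  }
  return { score, anchorCount, findings, suspicious: hasColorCompare && score >= 4 };
}

// Constructed sample 1: a page built the way the post describes, with a hidden
// batch of probe links and a probe script modelled on the snippet above.
const PROBE_LINKS = Array.from({ length: 60 }, (_, i) =>
  `<a href="http://competitor-${i}.example/" style="display:none">${i}</a>`
).join("\n");

const SNIFFING_PAGE = `<html><head><style>
a { color: #0000ff; } a:visited { color: #ff0000; }
</style></head><body>
${PROBE_LINKS}
<script>
function hasLinkBeenVisited(url) {
  var link = document.createElement('a');
  link.href = url;
  document.body.appendChild(link);
  var computed_style = document.defaultView.getComputedStyle(link, null);
  return computed_style.color == 'rgb(255, 0, 0)';
}
</script></body></html>`;

// Constructed sample 2: an ordinary page that also calls getComputedStyle (for
// layout) and styles :visited links, but compares no colours.
const BENIGN_PAGE = `<html><head><style>
a { color: #0000ff; } a:visited { color: #551a8b; }
</style></head><body>
<a href="/about">About</a> <a href="/contact">Contact</a>
<div id="box"></div>
<script>
var h = window.getComputedStyle(document.getElementById('box')).height;
</script></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, page] of [["sniffing", SNIFFING_PAGE], ["benign", BENIGN_PAGE]]) {
    const r = scanForHistorySniffing(page);
    console.log(label, r.suspicious ? "SUSPICIOUS" : "ok", "score", r.score, r.findings);
  }
}
if (typeof module !== "undefined") {
  module.exports = { scanForHistorySniffing, countAnchors, SNIFFING_PAGE, BENIGN_PAGE };
}
```

Run with `node scan.js`: the constructed sniffing page scores 7 and is flagged, the benign page scores 2 and is not. The weights are deliberately conservative; the colour comparison is the one indicator that has no ordinary reason to appear next to a large batch of links, which is why it is required for a flag.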

The Limitations

This technique does not allow sites to read your entire browser history. It only allows a site to test a predefined list of URLs to see if you have visited any of them. It’s like the card game “go fish”: you can’t see the other players’ cards, but you can ask them whether they hold a particular card. Most likely this technology would be used to examine a list of competing URLs. This could give a website valuable information on who its competitors really are and what information on those sites is being looked at.

How To Stop People From Spying On Your Browser History

There are two surefire ways to stop people from stealing your browser history.

  1. The nuclear option is to disable JavaScript within your browser. In Firefox you’d just go to Tools -> Options -> Content tab and then uncheck “Enable JavaScript”. This method is very limiting because you probably enjoy all the JavaScript goodness on the web.
  2. Limit your browser history. The less browser history you store the fewer URLs someone can steal from that history. In Firefox you can change the amount of browser history by going to Tools -> Options -> Privacy and then either uncheck the “Remember visited pages” checkbox or change the number of days that history is stored for.

UPDATE: Spyjax Has Been Turned Off

I will no longer be hosting Spyjax. It’s been fun and very interesting, but it’s time to call it quits. Read more here.

Introducing Spyjax

One Line Of JavaScript And You Can Start Spying


Ok, now that I’ve explained how this all works and how you can protect yourself, I want to introduce you to a small piece of code that I wrote that makes it super easy for you to spy on your website visitors. It’s called Spyjax and here’s how it works.

  1. Sign Up For An Account

    All that’s required is your email address and a password of your choosing. I promise I will not send you any unwanted email or give your email address away to anyone else. Sign Up For Spyjax

  2. Add URLs To Look For

    You can add custom URLs, the top 12 Google results for any search, or just look for the home page of the top 10,000 sites on the web.

  3. Put One Line Of Code At The Bottom Of Your Pages

    A simple <script> tag will insert all the JavaScript needed to spy on your visitors as well as communicate with the Spyjax service to record the results.

  4. Optionally Add A Spyjax Widget To Your Site

    If you just want to have some fun and show people that you’re spying on them you can put one of three Spyjax widgets on your website. There’s one on this site on the right sidebar.

Update: Spyjax Only Gives You Anonymous Data

There have been some concerns raised since I first published this article and released Spyjax. So I just wanted to point out that the service does not link specific websites with identifiable user data. It simply tells you things like “36% of your visitors have been to http://www.google.com/”. Basically, all the data collected by Spyjax is anonymous and shown in aggregate form. Obviously this same technology could be used to track specific users’ history, especially if you’re on a site that records your identity in some way. In my humble opinion it’s much better to debate these issues in the open than to have this sort of technology floating around without people knowing about it.

So You Just Want The Code?

Well I’m not greedy, so I’m giving it away for free. You can do anything you want with it, just don’t blame me if it breaks or gets you in trouble.

You can download the code here: Spyjax Code. It’s got an open source Attribution Assurance License attached to it.

Check out these services by my company MerchantOS:

  • POS Software – A point of sale and inventory control system for small retailers.
  • Bike Shop Point of Sale – A full POS solution specifically designed for independent bicycle retailers.

72 thoughts on “Spyjax – Your browser history is not private!”

  1. Pingback: oriolrius lifestream » Spyjax - Your browser history is not private!

  2. Many thanks for this, very interesting. In terms of defending oneself against this sort of thing, the type and level of control and protection seems to be browser dependent – for instance in Opera deleting a visited page history won’t delete the same page’s visited link history, but you can manually clear just the visited links history.

    I’ve experimented and produced a table comparing Opera, Internet Explorer and Firefox – at http://www.consumingexperience.com/2007/06/spyjax-websites-can-see-your-visited.html.

  3. Pingback: Cars Tech and Babes Blog

  4. Never knew that this stuff exists.

  5. Pingback: MarketingHacks - » Check Your Competition with this Contact Form Hack to Steal Browser History

  6. TA said...

    And a lot of you guys are who will eventually make the ‘net so scary that nobody in their right mind will venture there. Reminds me of “Minority Report”.

  7. Pingback: vagabundia » Blog Archive » Espías por todos lados

  8. Pingback: Dimblog v2 - Webmaster Articles, Design Trends, SEO Advice, Web Marketing Tips

  9. I will be trying this out. I am putting together a big online PR campaign and so I’m going to target competitor search terms (using seodigger).

    With this tool, I will obviously see where users have come from, which means I will tip off the display advertising team, so they can maybe place ads on these sites.

    I will also do seodigger on these sites and see where they rank, and from that I can also look at the best Google territory to target.

    And of course when a user actually converts into a sale, I will understand their pathways to my site. From that I can see what works best… very valuable.

  10. Pingback: I Can See What You’re Browsing….–thirteen ball

  11. Pingback: Clarification - India Broadband Forum

  12. That’s right, but disabling JavaScript is not a good solution, I think.

  13. In this world nothing is private :( Thanks for this message demonstrating this.

  14. Vicenza said...

    Who knows, maybe this site is viewing your browsing history???

  15. clouder said...

    Firefox users might try tools -> options, Content section, Colors.. button under Font and Colors group, and unchecking Allow pages to choose their own color…, as well as setting link colors to something non standard. Think this could stop the spyjax (too lazy atm to try myself)? Not sure if there is anything you can do about that CSS thing Bob Saget showed. Other than disable CSS which is just out of the question.

  16. Pingback: Fingerprint - Erste Gedanken « Benwebtrekk’s Blog

  17. Pingback: Start Panic!

  18. Pingback: Tagz | "Spyjax" | Comments

  19. Pingback: » Poznaj nazwisko internauty, który odwiedza twoją stronę -- Niebezpiecznik.pl --

  20. Pingback: Three Ways Sites Can Track Visitors Without Cookies, Part 2 | JasonMorrison.net

  21. Pingback: Sysomos Audience o la intimidad violada | El blog de Paradigma

  22. Pingback: Paradigma Tecnológico: La compañía ágil » Sysomos Audience o la intimidad violada

Comments are closed.