Clicking on red boxes will reveal your interests

I came across this interesting site that cross references your browsing history with the popular feed reader feedly to determine one’s area of interests. When I first visited the website, I was curious about it’s mechanism. I wasn’t sure what to expect; it asked me to click on red boxes and claims that it will determine my interests based on some advanced neuroscience. I did as told because it seems like a harmless thing to do. As I was mechanically clicking boxes, I was wondering how on earth would clicking red boxes reveal anything. Could the order matter? Could the number of wrong clicks reveal that I am somewhat rash, or have some sort of compulsive disorder?

As an aside, I noticed that when my mouse hovered over the boxes, it showed that they were links to websites that I have visited, I thought that it might be one of those click jacking websites, but closer inspection of the source ruled that out.

When I was finally done, I was presently surprised about the result. It did match my interests to a large extent. So I became more curious and peeped into its inner working. Essentially, the boxes represents websites with a category tag, red boxes indicate visited websites, clicking it adds it to a list, ranking the interest is just ranking the tags.

I thought it was a neat idea and wondered if this can be done automatically instead of having the user manually do the clicking. So I thought about using JQuery to select visited links, and realised the query returned nothing. I then tried changing the CSS to only show visited links, or to make the text way bigger for visited links so that it is easier to click on. None of these worked either, and so I started to do some research.

It turns out what I was trying to do has security implications. The feature I want can be used by malicious website to detect a user’s browsing history, and we know that’s not good ;). If that were allowed, it expose a covert channel, which is an unintended channel which information can leak through. For example, detecting whether a link is visited or not acts like a litmus paper with which information about the browsing history can be leaked to the website.

The methods in these articles describing how that could be done.

One can come up with a list of websites and use Javascript to select those that have been visited before and send them to a server, and this can be done automatically when the page load.

If that is not allowed, one can still work around it if links were allowed to be different in sizes. Because the status of links can be learned by querying other elements of the page which may have been resized because of the difference in sizes.

These holes have been fixed and we can have some confidence that our browsing history is still private, for now.


Published by

One thought on “Clicking on red boxes will reveal your interests”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s